https://www.tag1consulting.com/ en https://www.tag1consulting.com/blog/access-control <div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"> Drupal 7 In Drupal 7, a hook_node_access implementation could return NODE_ACCESS_IGNORE , NODE_ACCESS_ALLOW and NODE_ACCESS_DENY . If any of them returned NODE_ACCESS_DENY then access was denied. If neither did but one returned NODE_ACCESS_ALLOW then access was allowed. If neither of these values were returned by any implementation then the decision was made based on other rules but at the end of the day some code needed to grant access explicitly or access was denied. Other entities didn’t have access control. Also, blocks had some sort of access control in a very strange way: hook_block_list_alter is used -- even by core -- to remove the non-visible blocks. Drupal 8 Drupal 8 brings a unified entity API -- even blocks become entities. It also uses many of the same objects and concepts for routing access. Instead of constants, we now use objects implementing the AccessResultInterface . You can get an instance by calling the rather self descriptive AccessResult::allowed() , AccessResult::forbidden() , AccessResult::neutral() methods. If you are handed an AccessResultInterface object you can figure out which one it is by calling the isAllowed , isForbidden , isNeutral methods on it. Only one of them can return TRUE. Access results can be cached and... <div class="more-link"><a href="/blog/access-control" class="more-link" aria-label="Read more about Access Control" hreflang="en">Read more</a></div> </div> <span><span>ChX</span></span> <span><time datetime="2015-05-21T06:35:18-07:00" title="Thursday, May 21, 2015 - 06:35">Thu, 05/21/2015 - 06:35</time> </span> Thu, 21 May 2015 13:35:18 +0000 ChX 52 at https://www.tag1consulting.com