Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

Access by Reference

456 sites Security covered
View on drupal.org

This module grants users read, update, or delete permissions on nodes based on various criteria. These include whether a node references the user directly, shares a profile value with the user, or inherits permissions from a referenced user or node. Permissions can be chained, but users should configure them carefully to avoid infinite loops.

Lightweight module that extends read, update or delete permissions to a user in the following cases:

  1. "User": The node references the user
  2. "User's mail"The node references the user's e-mail
  3. "Profile value": The node has a value in a specified field that is the same as one in the user's profile
  4. "Inherit from parent": The node references a node or user that the user has certain permissions on.

In each case, the rule only applies to logged-in users with general permission to access nodes by reference, and only on the node types and field names set in the configuration page.

Permissions are "chainable", but note that there is no protection against infinite loops, so some care is advised in configuration.

Example

Let's suppose you have a content type Sailboat (yacht_profile). Apart from the conventional methods, to use our system to extend edit access, you can do one of the following three things:

1. "User": Add a user_reference field to the yacht_profile content type, edit a Sailboat node to reference User1, and in the box labeled Grant Access to User referenced in this field, enter yacht_profile|user_reference and save.

2. "Profile value": Add a number or text field to the yacht_profile content type, like a membership_number, and use that same field in the user profile. Edit both to have the same value. In the box labeled Grant Access to User with Common Profile Value, enter yacht_profile|membership_number.

3. "Inherit from parent": Create another content type called Fleet. Let the "owner" of the fleet be in charge of all the boats in that fleet. Create an entity reference field in yacht_profile called my_fleet. Give User1 edit access to a new Fleet node, and also edit one or more sailboat nodes to refer to that node in my_fleet. In the box labeled Grant Access to Editor of Referenced Node, enter yacht_profile|my_fleet.

In all cases, be sure to set permissions to allow authenticated users to use Access by Reference.

Other Node Access Modules

Activity

Total releases
5
First release
Apr 2025
Latest release
1 month ago
Releases (12 mo)
2 ▼ from 3
Maintenance
Active

Release Timeline

Releases

Version Type Release date
5.0.0 Stable Jun 14, 2026
5.0.x-dev Dev Jun 14, 2026
4.0.1 Stable May 12, 2025
4.0.0 Stable Apr 28, 2025
4.0.x-dev Dev Apr 25, 2025