I struggle to set up custom access rules for "nodes" that are viewed via the
- jsonApi
- entityQueries which respond via a JSON endpoint
What I am trying to achieve:
I need to skip a node that belongs to an author's user account that is not within a running subscription (whether a user has a valid subscription is defined by a date value ... so if field_date_subscription_ends is < "now" = "false").
I need to skip a node that has a field_show_until_date. Again, if now is larger, I want to skip this entity in jsonApi responses and entityQuery responses.
Both these rules should be valid for just anonymous users.
I found out:
- hook_entity_access is never called by entityQueries or the jsonApi.
- xxx_node_grants should work, but as it does not provide logic in real time but instead just when the node is saved, I have no idea how to define a custom permission dependent on author:field_date_subscription_ends.
What I do not want is to filter this within the query. Also, as far as I know, this is not supported by the jsonAPI anyway.
I could run xxx_node_access_records for every existing node on cron to rebuild access rights dependent on the now date... but this seems totally insecure.
I just cannot believe that it is not possible to check on operation "view" if a node's author has a specific field value.
But as this topic is new to me... most likely I am just not informed about the really cool solutions that I just don't know about :)
Is the xxx_node_grants way to recreate node access on every cron the right way to go, or is there a way to check against a computed result somehow?