[development] Making #access required on forms
Gerhard Killesreiter
gerhard at killesreiter.de
Fri Oct 24 18:37:43 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Moshe Weitzman schrieb:
>> as more an more people use Drupal to provide non-traditional Webpages
>> (e.g. providing services using Ajax, Flex, ...) our traditional access
>> permission checks in hook_menu are less than ideal.
>
> I don't see a problem here. It is up to the service that exposes the
> functionality to control access. It feels like this is a solution in
> search of a problem.
I've encountered the same problem for a second time today. The problem
can be summarized as "submit a form in a way that does not involve
rendering a html page".
> Can we identify some more concrete use cases or an SA that would
> have been avoided had we implemented this?
- From the fact that I needed this functionality, I infer that there are
others who need it too.
I've found 111 invocations of drupal_execute in CVS for D5 alone. I
guess that there are 2-10 SAs in there.
>> For example, you can use drupal_execute to conveniently create content
>> or anything else. However, no check for access permissions is done since
>> this only happens in the menu hook for node/add/whatever.
>
> thats a feature. use reponsibly, just like the rest of our php code.
It is annoying if you want to do exactly that. To get around the
problem of #access-less forms, I need to hook_form_alter #access to
false for all of them and then one-by-one set permissions for the ones
I need.
Cheers,
Gerhard
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkCFfcACgkQfg6TFvELooQp7gCgnb7K7KEcV7wbgZmEUeXkBKTw
R4AAni9wGxk5iuEj2GF9bfHaoOFT2W5Q
=I9p8
-----END PGP SIGNATURE-----
More information about the development
mailing list