<br><br><div class="gmail_quote">On Fri, Oct 24, 2008 at 12:00 PM, Angela Byron <span dir="ltr"><<a href="mailto:drupal-devel@webchick.net">drupal-devel@webchick.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Gerhard brought this up on the security team list, but it seems like it's worth broader discussion:<br>
<br>
---<br>
<br>
Hi there,<br>
<br>
as more an more people use Drupal to provide non-traditional Webpages<br>
(e.g. providing services using Ajax, Flex, ...) our traditional access<br>
permission checks in hook_menu are less than ideal.<br>
<br>
For example, you can use drupal_execute to conveniently create content<br>
or anything else. However, no check for access permissions is done since<br>
this only happens in the menu hook for node/add/whatever.<br>
<br>
I therefore propose to push for D7 that the #access parameter on forms<br>
be made mandatory.<br>
<br>
Opinions?<br>
<br>
---<br>
<br>
My initial thought on the downside is that this has implications for people who are using drupal_execute() to perform programmatic tasks (node/block/etc. creation, etc.); they would no longer work unless the script switched to user with the proper credentials (so we should probably get a nice user switching API function in core). It is also something in the upgrade steps that, if missed, will cause forms to completely disappear which is bound to result in support requests.<br>
<br>
On the other hand, it would provide extra security and would be akin to the way we force menu callbacks to provide an access control or they don't appear for anyone. It might also help us clean up some nasty places in core (node form, I am looking at you) where we have if (user_access(...)) hard-coded.<br>
<br>
So, I echo: opinions? :)<br>
<br>
-Angie</blockquote><div><br></div><div>I don't think that it should be a requirement or forced on developers. I do think it should be recommended. The processing, submission, and validation logic will have to be updated per form, especially if #access is used at the element level. #access is there and has been there. If someone has a good idea of a way to use it more effectively, document it and promote the approach.</div>
</div><br><div><br></div>