Hi List,

I was just wondering. Now that there are separate hooks for the node API, is it necessary to check for permissions in every hook? E.g. The scheduler module has a permission for scheduling nodes. Do I need to check for that permission in let's say scheduler_node_update()?

Regards,
Eric
Technically, yes. But I would urge you not to check user_access() during such an operation. Doing so can break automated calls to node hooks. See Dave Cohen's bug report last week regarding comment form submission. It's related. Better to set a conditional form value to pass to your operation. (And this can be access-based.) Then only act if it is present.
Hi,

OK. There are access checks that prevent that user with the right privilege will see or can edit scheduler's values. There were also checks in hook_nodeapi (except for $op=='load') when I inherited the module. I always wondered if they were necessary. I guess not.

Thanks,
Eric
On Sat, 2011-02-05 at 20:31 +0100, Eric Schaefer wrote:
> Hi List,
> I was just wondering. Now that there are separate hooks for the node API, is it necessary to check for permissions in every hook? E.g. The scheduler module has a permission for scheduling nodes. Do I need to check for that permission in let's say scheduler_node_update()?
No, don't. The full access check is menu based. Implementations of your hooks are pure API and therefore shouldn't care about rights (except for the view-related stuff). Higher level API should take care of the user rights, not the low level API IMHO.

Pierre.
Scheduler uses a hook_form_alter to add the scheduling dates to the node form. That's where the access check belongs. In that function, either create the fields (authorized) or not (not authorized) to the form. Then scheduler_node_update can check the presence of the field.

BTW, it should probably be the same way in D6 (except "hook_nodeapi('update'...").

Nancy

Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.

________________________________
From: Pierre Rineau <pierre.rineau@makina-corpus.com>
To: development@drupal.org
Sent: Sat, February 5, 2011 8:55:18 PM
Subject: Re: [development] hook_node_*()

On Sat, 2011-02-05 at 20:31 +0100, Eric Schaefer wrote:
> Hi List,
> I was just wondering. Now that there are separate hooks for the node API, is it necessary to check for permissions in every hook? E.g. The scheduler module has a permission for scheduling nodes. Do I need to check for that permission in let's say scheduler_node_update()?
No, don't. The full access check is menu based. Implementations of your hooks are pure API and therefore shouldn't care about rights (except for the view-related stuff). Higher level API should take care of the user rights, not the low level API IMHO.

Pierre.
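
The pattern discussed in this thread (access check where the form is built, presence check in the update hook), as an added Drupal 7 sketch that is not part of the original posts and is not the Scheduler module's code. The module name `example_sched`, the permission string, the field name and the table are hypothetical.

```php
<?php
// Hypothetical module "example_sched". Assumed: the permission
// 'schedule example nodes' is declared in hook_permission() and a table
// {example_sched} (nid, publish_on) exists. Neither is shown here.

/**
 * Implements hook_form_BASE_FORM_ID_alter() for node_form.
 *
 * The only place the permission is checked: the field is built into the
 * node form solely for authorized users.
 */
function example_sched_form_node_form_alter(&$form, &$form_state, $form_id) {
  if (!user_access('schedule example nodes')) {
    return;
  }
  $node = $form['#node'];
  $form['example_sched_publish_on'] = array(
    '#type' => 'textfield',
    '#title' => t('Publish on'),
    '#description' => t('Format: YYYY-MM-DD HH:MM:SS. Leave empty to disable.'),
    // The existing value would be attached in hook_node_load() (not shown).
    '#default_value' => isset($node->example_sched_publish_on) ? $node->example_sched_publish_on : '',
  );
}

/**
 * Implements hook_node_update().
 *
 * No user_access() call here. $form_state['values'] only holds values for
 * elements that were actually built, so extra POST data for a field that
 * was never added is dropped and the property is absent for unauthorized
 * users. It is also absent for programmatic node_save() calls that did
 * not set it, which therefore pass through untouched.
 */
function example_sched_node_update($node) {
  if (!isset($node->example_sched_publish_on)) {
    return;
  }
  $publish_on = strtotime($node->example_sched_publish_on);
  db_merge('example_sched')
    ->key(array('nid' => $node->nid))
    ->fields(array('publish_on' => $publish_on ? $publish_on : 0))
    ->execute();
}
```

Code that sets `example_sched_publish_on` on a node object before calling node_save() takes the same path as an authorized form submission, so such callers are responsible for their own authorization.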
participants (4): Eric Schaefer, Ken Rickard, nan wich, Pierre Rineau