[drupal-devel] [bug] Path module allows one to override existing
(non-aliased) paths.
Boris Mann
drupal-devel at drupal.org
Tue Feb 15 23:18:30 UTC 2005
Project: Drupal
Version: cvs
Component: path.module
Category: bug reports
Priority: critical
Assigned to: Anonymous
Reported by: adrian
Updated by: Boris Mann
Status: patch
When adrian said "user", he meant a site admin who is using one of our
hosted installs.
The issue remains: anyone can alias "admin" or any other existing path,
which will override existing pages.
Boris Mann
Previous comments:
------------------------------------------------------------------------
February 15, 2005 - 12:51 : adrian
Attachment: http://drupal.org/files/issues/path_menu_exists.diff (2.27 KB)
One of our users recently tried to link to /admin, using the path
module, and the link was allowed to be created.
This meant his admin menu was disabled, which should not be able to
happen.
Attached is a function added to menu.inc that steps through all the
menu items and finds out if there is a callback registered for a
specific path. Unfortunately, there still exist a few problems:
Only explicitly registered callbacks are detected. For instance: 'node'
will be picked up, but 'node/12' will be allowed. This is not as easy to
test for, because of how pages default back to the topmost callback
and pass the rest of the fields as parameters. The only way to work
around this is to explicitly define all callbacks that use parameters
with a 'paramaters'=> true in the item.
When an additional module gets enabled, any already specified links
will take precedence over the new links created by it.
------------------------------------------------------------------------
February 15, 2005 - 14:47 : Axel
I think we should just not allow users to change paths - this instrument
is for site admins/editors only. Additional checks will slow down the
path module. If a site admin wants to allow users to change paths in
their own manner, then that job must be done by a separate module, which
will offer an interface for changing paths with restrictions and
additional checks.
--
View: http://drupal.org/node/17386
Edit: http://drupal.org/project/comments/add/17386
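
The check discussed in this thread, as an added example (not the attached patch and not Drupal's API): it rejects an alias that matches a registered path exactly or falls under a callback flagged as taking parameters, and re-audits stored aliases after new paths are registered. The registry contents, the `takes_params` key (standing in for the flag proposed above) and all function names are assumptions.

```php
<?php
// Added example: constructed data and hypothetical names, not Drupal code.

// Constructed registry: path => whether its callback consumes trailing segments.
$registered = [
    'admin'      => ['takes_params' => true],
    'node'       => ['takes_params' => true],
    'user/login' => ['takes_params' => false],
];

/** Trim whitespace and slashes and drop empty segments so '/admin/' equals 'admin'. */
function normalize_path(string $path): string {
    return implode('/', array_filter(explode('/', trim($path)), 'strlen'));
}

/** Return the registered path that $alias would shadow, or null if there is none. */
function shadowed_path(string $alias, array $registered): ?string {
    $segments = explode('/', normalize_path($alias));
    $full = count($segments);
    // Walk from the full path towards the root; the deepest registered ancestor decides.
    for ($n = $full; $n > 0; $n--) {
        $candidate = implode('/', array_slice($segments, 0, $n));
        if (!isset($registered[$candidate])) {
            continue;
        }
        // An exact match always collides. A prefix match collides only when
        // that callback declares it receives the remaining segments.
        $exact = ($n === $full);
        return ($exact || $registered[$candidate]['takes_params']) ? $candidate : null;
    }
    return null;
}

/** Re-check stored aliases, for example after a newly enabled module registers paths. */
function audit_aliases(array $aliases, array $registered): array {
    $conflicts = [];
    foreach ($aliases as $alias) {
        $hit = shadowed_path($alias, $registered);
        if ($hit !== null) {
            $conflicts[$alias] = $hit;
        }
    }
    return $conflicts;
}

// Constructed aliases: the first two shadow registered paths, the last two do not.
print_r(audit_aliases(['/admin', 'node/12', 'user/login/help', 'about-us'], $registered));
```

Running `audit_aliases()` again whenever the registry changes addresses the second problem in the report, where aliases created earlier take precedence over paths a newly enabled module adds.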