[development] Changing Roles (was Deleting Cached Permissions)

Karoly Negyesi karoly at negyesi.net
Tue Aug 28 11:04:11 UTC 2007

Finally, we have a goal: "I want to change access control to a certain page based on various input (like GET) variables".

Just overdefine the menu item that you want to change and define your access mechanism. Because node/add is defined as cached you can put your menu definiton in !$may_cache with the same path -- it will overwrite the original definition. In Drupal 6, you want to do a hook_menu_alter and use your own access callback. This does not need fiddling with core.

Changing user_access could lead to very obscure and hard to debug priviledge escalation holes: some code may make presumptions about if a page is allowed by menu then certain permissions are set which might not be true if you fiddle with roles on the fly. Saying that this does not happen currently won't change the fact that it could. 



More information about the development mailing list