[development] access module

Dmitri G dmitrig01 at gmail.com
Fri Aug 22 16:46:43 UTC 2008


I disagree with the fact that you turn to JavaScript as an access
logging solution.

Access logging needs to log *everything*, but what if a user has
JavaScript turned off, as many do?
Oh well. They won't be logged.

Why don't you use hook_boot, which is new in Drupal 6, and runs for
*every* page, even ones that are cached aggressively. That way, you
don't run into problems of generating tokens (which you would have to
do per-page-load) and such.

Dmitri

On Fri, Aug 22, 2008 at 8:55 AM, Balazs Dianiska <csillagasz at gmail.com> wrote:
>> I wouldn't worry too much about misuse, since people could just visit the
>> page hundreds of times anyway to achieve the same result - just make a post
>> request to a javascript menu callback, and log from there.
>
> I was concerned about that one could fabricate a post call and do it
> programmaticaly. Having validation at least requires semi-real visits
> from a JS capable browser and some automatization, which hopefully is
> a little bit more difficult to do on large scale than the fabrication.
>
> However it just dawned on me that I could just check for a session in
> the callback code, which should prevent most fabrications to work.
>
> Earnie: yes I looked at other alternatives, but none of them seems to
> give me the simple output of the standard access module, just more
> accurately (-bots).
>
> Thanks for the feedback,
> Balazs
>


More information about the development mailing list