[development] Change URL on ajax call, but enforce access checks?

Yuval Hager yuval at avramzon.net
Sun Jun 1 12:07:50 UTC 2008


I'm trying to understand what is the best way to supply URL based content 
through Ajax, without compromising on security and access control.

When the user clicks on the widget, an ajax URL is called upon and served by a 
menu callback (e.g. http://example.com/myajax). 
I'd like to also relate to the URL that the widget is displayed upon. This is 
easily achieved by using a GET parameter on the ajax URL (e.g. 

The myajax callback might call other functions in the system that use argument 
checking (e.g. arg(0) == 'user' && is_numeric(arg(1) )). This is necessary if 
I want to use the same functions to generate content for the non-JS version. 
Therefore, I set:
  $_GET['q'] = $_GET['referer'];
before calling those other functions.

Assuming I don't know anything about those "other functions", this looks to me 
like a security risk. Since the whole access sub-system is using 'myajax' as 
the path for access checks. 
Those "other functions" might assume that access checks where already ran by 
Drupal subsystem, which I just bypassed.

Can you see a better way to implement this? maybe I should check 
_menu_item_is_accessible(menu_set_active_item($_GET['referer']))? It seems to 
work but looks a bit hackish to me...

Any help will be appreciated,


Yuval Hager
[T] +972-77-341-4155
[@] yuval at avramzon.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.drupal.org/pipermail/development/attachments/20080601/35f087ff/attachment.pgp 

More information about the development mailing list