[development] Change URL on ajax call, but enforce access checks?
Yuval Hager
yuval at avramzon.net
Sun Jun 1 12:07:50 UTC 2008
Hi,
I'm trying to understand what the best way is to supply URL-based content
through Ajax, without compromising on security and access control.
When the user clicks on the widget, an ajax URL is called upon and served by a
menu callback (e.g. http://example.com/myajax).
I'd like to also relate to the URL that the widget is displayed upon. This is
easily achieved by using a GET parameter on the ajax URL (e.g.
http://example.com/myajax?referer=user/2)
The myajax callback might call other functions in the system that use argument
checking (e.g. arg(0) == 'user' && is_numeric(arg(1))). This is necessary if
I want to use the same functions to generate content for the non-JS version.
Therefore, I set:
<?php
$_GET['q'] = $_GET['referer'];
?>
before calling those other functions.
Assuming I don't know anything about those "other functions", this looks to me
like a security risk, since the whole access sub-system is using 'myajax' as
the path for access checks.
Those "other functions" might assume that access checks were already run by the
Drupal subsystem, which I just bypassed.
Can you see a better way to implement this? Maybe I should check
_menu_item_is_accessible(menu_set_active_item($_GET['referer']))? It seems to
work, but looks a bit hackish to me...
Any help will be appreciated,
Thanks,
--
Yuval Hager
[T] +972-77-341-4155
[@] yuval at avramzon.net
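One way to implement the check being asked about, as an added example that is not part of the original post or of Drupal core: the 'myajax' menu callback below runs the Drupal 6 router's own access check for the page the widget sits on (via menu_get_item(), which populates $item['access'] from that path's access callback) before switching $_GET['q'] so the reused argument-checking helpers see the page path. The path name 'myajax', the 'referer' parameter and the output produced are assumptions for illustration; the core functions called (menu_get_item, menu_set_active_item, drupal_get_normal_path, drupal_access_denied, drupal_json, arg, check_plain) are Drupal 6 APIs.

```php
<?php
// Added example (not from the original post or from Drupal core): a Drupal 6
// menu callback for the hypothetical path 'myajax' that re-runs the router's
// access check for the page the widget was rendered on before reusing that
// page's argument-checking helpers.

/**
 * Implementation of hook_menu() (module name 'myajax' is an assumption).
 *
 * Access to 'myajax' itself is deliberately open: the real decision is made
 * per request against the referer path inside myajax_page().
 */
function myajax_menu() {
  $items['myajax'] = array(
    'page callback'   => 'myajax_page',
    'access callback' => TRUE,
    'type'            => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Returns TRUE if the current user may view the page at $referer, as decided
 * by that page's own router entry (access callback + access arguments).
 */
function myajax_referer_accessible($referer) {
  // $referer is attacker-controlled. Accept only a plain internal path:
  // no scheme, no protocol-relative '//', no leading slash.
  if (!is_string($referer) || $referer === '' || preg_match('@^(?:[a-z][a-z0-9+.-]*:|/)@i', $referer)) {
    return FALSE;
  }
  // Resolve a path alias (e.g. 'people/yuval' -> 'user/2') so the check is
  // made against the real router path.
  $path = drupal_get_normal_path($referer);

  // menu_get_item() translates the router item for $path and sets
  // $item['access'] exactly as it would for a normal (non-JS) request.
  $item = menu_get_item($path);
  return $item && !empty($item['access']);
}

/**
 * Page callback for 'myajax'.
 */
function myajax_page() {
  $referer = isset($_GET['referer']) ? $_GET['referer'] : '';

  if (!myajax_referer_accessible($referer)) {
    // Same 403 the user would get on the non-JS page.
    drupal_access_denied();
    return;
  }

  // Only after the check has passed make arg() see the page's path. This is
  // the core helper for doing so; it sets $_GET['q'] for the rest of the
  // request, so every helper that inspects arg(0), arg(1), ... now behaves
  // as it does on the page itself.
  menu_set_active_item(drupal_get_normal_path($referer));

  // Stand-in for the "other functions" that build the widget content from
  // arg(). Anything they load themselves (nodes, users, ...) must still do
  // its own access checks; the check above only covers page-level access.
  $output = check_plain(arg(0)) . '/' . check_plain(arg(1));

  drupal_json(array('status' => TRUE, 'data' => $output));
}
```

The scheme/slash rejection is there because the referer is a free-form query parameter: without it a client could pass a full URL or a path the router never resolves, and the access decision would be made on the wrong thing. The check covers only what the router knows about the page; helpers that load entities on their own still need their own node_access()/user access checks, and those are not replaced by this callback.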