[development] Change URL on ajax call, but enforce access checks?
Yuval Hager
yuval at avramzon.net
Mon Jun 2 04:14:28 UTC 2008
On Sunday 01 June 2008, Moshe Weitzman wrote:
> arg() checking is discouraged in modern Drupal for this very reason.
> Each Drupal release we have been able to get rid of more of them in
> core and with the D6 menu system, I really doubt we need any of these
> calls to arg(). Contrib modules that use arg() for access control
> should refactor and let the menu system handle access control.
>
> Your workaround looks fine if it works and has no side effects. Needs
> testing.
It looked like it was working in most cases, but there is a certain case where
it fails.
If the user with uid==1 (admin) is browsing the site, running:
<?php
menu_set_active_item('user/2');
if (!_menu_item_is_accessible(menu_get_active_item())) {
  drupal_access_denied();
}
?>
gets me access denied every time. I tried to follow the code using a debugger,
but can't get my head around the structure of $menu. Any idea how to get the
access checking results correctly here?
(btw, this is Drupal 5.x)
--
Yuval Hager
[T] +972-77-341-4155
[@] yuval at avramzon.net