[development] Making #access required on forms

Angela Byron drupal-devel at webchick.net
Fri Oct 24 16:00:33 UTC 2008

Gerhard brought this up on the security team list, but it seems like 
it's worth broader discussion:


Hi there,

as more an more people use Drupal to provide non-traditional Webpages
(e.g. providing services using Ajax, Flex, ...) our traditional access
permission checks in hook_menu are less than ideal.

For example, you can use drupal_execute to conveniently create content
or anything else. However, no check for access permissions is done since
this only happens in the menu hook for node/add/whatever.

I therefore propose to push for D7 that the #access parameter on forms
be made mandatory.



My initial thought on the downside is that this has implications for 
people who are using drupal_execute() to perform programmatic tasks 
(node/block/etc. creation, etc.); they would no longer work unless the 
script switched to user with the proper credentials (so we should 
probably get a nice user switching API function in core). It is also 
something in the upgrade steps that, if missed, will cause forms to 
completely disappear which is bound to result in support requests.

On the other hand, it would provide extra security and would be akin to 
the way we force menu callbacks to provide an access control or they 
don't appear for anyone. It might also help us clean up some nasty 
places in core (node form, I am looking at you) where we have if 
(user_access(...)) hard-coded.

So, I echo: opinions? :)


More information about the development mailing list