[development] Making #access required on forms

Gerhard Killesreiter gerhard at killesreiter.de
Fri Oct 24 18:37:43 UTC 2008

Hash: SHA1

Moshe Weitzman schrieb:
>> as more an more people use Drupal to provide non-traditional Webpages
>> (e.g. providing services using Ajax, Flex, ...) our traditional access
>> permission checks in hook_menu are less than ideal.
> I don't see a problem here. It is up to the service that exposes the
> functionality to control access. It feels like this is a solution in
> search of a problem.

I've encountered the same problem for a second time today. The problem
can be summarized as "submit a form in a way that does not involve
rendering a html page".

> Can we identify some more concrete use cases or an SA that would
> have been avoided had we implemented this?

- From the fact that I needed this functionality, I infer that there are
others who need it too.

I've found 111 invocations of drupal_execute in CVS for D5 alone. I
guess that there are 2-10 SAs in there.

>> For example, you can use drupal_execute to conveniently create content
>> or anything else. However, no check for access permissions is done since
>> this only happens in the menu hook for node/add/whatever.
> thats a feature. use reponsibly, just like the rest of our php code.

It is annoying if you want to do exactly that. To get around the
problem of #access-less forms, I need to hook_form_alter #access to
false for all of them and then one-by-one set permissions for the ones
I need.

Version: GnuPG v1.4.9 (GNU/Linux)


More information about the development mailing list