[development] Protecting URLS From Path
Daniel F. Kudwien
news at unleashedmind.com
Tue Nov 23 03:38:42 UTC 2010
> A user had created a page describing the single sign on process and
> given it the same URL as my menu_hook was registered, thus overriding
> the behavior provided by my module.
>
> So I thought I'd ask. Anyone know of a way for me to ensure that
> other menu paths (specifically aliases) cannot override the
> one provided by my module?
The Path/URL Alias API is still very poor, especially in D6. For D7, we heavily
improved it, but I doubt that there is a clean way for your module to invalidate
resp. prevent a path alias from being stored.
The possibility of being able to alias real/internal paths is a powerful
feature. But of course, users who do not know about Drupal's system internals
can unintentionally break actual module functionality by entering an alias that
is identical to a system path.
An easy way around this is to use modules like Pathauto and to configure/tweak
them so that all aliases follow a "secure" pattern, without allowing users to
override the alias to be "insecure".
I just did a quick search but couldn't find a module that tries to implement URL
alias validation. I'd say that such a validation would be really useful - and
should even considered to be moved into core's Path module for D8.
sun
More information about the development
mailing list