[development] Protecting URLS From Path

Daniel F. Kudwien news at unleashedmind.com
Tue Nov 23 03:38:42 UTC 2010

> A user had created a page describing the single sign on process and 
> given it the same URL as my menu_hook was registered, thus overriding 
> the behavior provided by my module.
> So I thought I'd ask.  Anyone know of a way for me to ensure that 
> other menu paths (specifically aliases) cannot override the 
> one provided by my module?

The Path/URL Alias API is still very poor, especially in D6.  For D7, we heavily
improved it, but I doubt that there is a clean way for your module to invalidate
resp. prevent a path alias from being stored.

The possibility of being able to alias real/internal paths is a powerful
feature.  But of course, users who do not know about Drupal's system internals
can unintentionally break actual module functionality by entering an alias that
is identical to a system path.

An easy way around this is to use modules like Pathauto and to configure/tweak
them so that all aliases follow a "secure" pattern, without allowing users to
override the alias to be "insecure".

I just did a quick search but couldn't find a module that tries to implement URL
alias validation.  I'd say that such a validation would be really useful - and
should even considered to be moved into core's Path module for D8.


More information about the development mailing list