nan_wich at bellsouth.net
Sun Feb 6 02:55:38 UTC 2011
Scheduler uses a hook_form_alter to add the scheduling dates to the node form.
That's where the access check belongs. In that function, either create the
fields (authorized) or not (not authorized) to the form. Then
scheduler_node_update can check the presence of the field. BTW, it should
probably be the same way in D6 (except "hook_nodeapi('update'...").
Injustice anywhere is a threat to justice everywhere. -- Dr. Martin L. King, Jr.
From: Pierre Rineau <pierre.rineau at makina-corpus.com>
To: development at drupal.org
Sent: Sat, February 5, 2011 8:55:18 PM
Subject: Re: [development] hook_node_*()
On Sat, 2011-02-05 at 20:31 +0100, Eric Schaefer wrote:
> Hi List,
> I was just wondering. Now that there are separate hooks for the node
> API, is it necessary to check for permissions in every hook? E.g. The
> scheduler module has a permission for scheduling nodes. Do I need to
> check for that permission in lets say scheduler_node_update()?
No, don't. The full access check is menu based. Implementation of your
hooks are pure API therefore shouldn't care about right (except for the
view related stuff).
Higher level API should take care of the user rights, not the low level
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the development