Drupal 7 Module Development

Drupal Permissions and Security

```php
      }
    }
  }
  // as the empty string denotes the anonymous user. In case we
  // are dealing with an anonymous user we set the user ID to 0.
  form_set_error('name', t('The username %name does not exist.',
    array('%name' => $node->name)));
  // Validate the "authored on" field.
  if (!empty($node->date) && strtotime($node->date) === FALSE) {
    form_set_error('date', t('You have to specify a valid date.'));
  }
  // Do node-type-specific validation checks.
  node_invoke($node, 'validate', $form);
  module_invoke_all('node_validate', $node, $form);
```

The inclusion of this access check may add a level of error prevention—in that users who cannot 'administer nodes' cannot alter the author without special permissions—but it does not make Drupal itself more secure. That is because the security for this form element is already set in the $form definition, so its usage here is redundant:

```php
// Node author information for administrators
$form['author'] = array(
  '#type' => 'fieldset',
  '#access' => user_access('administer nodes'),
  '#title' => t('Authoring information'),
  '#collapsible' => TRUE,
  '#collapsed' => TRUE,
  '#group' => 'additional_settings',
  '#attached' => array(
    'js' => array(drupal_get_path('module', 'node') . '/node.js'),
  ),
  '#weight' => 90,
);
```

Instead, placing an access check in the validate handler forces a module author to work around the code by replacing the core node_validate() and node_submit() callbacks, which may introduce additional errors or security holes in the code. For this reason, module authors are strongly discouraged from running access checks during form processing.
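The following is an added example, not code from the book or from Drupal core, showing the pattern the text recommends in a custom module form: the privileged element is gated with '#access' in the form definition, and the validate handler only checks data. The module name "mymodule", the permission name 'override mymodule status', the form ID mymodule_record_form and the form element names are assumptions made for the illustration.

```php
<?php
/**
 * Added example for a hypothetical module "mymodule" (not part of the book
 * or of Drupal core). Access control lives in the form definition via
 * '#access'; the validate handler contains no permission checks.
 */

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'override mymodule status' => array(
      'title' => t('Override the status of mymodule records'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Form builder for a simple record form.
 *
 * The 'status' element is only rendered and only takes user input for users
 * who hold the permission. Drupal 7's Form API ignores submitted input for an
 * element whose '#access' is FALSE and falls back to '#default_value', so a
 * client that forges a POST value for 'status' cannot set it.
 */
function mymodule_record_form($form, &$form_state) {
  $form['title'] = array(
    '#type' => 'textfield',
    '#title' => t('Title'),
    '#required' => TRUE,
  );
  $form['status'] = array(
    '#type' => 'select',
    '#title' => t('Status'),
    '#options' => array(0 => t('Draft'), 1 => t('Published')),
    '#default_value' => 0,
    // The access decision belongs here, not in the validate handler.
    '#access' => user_access('override mymodule status'),
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Save'),
  );
  return $form;
}

/**
 * Validation handler: data checks only.
 *
 * Repeating the permission check here, for example
 *   if (!user_access('override mymodule status')) { form_set_error(...); }
 * would be redundant with '#access' above and would force other modules that
 * need different behaviour to replace this handler, which is the problem the
 * text describes.
 */
function mymodule_record_form_validate($form, &$form_state) {
  if (drupal_strlen(trim($form_state['values']['title'])) < 3) {
    form_set_error('title', t('The title must be at least 3 characters long.'));
  }
}

/**
 * Submit handler.
 */
function mymodule_record_form_submit($form, &$form_state) {
  // For users without the permission, $form_state['values']['status'] holds
  // the '#default_value' (0) regardless of what the client submitted.
  $status = isset($form_state['values']['status'])
    ? (int) $form_state['values']['status']
    : 0;
  drupal_set_message(t('Saved %title with status @status.', array(
    '%title' => $form_state['values']['title'],
    '@status' => $status,
  )));
}
```

The form is built with drupal_get_form('mymodule_record_form') from a menu callback; because the gate is on the element itself, hook_form_alter() implementations in other modules can relax or tighten it by changing '#access' without touching the validate or submit handlers.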

[ 234 ]
