Drupal 7 Module Development

Recommendations

Info

Chapter 8 Handling AJAX callbacks securely Drupal 7 comes with an enhanced AJAX framework that makes it easy to build interactive display elements for pages and forms. The security problem for Drupal is that AJAX callbacks take the form of menu callbacks, which unlike most Drupal forms, are essentially GET requests to the browser. This fact means that any request to an AJAX callback must be treated as malicious and that all such requests must be tested for validity before an AJAX response can be sent. Using AJAX in forms When using the #ajax element with the Forms API, Drupal automatically secures the AJAX callback by checking the validity of the form request. This action only works, of course, if you follow the FormsAPI correctly. Using the #ajax form element triggers the ajax_get_form() function, which uses form_build_id to test for validity: function ajax_get_form() { $form_state = form_state_defaults(); $form_build_id = $_POST['form_build_id']; // Get the form from the cache. $form = form_get_cache($form_build_id, $form_state); if (!$form) { // If $form cannot be loaded from the cache, the form_build_id // in $_POST must be invalid, which means that someone // performed a POST request onto system/ajax without actually // viewing the concerned form in the browser. // This is likely a hacking attempt as it never happens under // normal circumstances, so we just do nothing. watchdog('ajax', 'Invalid form POST data.', array(), WATCHDOG_WARNING); drupal_exit(); } // ... As we saw in the preceding section that form_build_id ensured that the form request was issued by the Drupal site and was valid. [ 235 ]
Drupal Permissions and Security Using AJAX in other contexts While form handling of AJAX provides both a tidy API and a security check, we are not so lucky when using other AJAX callbacks. To quote Greg Knaddison, member of the Drupal security team and author of Cracking Drupal, the definitive work on Drupal security: [I]t is often tempting when building a rich AJAX feature to slip back into creating a CSRF vulnerability via GET requests….However, because this practice of taking action in response to GET requests is not as common or standard as the form system, there is no way to provide this protection automatically or easily. Cracking Drupal, pg 18. To understand the point, let's look at a typical AJAX menu callback use case. Suppose we want a module that allows users to add or delete items from a list via a dynamic AJAX callback. The module might set up something like the following: function example_menu() { $items = array(); $items['example-ajax/%item/add'] = array( 'title' => 'Example AJAX add to list', 'page callback' => 'example_ajax_add', 'page arguments' => array(1), 'access arguments' => array('add to my list'), 'type' => MENU_CALLBACK, ); return $items; } function example_ajax_add($item) { // Do something. } Looking at the preceding code, several issues should be immediately apparent: • The default access callback user_access() is probably insufficient, since we are managing a per-user list • The permission add to my list provides no means to check if the user is the owner of the list being edited • Simply trying to hide the menu item from the site navigation (through the use of the MENU_CALLBACK property) will not prevent other users (or even search engine crawlers) from eventually finding the page [ 236 ]
Page 1 and 2:
www.allitebooks.com
Page 3 and 4:
Drupal 7 Module Development Copyrig
Page 5 and 6:
Foreword Drupal has its roots in th
Page 7 and 8:
About the Authors Matt Butcher is a
Page 9 and 10:
Larry Garfield is a Senior Architec
Page 11 and 12:
John Albin Wilkins has been a web d
Page 13 and 14:
Jojodae Ganesh Sivaji has been invo
Page 15 and 16:
Why Subscribe? • Fully searchable
Page 17 and 18:
Table of Contents Tools for develop
Page 19 and 20:
Table of Contents A shortcut for sy
Page 21 and 22:
Table of Contents Using hook_node_a
Page 23 and 24:
Table of Contents Creating a task 3
Page 25 and 26:
Preface Chapter 5, Building an Admi
Page 27 and 28:
Preface The system for handling thi
Page 30 and 31:
Developing for Drupal 7 Drupal is a
Page 32 and 33:
However, what we do want to start w
Page 34 and 35:
The Operating System Chapter 1 Wind
Page 36 and 37:
Chapter 1 Drupal core is the founda
Page 38 and 39:
Chapter 1 The database We have take
Page 40 and 41:
Chapter 1 The responsibility of the
Page 42 and 43:
Chapter 1 While one could imagine t
Page 44 and 45:
Chapter 1 We assume that you have y
Page 46:
Chapter 1 The following are a few o
Page 49 and 50:
Creating Your First Module We are g
Page 51 and 52:
Creating Your First Module As obvio
Page 53 and 54:
Creating Your First Module By Drupa
Page 55 and 56:
Creating Your First Module The next
Page 57 and 58:
Creating Your First Module When Dru
Page 59 and 60:
Creating Your First Module Doxygen-
Page 61 and 62:
Creating Your First Module The help
Page 63 and 64:
Creating Your First Module Drupal s
Page 65 and 66:
Creating Your First Module Finally,
Page 67 and 68:
Creating Your First Module Here's o
Page 69 and 70:
Creating Your First Module ); } } r
Page 71 and 72:
Creating Your First Module Not in J
Page 73 and 74:
Creating Your First Module There ar
Page 75 and 76:
Creating Your First Module The exam
Page 77 and 78:
Creating Your First Module Setting
Page 79 and 80:
Creating Your First Module } ); pub
Page 81 and 82:
Creating Your First Module You migh
Page 83 and 84:
Creating Your First Module The repo
Page 85 and 86:
Drupal’s Theme Layer This book is
Page 87 and 88:
Drupal’s Theme Layer There are ac
Page 89 and 90:
Drupal’s Theme Layer Theme engine
Page 91 and 92:
Drupal’s Theme Layer Preprocess f
Page 93 and 94:
Drupal’s Theme Layer A Drupal the
Page 95 and 96:
Drupal’s Theme Layer The theme()
Page 97 and 98:
Drupal’s Theme Layer Now, if you
Page 99 and 100:
Drupal’s Theme Layer A similar pr
Page 101 and 102:
Drupal’s Theme Layer Now, that wa
Page 103 and 104:
Drupal’s Theme Layer • #suffix:
Page 105 and 106:
Drupal’s Theme Layer Two powerful
Page 107 and 108:
Drupal’s Theme Layer 'menu_tree__
Page 109 and 110:
Drupal’s Theme Layer If a functio
Page 111 and 112:
Drupal’s Theme Layer We've also s
Page 113 and 114:
Drupal’s Theme Layer Summary You'
Page 115 and 116:
Theming a Module After all, if you
Page 117 and 118:
Theming a Module * Enables a single
Page 119 and 120:
Theming a Module * First draft! * *
Page 121 and 122:
Theming a Module Theming a Drupal b
Page 123 and 124:
Theming a Module Converting a theme
Page 125 and 126:
Theming a Module if (is_array($elem
Page 127 and 128:
Theming a Module Notice that the .b
Page 129 and 130:
Theming a Module } $block['content'
Page 131 and 132:
Theming a Module } 'variables' => a
Page 133 and 134:
Theming a Module } // Theme the use
Page 135 and 136:
Theming a Module // Create links fo
Page 137 and 138:
Theming a Module } // Load the acco
Page 139 and 140:
Theming a Module * - $user: The use
Page 141 and 142:
Theming a Module Summary In this ch
Page 143 and 144:
Building an Admin Interface Startin
Page 145 and 146:
Building an Admin Interface $items[
Page 147 and 148:
Building an Admin Interface 'access
Page 149 and 150:
Building an Admin Interface Each ar
Page 151 and 152:
Building an Admin Interface Other p
Page 153 and 154:
Building an Admin Interface Each el
Page 155 and 156:
Building an Admin Interface Drupal
Page 157 and 158:
Building an Admin Interface This is
Page 159 and 160:
Building an Admin Interface Form su
Page 161 and 162:
Building an Admin Interface A short
Page 163 and 164:
Building an Admin Interface } retur
Page 165 and 166:
Building an Admin Interface PHP mai
Page 167 and 168:
Building an Admin Interface Impleme
Page 169 and 170:
Building an Admin Interface Debuggi
Page 171 and 172:
Building an Admin Interface This te
Page 174 and 175:
Working with Content Drupal 7 intro
Page 176 and 177:
Chapter 6 The Schema API allows dat
Page 178 and 179:
'fields' => array( 'aid' => array(
Page 180 and 181:
Chapter 6 'fieldable' => TRUE, 'ent
Page 182 and 183:
Chapter 6 The return value from the
Page 184 and 185:
Chapter 6 In our case, we defined t
Page 186 and 187:
Chapter 6 Most entity operations in
Page 188 and 189:
[ 165 ] Chapter 6 This callback sim
Page 190 and 191:
Chapter 6 This page will simply gen
Page 192 and 193:
Chapter 6 This hook defines a new f
Page 194 and 195:
Submit callback The submit callback
Page 196 and 197:
Chapter 6 // Save the initial revis
Page 198 and 199:
Chapter 6 Master/slave database con
Page 200 and 201:
Chapter 6 array($artwork->aid => $a
Page 202 and 203:
Chapter 6 'access arguments' => arr
Page 204 and 205:
Chapter 6 } foreach ($artworks as $
Page 206 and 207:
Creating New Fields In the last cha
Page 208 and 209: Chapter 7 Although an advanced topi
Page 210 and 211: Chapter 7 The most important magic
Page 212 and 213: Chapter 7 } } '#type' => 'select',
Page 214 and 215: Chapter 7 Exposing fields to the Fo
Page 216 and 217: Chapter 7 $element['width'] = array
Page 218 and 219: Chapter 7 if ($widget['type'] == 'd
Page 220 and 221: Chapter 7 } return; 'field_ui_field
Page 222 and 223: Chapter 7 } function theme_dimfield
Page 224 and 225: Chapter 7 } '@height' => $item['hei
Page 226 and 227: Chapter 7 } else if ($settings['uni
Page 228 and 229: Chapter 7 We can, of course, have m
Page 230 and 231: Chapter 7 To demonstrate how entity
Page 232 and 233: [ 209 ] Chapter 7 Now look at that
Page 234 and 235: Drupal Permissions and Security Per
Page 236 and 237: Chapter 8 The preceding code checks
Page 238 and 239: Chapter 8 If we had accidentally ru
Page 240 and 241: Chapter 8 The user_access() functio
Page 242 and 243: In the first case, Are we looking a
Page 244 and 245: Chapter 8 Declaring your own access
Page 246 and 247: } Chapter 8 'page callback' => 'exa
Page 248 and 249: Chapter 8 if (!flood_is_allowed('co
Page 250 and 251: [ 227 ] Chapter 8 Enabling permissi
Page 252 and 253: Chapter 8 } $permissions = array( '
Page 254 and 255: Chapter 8 This approach is the prop
Page 256 and 257: Chapter 8 Running access checks on
Page 260 and 261: Chapter 8 As a result, we cannot tr
Page 262 and 263: Chapter 8 This allows us to pass a
Page 264 and 265: Node Access Out-of-the-box, Drupal
Page 266 and 267: Chapter 9 The Node Access API allow
Page 268 and 269: * - "delete" * - "create" * @param
Page 270 and 271: Chapter 9 if (!user_access('access
Page 272 and 273: Chapter 9 } if (module_implements('
Page 274 and 275: Chapter 9 hook_node_access() is the
Page 276 and 277: Chapter 9 Note that the {node_acces
Page 278 and 279: Chapter 9 The basic permission 'cre
Page 280 and 281: Chapter 9 It is a good idea to writ
Page 282 and 283: Chapter 9 On node listing pages, th
Page 284 and 285: Chapter 9 Writing a complete node a
Page 286 and 287: • Can this user bypass node acces
Page 288 and 289: Chapter 9 For our test module, we w
Page 290 and 291: Chapter 9 When hook_node_access_rec
Page 292 and 293: Chapter 9 A few things to consider
Page 294 and 295: Chapter 9 Security considerations T
Page 296 and 297: Chapter 9 Rebuilding the {node_acce
Page 298 and 299: Chapter 9 Using the new hook_node_a
Page 300 and 301: Chapter 9 We may alter any element
Page 302 and 303: Chapter 9 } // Check anonymous user
Page 304 and 305: Chapter 9 // Check the permission.
Page 306 and 307: Chapter 9 The key to Devel Node Acc
Page 308 and 309:
Chapter 9 In the preceding case, th
Page 310 and 311:
JavaScript in Drupal JavaScript is
Page 312 and 313:
Chapter 10 Adding JavaScript and CS
Page 314 and 315:
Chapter 10 When a JavaScript librar
Page 316 and 317:
The following code adds a system CS
Page 318 and 319:
Chapter 10 The second argument can
Page 320 and 321:
Chapter 10 From here onwards, when
Page 322 and 323:
Chapter 10 If a renderable array is
Page 324 and 325:
Chapter 10 Drupal specific JavaScri
Page 326 and 327:
Chapter 10 There are three ways var
Page 328 and 329:
Chapter 10 AJAX helpers Included in
Page 330 and 331:
The callback function hello_world_s
Page 332 and 333:
Chapter 10 Once the response is set
Page 334 and 335:
ajax_command_prepend To add content
Page 336 and 337:
Working with Files and Images Drupa
Page 338 and 339:
Chapter 11 It is very important tha
Page 340 and 341:
Chapter 11 In order to open files f
Page 342 and 343:
Chapter 11 Stream wrappers If you'v
Page 344 and 345:
Chapter 11 In some cases you may no
Page 346 and 347:
Chapter 11 A read-only stream wrapp
Page 348 and 349:
Chapter 11 } 'type' => STREAM_WRAPP
Page 350 and 351:
Chapter 11 For full details of thes
Page 352 and 353:
Chapter 11 After this setup, we sta
Page 354 and 355:
Chapter 11 This is all very cool, b
Page 356 and 357:
Chapter 11 This is where you can st
Page 358 and 359:
Chapter 11 • form callback: If yo
Page 360 and 361:
Chapter 11 Finally we can make the
Page 362 and 363:
Chapter 11 Pretty cool right? Howev
Page 364 and 365:
Chapter 11 As you can see, there is
Page 366 and 367:
Installation Profiles This chapter
Page 368 and 369:
Chapter 12 Profile modules and them
Page 370 and 371:
Enabling modules Just like modules
Page 372 and 373:
Chapter 12 • display_name: A huma
Page 374 and 375:
Next, let's create a form to enter
Page 376 and 377:
Chapter 12 Notice that $install_sta
Page 378 and 379:
Chapter 12 Here, the task that sets
Page 380 and 381:
Chapter 12 Each row being added to
Page 382 and 383:
Chapter 12 // URL filter. 'filter_u
Page 384 and 385:
Chapter 12 'locale' => 'en', ), //
Page 386 and 387:
Database Access Although Drupal 7 h
Page 388 and 389:
Appendix A Result objects The retur
Page 390 and 391:
Appendix A The join() methods all r
Page 392 and 393:
[ 369 ] Appendix A The db_insert()
Page 394 and 395:
Appendix A A Merge query says, in e
Page 396 and 397:
Appendix A Slave servers Drupal als
Page 398 and 399:
Security Throughout this book, we h
Page 400 and 401:
Filtering The following guidelines
Page 402 and 403:
First, whenever we write a query ag
Page 404:
Appendix B There are both RSS feeds
Page 407 and 408:
ajax_command_alert command 309 ajax
Page 409 and 410:
Drupal, subsytems blocks 20 code te
Page 411 and 412:
form handling 229 forms access chec
Page 413 and 414:
K key() method 371 L label property
Page 415 and 416:
evision handling 175 revisions hand
Page 417 and 418:
U unit test 49 update queries 370 u
Page 419 and 420:
Drupal 7 ISBN: 978-1-84951-286-2 Pa
show all

Drupal 7 Module Development

Create successful ePaper yourself

Delete template?

Save as template?