Drupal 7 Module Development

Recommendations

Info

Chapter 9 The Node Access API allows modules to alter how the default Drupal CRUD workflow behaves. Normally, Drupal nodes are created by a single user. That user "owns" the node and, in most cases, may edit or delete the node at will. Some users, like the administrative user 1, may edit any node. But by default, Drupal has no concept of group ownership of nodes. Certain roles may be given permission to edit all nodes of a type (as shown by the core edit any Article content permission, for instance), but out of the box there is no provision for restricting access to view that content. The Node Access API evolved out of the need to define a flexible, extensible set of access rules. Much has improved in Drupal 7, so experienced developers will want to review this material carefully. Node Access permissions are checked in two instances: • When requests to act upon an individual node are made. • When database queries return lists of nodes that match given conditions. In order to handle node access securely, module developers need to be mindful of both cases. The first case is fairly simple, and is generally handled by a menu callback and the node_access() function. Unless your module intends to interfere with the normal handling of node_menu(), you may be able to skip the rest of this chapter. However, all module developers need to understand the impact of case two. Let's highlight it here. Any database query involving the {node} table must be built dynamically and be marked as a node access query. Failure to do so can introduce security vulnerabilities on sites running your code. To understand this rule, let's look at a simple example from Drupal core. The following query is found in node_page_default(), the function that provides the basic node listing page: $select = db_select('node', 'n') ->fields('n', array('nid')) ->condition('promote', 1) ->condition('status', 1) ->orderBy('sticky', 'DESC') ->orderBy('created', 'DESC') ->extend('PagerDefault') [ 243 ]
Node Access ->limit(variable_get('default_nodes_main', 10)) ->addTag('node_access'); $nids = $select->execute()->fetchCol(); This select statement uses Drupal 7's query builder to fetch a list of published nodes which have been promoted to the front page, ordered by "stickiness" and age. Notice, however, the final element of the query: ->addTag('node_access'). This directive invokes the node_query_node_access_alter() function which allows node access rules to be applied before the query is sent to the database. Failure to use the dynamic query builder and the node_access tag will mean that your select statement will bypass Drupal's built-in security features. Doing so may grant unwanted access to view, edit, or delete content by ignoring the permissions defined for the site. We won't go into the inner workings of node_query_node_access_alter() yet. Simply put, it ensures that any query to the {node} table properly enforces the node access rules defined for the site. Because of how this enforcement is handled, however, module developers have a near-infinite capacity to modify how Drupal handles access to nodes. The purpose of the rest of this chapter is to explain how this system is designed and the best ways for you to leverage the Node Access API to meet your specific needs. The node_access() function node_access() is the primary access callback for node operations. It is defined in node_menu() as the access callback for any attempt to create, view, edit or delete a node. The function itself is one of the more complex in Drupal core by virtue of the eight separate return statements within the function. Understanding the logic behind these returns is the key to using Node Access correctly. To begin, let's examine the documentation and initial lines of the node_access() function: /** * Determine whether the current user may perform the given operation * on the specified node. * * @param $op * The operation to be performed on the node. Possible values are: * - "view" * - "update" [ 244 ]
Page 1 and 2:
www.allitebooks.com
Page 3 and 4:
Drupal 7 Module Development Copyrig
Page 5 and 6:
Foreword Drupal has its roots in th
Page 7 and 8:
About the Authors Matt Butcher is a
Page 9 and 10:
Larry Garfield is a Senior Architec
Page 11 and 12:
John Albin Wilkins has been a web d
Page 13 and 14:
Jojodae Ganesh Sivaji has been invo
Page 15 and 16:
Why Subscribe? • Fully searchable
Page 17 and 18:
Table of Contents Tools for develop
Page 19 and 20:
Table of Contents A shortcut for sy
Page 21 and 22:
Table of Contents Using hook_node_a
Page 23 and 24:
Table of Contents Creating a task 3
Page 25 and 26:
Preface Chapter 5, Building an Admi
Page 27 and 28:
Preface The system for handling thi
Page 30 and 31:
Developing for Drupal 7 Drupal is a
Page 32 and 33:
However, what we do want to start w
Page 34 and 35:
The Operating System Chapter 1 Wind
Page 36 and 37:
Chapter 1 Drupal core is the founda
Page 38 and 39:
Chapter 1 The database We have take
Page 40 and 41:
Chapter 1 The responsibility of the
Page 42 and 43:
Chapter 1 While one could imagine t
Page 44 and 45:
Chapter 1 We assume that you have y
Page 46:
Chapter 1 The following are a few o
Page 49 and 50:
Creating Your First Module We are g
Page 51 and 52:
Creating Your First Module As obvio
Page 53 and 54:
Creating Your First Module By Drupa
Page 55 and 56:
Creating Your First Module The next
Page 57 and 58:
Creating Your First Module When Dru
Page 59 and 60:
Creating Your First Module Doxygen-
Page 61 and 62:
Creating Your First Module The help
Page 63 and 64:
Creating Your First Module Drupal s
Page 65 and 66:
Creating Your First Module Finally,
Page 67 and 68:
Creating Your First Module Here's o
Page 69 and 70:
Creating Your First Module ); } } r
Page 71 and 72:
Creating Your First Module Not in J
Page 73 and 74:
Creating Your First Module There ar
Page 75 and 76:
Creating Your First Module The exam
Page 77 and 78:
Creating Your First Module Setting
Page 79 and 80:
Creating Your First Module } ); pub
Page 81 and 82:
Creating Your First Module You migh
Page 83 and 84:
Creating Your First Module The repo
Page 85 and 86:
Drupal’s Theme Layer This book is
Page 87 and 88:
Drupal’s Theme Layer There are ac
Page 89 and 90:
Drupal’s Theme Layer Theme engine
Page 91 and 92:
Drupal’s Theme Layer Preprocess f
Page 93 and 94:
Drupal’s Theme Layer A Drupal the
Page 95 and 96:
Drupal’s Theme Layer The theme()
Page 97 and 98:
Drupal’s Theme Layer Now, if you
Page 99 and 100:
Drupal’s Theme Layer A similar pr
Page 101 and 102:
Drupal’s Theme Layer Now, that wa
Page 103 and 104:
Drupal’s Theme Layer • #suffix:
Page 105 and 106:
Drupal’s Theme Layer Two powerful
Page 107 and 108:
Drupal’s Theme Layer 'menu_tree__
Page 109 and 110:
Drupal’s Theme Layer If a functio
Page 111 and 112:
Drupal’s Theme Layer We've also s
Page 113 and 114:
Drupal’s Theme Layer Summary You'
Page 115 and 116:
Theming a Module After all, if you
Page 117 and 118:
Theming a Module * Enables a single
Page 119 and 120:
Theming a Module * First draft! * *
Page 121 and 122:
Theming a Module Theming a Drupal b
Page 123 and 124:
Theming a Module Converting a theme
Page 125 and 126:
Theming a Module if (is_array($elem
Page 127 and 128:
Theming a Module Notice that the .b
Page 129 and 130:
Theming a Module } $block['content'
Page 131 and 132:
Theming a Module } 'variables' => a
Page 133 and 134:
Theming a Module } // Theme the use
Page 135 and 136:
Theming a Module // Create links fo
Page 137 and 138:
Theming a Module } // Load the acco
Page 139 and 140:
Theming a Module * - $user: The use
Page 141 and 142:
Theming a Module Summary In this ch
Page 143 and 144:
Building an Admin Interface Startin
Page 145 and 146:
Building an Admin Interface $items[
Page 147 and 148:
Building an Admin Interface 'access
Page 149 and 150:
Building an Admin Interface Each ar
Page 151 and 152:
Building an Admin Interface Other p
Page 153 and 154:
Building an Admin Interface Each el
Page 155 and 156:
Building an Admin Interface Drupal
Page 157 and 158:
Building an Admin Interface This is
Page 159 and 160:
Building an Admin Interface Form su
Page 161 and 162:
Building an Admin Interface A short
Page 163 and 164:
Building an Admin Interface } retur
Page 165 and 166:
Building an Admin Interface PHP mai
Page 167 and 168:
Building an Admin Interface Impleme
Page 169 and 170:
Building an Admin Interface Debuggi
Page 171 and 172:
Building an Admin Interface This te
Page 174 and 175:
Working with Content Drupal 7 intro
Page 176 and 177:
Chapter 6 The Schema API allows dat
Page 178 and 179:
'fields' => array( 'aid' => array(
Page 180 and 181:
Chapter 6 'fieldable' => TRUE, 'ent
Page 182 and 183:
Chapter 6 The return value from the
Page 184 and 185:
Chapter 6 In our case, we defined t
Page 186 and 187:
Chapter 6 Most entity operations in
Page 188 and 189:
[ 165 ] Chapter 6 This callback sim
Page 190 and 191:
Chapter 6 This page will simply gen
Page 192 and 193:
Chapter 6 This hook defines a new f
Page 194 and 195:
Submit callback The submit callback
Page 196 and 197:
Chapter 6 // Save the initial revis
Page 198 and 199:
Chapter 6 Master/slave database con
Page 200 and 201:
Chapter 6 array($artwork->aid => $a
Page 202 and 203:
Chapter 6 'access arguments' => arr
Page 204 and 205:
Chapter 6 } foreach ($artworks as $
Page 206 and 207:
Creating New Fields In the last cha
Page 208 and 209:
Chapter 7 Although an advanced topi
Page 210 and 211:
Chapter 7 The most important magic
Page 212 and 213:
Chapter 7 } } '#type' => 'select',
Page 214 and 215:
Chapter 7 Exposing fields to the Fo
Page 216 and 217: Chapter 7 $element['width'] = array
Page 218 and 219: Chapter 7 if ($widget['type'] == 'd
Page 220 and 221: Chapter 7 } return; 'field_ui_field
Page 222 and 223: Chapter 7 } function theme_dimfield
Page 224 and 225: Chapter 7 } '@height' => $item['hei
Page 226 and 227: Chapter 7 } else if ($settings['uni
Page 228 and 229: Chapter 7 We can, of course, have m
Page 230 and 231: Chapter 7 To demonstrate how entity
Page 232 and 233: [ 209 ] Chapter 7 Now look at that
Page 234 and 235: Drupal Permissions and Security Per
Page 236 and 237: Chapter 8 The preceding code checks
Page 238 and 239: Chapter 8 If we had accidentally ru
Page 240 and 241: Chapter 8 The user_access() functio
Page 242 and 243: In the first case, Are we looking a
Page 244 and 245: Chapter 8 Declaring your own access
Page 246 and 247: } Chapter 8 'page callback' => 'exa
Page 248 and 249: Chapter 8 if (!flood_is_allowed('co
Page 250 and 251: [ 227 ] Chapter 8 Enabling permissi
Page 252 and 253: Chapter 8 } $permissions = array( '
Page 254 and 255: Chapter 8 This approach is the prop
Page 256 and 257: Chapter 8 Running access checks on
Page 258 and 259: Chapter 8 Handling AJAX callbacks s
Page 260 and 261: Chapter 8 As a result, we cannot tr
Page 262 and 263: Chapter 8 This allows us to pass a
Page 264 and 265: Node Access Out-of-the-box, Drupal
Page 268 and 269: * - "delete" * - "create" * @param
Page 270 and 271: Chapter 9 if (!user_access('access
Page 272 and 273: Chapter 9 } if (module_implements('
Page 274 and 275: Chapter 9 hook_node_access() is the
Page 276 and 277: Chapter 9 Note that the {node_acces
Page 278 and 279: Chapter 9 The basic permission 'cre
Page 280 and 281: Chapter 9 It is a good idea to writ
Page 282 and 283: Chapter 9 On node listing pages, th
Page 284 and 285: Chapter 9 Writing a complete node a
Page 286 and 287: • Can this user bypass node acces
Page 288 and 289: Chapter 9 For our test module, we w
Page 290 and 291: Chapter 9 When hook_node_access_rec
Page 292 and 293: Chapter 9 A few things to consider
Page 294 and 295: Chapter 9 Security considerations T
Page 296 and 297: Chapter 9 Rebuilding the {node_acce
Page 298 and 299: Chapter 9 Using the new hook_node_a
Page 300 and 301: Chapter 9 We may alter any element
Page 302 and 303: Chapter 9 } // Check anonymous user
Page 304 and 305: Chapter 9 // Check the permission.
Page 306 and 307: Chapter 9 The key to Devel Node Acc
Page 308 and 309: Chapter 9 In the preceding case, th
Page 310 and 311: JavaScript in Drupal JavaScript is
Page 312 and 313: Chapter 10 Adding JavaScript and CS
Page 314 and 315: Chapter 10 When a JavaScript librar
Page 316 and 317:
The following code adds a system CS
Page 318 and 319:
Chapter 10 The second argument can
Page 320 and 321:
Chapter 10 From here onwards, when
Page 322 and 323:
Chapter 10 If a renderable array is
Page 324 and 325:
Chapter 10 Drupal specific JavaScri
Page 326 and 327:
Chapter 10 There are three ways var
Page 328 and 329:
Chapter 10 AJAX helpers Included in
Page 330 and 331:
The callback function hello_world_s
Page 332 and 333:
Chapter 10 Once the response is set
Page 334 and 335:
ajax_command_prepend To add content
Page 336 and 337:
Working with Files and Images Drupa
Page 338 and 339:
Chapter 11 It is very important tha
Page 340 and 341:
Chapter 11 In order to open files f
Page 342 and 343:
Chapter 11 Stream wrappers If you'v
Page 344 and 345:
Chapter 11 In some cases you may no
Page 346 and 347:
Chapter 11 A read-only stream wrapp
Page 348 and 349:
Chapter 11 } 'type' => STREAM_WRAPP
Page 350 and 351:
Chapter 11 For full details of thes
Page 352 and 353:
Chapter 11 After this setup, we sta
Page 354 and 355:
Chapter 11 This is all very cool, b
Page 356 and 357:
Chapter 11 This is where you can st
Page 358 and 359:
Chapter 11 • form callback: If yo
Page 360 and 361:
Chapter 11 Finally we can make the
Page 362 and 363:
Chapter 11 Pretty cool right? Howev
Page 364 and 365:
Chapter 11 As you can see, there is
Page 366 and 367:
Installation Profiles This chapter
Page 368 and 369:
Chapter 12 Profile modules and them
Page 370 and 371:
Enabling modules Just like modules
Page 372 and 373:
Chapter 12 • display_name: A huma
Page 374 and 375:
Next, let's create a form to enter
Page 376 and 377:
Chapter 12 Notice that $install_sta
Page 378 and 379:
Chapter 12 Here, the task that sets
Page 380 and 381:
Chapter 12 Each row being added to
Page 382 and 383:
Chapter 12 // URL filter. 'filter_u
Page 384 and 385:
Chapter 12 'locale' => 'en', ), //
Page 386 and 387:
Database Access Although Drupal 7 h
Page 388 and 389:
Appendix A Result objects The retur
Page 390 and 391:
Appendix A The join() methods all r
Page 392 and 393:
[ 369 ] Appendix A The db_insert()
Page 394 and 395:
Appendix A A Merge query says, in e
Page 396 and 397:
Appendix A Slave servers Drupal als
Page 398 and 399:
Security Throughout this book, we h
Page 400 and 401:
Filtering The following guidelines
Page 402 and 403:
First, whenever we write a query ag
Page 404:
Appendix B There are both RSS feeds
Page 407 and 408:
ajax_command_alert command 309 ajax
Page 409 and 410:
Drupal, subsytems blocks 20 code te
Page 411 and 412:
form handling 229 forms access chec
Page 413 and 414:
K key() method 371 L label property
Page 415 and 416:
evision handling 175 revisions hand
Page 417 and 418:
U unit test 49 update queries 370 u
Page 419 and 420:
Drupal 7 ISBN: 978-1-84951-286-2 Pa
show all

Drupal 7 Module Development

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?