Drupal 7 Module Development

Recommendations

Info

Security Throughout this book, we have repeatedly discussed the question of security. What makes good security practice? How do we make code more secure? How do we protect against common attacks? That's because security is not a feature to be bolted into a program. It is part and parcel of the development process itself. Nonetheless, because it is such an important subject this appendix will give an overview of the tools Drupal offers to help make code more secure, and the sorts of things to think about when writing code to ensure that our code is as secure as possible. It is by no means exhaustive; many books have been written exclusively on the subject of security. However, it should lay a strong foundation for approaching code writing in a secure fashion. Thinking securely Security is a process. Specifically, it is a development process. The most important aspect of security is how we approach the code that we are going to write. We need to "think securely" in order to write robust code. Although there are many aspects to thinking securely, it can be summed up as "think paranoid". The vast majority of input into our system is going to be sane and what we expect, not dangerous. However, there will always be that last 1% that is not at all what we expect. It could be someone deliberately trying to break into our website. It could be a spambot trying to find vulnerabilities so that it can turn our site into a billboard for fake proscription drugs. Alternatively, it could just be an honest user who entered input that we didn't anticipate and account for. All of these things will happen at some point during the life of a website or web application, and the best way to protect against them is to assume that any input is a suspected attack until we can verify otherwise.
Security Always assume that incoming data is insecure until and unless it's been processed to ensure that it is safe. Most security vulnerabilities come from not properly checking whether a piece of data is what we expect it to be. Remember also that there are many of types of input. • Any information coming from the user, either in the GET query or a POST request, is input and may be insecure. • Any cookies the user sends are input, and may be faked. • Any files read from disk are input, which may contain data we do not expect. Even if not malicious, unexpected data formats can pose a serious security risk. • Any data stored in a database that we didn't write to may be insecure. • Even data stored in Drupal's own database may be insecure, unless we know for certain that we cleaned it before saving it. Data does not have to be malicious in order to be a security threat. Also remember that our website may not be the target of an attack. A very common tactic is to post comments on a website that contains JavaScript that, when viewed, will take over a user's web browser or trick them into visiting another site that will download malicious code to their computer. Although our site is not harmed, it is still used as a way to attack another user. We don't want that. Filtering versus escaping There are two ways of dealing with potentially insecure data, namely, filtering and escaping. Filtering involves stripping out portions of the data that could be trouble, or forcing the data into a simpler, safer form. Common practice in PHP is to filter all input into the system unequivocally. Drupal takes a slightly different tactic, as for certain pieces of content, such as a node body, we may not know the proper format in advance. If a user changes a text format setting, for instance, we don't want the user's previous text to be lost, just filtered differently. Instead, we filter it on output. [ 376 ]
Page 1 and 2:
www.allitebooks.com
Page 3 and 4:
Drupal 7 Module Development Copyrig
Page 5 and 6:
Foreword Drupal has its roots in th
Page 7 and 8:
About the Authors Matt Butcher is a
Page 9 and 10:
Larry Garfield is a Senior Architec
Page 11 and 12:
John Albin Wilkins has been a web d
Page 13 and 14:
Jojodae Ganesh Sivaji has been invo
Page 15 and 16:
Why Subscribe? • Fully searchable
Page 17 and 18:
Table of Contents Tools for develop
Page 19 and 20:
Table of Contents A shortcut for sy
Page 21 and 22:
Table of Contents Using hook_node_a
Page 23 and 24:
Table of Contents Creating a task 3
Page 25 and 26:
Preface Chapter 5, Building an Admi
Page 27 and 28:
Preface The system for handling thi
Page 30 and 31:
Developing for Drupal 7 Drupal is a
Page 32 and 33:
However, what we do want to start w
Page 34 and 35:
The Operating System Chapter 1 Wind
Page 36 and 37:
Chapter 1 Drupal core is the founda
Page 38 and 39:
Chapter 1 The database We have take
Page 40 and 41:
Chapter 1 The responsibility of the
Page 42 and 43:
Chapter 1 While one could imagine t
Page 44 and 45:
Chapter 1 We assume that you have y
Page 46:
Chapter 1 The following are a few o
Page 49 and 50:
Creating Your First Module We are g
Page 51 and 52:
Creating Your First Module As obvio
Page 53 and 54:
Creating Your First Module By Drupa
Page 55 and 56:
Creating Your First Module The next
Page 57 and 58:
Creating Your First Module When Dru
Page 59 and 60:
Creating Your First Module Doxygen-
Page 61 and 62:
Creating Your First Module The help
Page 63 and 64:
Creating Your First Module Drupal s
Page 65 and 66:
Creating Your First Module Finally,
Page 67 and 68:
Creating Your First Module Here's o
Page 69 and 70:
Creating Your First Module ); } } r
Page 71 and 72:
Creating Your First Module Not in J
Page 73 and 74:
Creating Your First Module There ar
Page 75 and 76:
Creating Your First Module The exam
Page 77 and 78:
Creating Your First Module Setting
Page 79 and 80:
Creating Your First Module } ); pub
Page 81 and 82:
Creating Your First Module You migh
Page 83 and 84:
Creating Your First Module The repo
Page 85 and 86:
Drupal’s Theme Layer This book is
Page 87 and 88:
Drupal’s Theme Layer There are ac
Page 89 and 90:
Drupal’s Theme Layer Theme engine
Page 91 and 92:
Drupal’s Theme Layer Preprocess f
Page 93 and 94:
Drupal’s Theme Layer A Drupal the
Page 95 and 96:
Drupal’s Theme Layer The theme()
Page 97 and 98:
Drupal’s Theme Layer Now, if you
Page 99 and 100:
Drupal’s Theme Layer A similar pr
Page 101 and 102:
Drupal’s Theme Layer Now, that wa
Page 103 and 104:
Drupal’s Theme Layer • #suffix:
Page 105 and 106:
Drupal’s Theme Layer Two powerful
Page 107 and 108:
Drupal’s Theme Layer 'menu_tree__
Page 109 and 110:
Drupal’s Theme Layer If a functio
Page 111 and 112:
Drupal’s Theme Layer We've also s
Page 113 and 114:
Drupal’s Theme Layer Summary You'
Page 115 and 116:
Theming a Module After all, if you
Page 117 and 118:
Theming a Module * Enables a single
Page 119 and 120:
Theming a Module * First draft! * *
Page 121 and 122:
Theming a Module Theming a Drupal b
Page 123 and 124:
Theming a Module Converting a theme
Page 125 and 126:
Theming a Module if (is_array($elem
Page 127 and 128:
Theming a Module Notice that the .b
Page 129 and 130:
Theming a Module } $block['content'
Page 131 and 132:
Theming a Module } 'variables' => a
Page 133 and 134:
Theming a Module } // Theme the use
Page 135 and 136:
Theming a Module // Create links fo
Page 137 and 138:
Theming a Module } // Load the acco
Page 139 and 140:
Theming a Module * - $user: The use
Page 141 and 142:
Theming a Module Summary In this ch
Page 143 and 144:
Building an Admin Interface Startin
Page 145 and 146:
Building an Admin Interface $items[
Page 147 and 148:
Building an Admin Interface 'access
Page 149 and 150:
Building an Admin Interface Each ar
Page 151 and 152:
Building an Admin Interface Other p
Page 153 and 154:
Building an Admin Interface Each el
Page 155 and 156:
Building an Admin Interface Drupal
Page 157 and 158:
Building an Admin Interface This is
Page 159 and 160:
Building an Admin Interface Form su
Page 161 and 162:
Building an Admin Interface A short
Page 163 and 164:
Building an Admin Interface } retur
Page 165 and 166:
Building an Admin Interface PHP mai
Page 167 and 168:
Building an Admin Interface Impleme
Page 169 and 170:
Building an Admin Interface Debuggi
Page 171 and 172:
Building an Admin Interface This te
Page 174 and 175:
Working with Content Drupal 7 intro
Page 176 and 177:
Chapter 6 The Schema API allows dat
Page 178 and 179:
'fields' => array( 'aid' => array(
Page 180 and 181:
Chapter 6 'fieldable' => TRUE, 'ent
Page 182 and 183:
Chapter 6 The return value from the
Page 184 and 185:
Chapter 6 In our case, we defined t
Page 186 and 187:
Chapter 6 Most entity operations in
Page 188 and 189:
[ 165 ] Chapter 6 This callback sim
Page 190 and 191:
Chapter 6 This page will simply gen
Page 192 and 193:
Chapter 6 This hook defines a new f
Page 194 and 195:
Submit callback The submit callback
Page 196 and 197:
Chapter 6 // Save the initial revis
Page 198 and 199:
Chapter 6 Master/slave database con
Page 200 and 201:
Chapter 6 array($artwork->aid => $a
Page 202 and 203:
Chapter 6 'access arguments' => arr
Page 204 and 205:
Chapter 6 } foreach ($artworks as $
Page 206 and 207:
Creating New Fields In the last cha
Page 208 and 209:
Chapter 7 Although an advanced topi
Page 210 and 211:
Chapter 7 The most important magic
Page 212 and 213:
Chapter 7 } } '#type' => 'select',
Page 214 and 215:
Chapter 7 Exposing fields to the Fo
Page 216 and 217:
Chapter 7 $element['width'] = array
Page 218 and 219:
Chapter 7 if ($widget['type'] == 'd
Page 220 and 221:
Chapter 7 } return; 'field_ui_field
Page 222 and 223:
Chapter 7 } function theme_dimfield
Page 224 and 225:
Chapter 7 } '@height' => $item['hei
Page 226 and 227:
Chapter 7 } else if ($settings['uni
Page 228 and 229:
Chapter 7 We can, of course, have m
Page 230 and 231:
Chapter 7 To demonstrate how entity
Page 232 and 233:
[ 209 ] Chapter 7 Now look at that
Page 234 and 235:
Drupal Permissions and Security Per
Page 236 and 237:
Chapter 8 The preceding code checks
Page 238 and 239:
Chapter 8 If we had accidentally ru
Page 240 and 241:
Chapter 8 The user_access() functio
Page 242 and 243:
In the first case, Are we looking a
Page 244 and 245:
Chapter 8 Declaring your own access
Page 246 and 247:
} Chapter 8 'page callback' => 'exa
Page 248 and 249:
Chapter 8 if (!flood_is_allowed('co
Page 250 and 251:
[ 227 ] Chapter 8 Enabling permissi
Page 252 and 253:
Chapter 8 } $permissions = array( '
Page 254 and 255:
Chapter 8 This approach is the prop
Page 256 and 257:
Chapter 8 Running access checks on
Page 258 and 259:
Chapter 8 Handling AJAX callbacks s
Page 260 and 261:
Chapter 8 As a result, we cannot tr
Page 262 and 263:
Chapter 8 This allows us to pass a
Page 264 and 265:
Node Access Out-of-the-box, Drupal
Page 266 and 267:
Chapter 9 The Node Access API allow
Page 268 and 269:
* - "delete" * - "create" * @param
Page 270 and 271:
Chapter 9 if (!user_access('access
Page 272 and 273:
Chapter 9 } if (module_implements('
Page 274 and 275:
Chapter 9 hook_node_access() is the
Page 276 and 277:
Chapter 9 Note that the {node_acces
Page 278 and 279:
Chapter 9 The basic permission 'cre
Page 280 and 281:
Chapter 9 It is a good idea to writ
Page 282 and 283:
Chapter 9 On node listing pages, th
Page 284 and 285:
Chapter 9 Writing a complete node a
Page 286 and 287:
• Can this user bypass node acces
Page 288 and 289:
Chapter 9 For our test module, we w
Page 290 and 291:
Chapter 9 When hook_node_access_rec
Page 292 and 293:
Chapter 9 A few things to consider
Page 294 and 295:
Chapter 9 Security considerations T
Page 296 and 297:
Chapter 9 Rebuilding the {node_acce
Page 298 and 299:
Chapter 9 Using the new hook_node_a
Page 300 and 301:
Chapter 9 We may alter any element
Page 302 and 303:
Chapter 9 } // Check anonymous user
Page 304 and 305:
Chapter 9 // Check the permission.
Page 306 and 307:
Chapter 9 The key to Devel Node Acc
Page 308 and 309:
Chapter 9 In the preceding case, th
Page 310 and 311:
JavaScript in Drupal JavaScript is
Page 312 and 313:
Chapter 10 Adding JavaScript and CS
Page 314 and 315:
Chapter 10 When a JavaScript librar
Page 316 and 317:
The following code adds a system CS
Page 318 and 319:
Chapter 10 The second argument can
Page 320 and 321:
Chapter 10 From here onwards, when
Page 322 and 323:
Chapter 10 If a renderable array is
Page 324 and 325:
Chapter 10 Drupal specific JavaScri
Page 326 and 327:
Chapter 10 There are three ways var
Page 328 and 329:
Chapter 10 AJAX helpers Included in
Page 330 and 331:
The callback function hello_world_s
Page 332 and 333:
Chapter 10 Once the response is set
Page 334 and 335:
ajax_command_prepend To add content
Page 336 and 337:
Working with Files and Images Drupa
Page 338 and 339:
Chapter 11 It is very important tha
Page 340 and 341:
Chapter 11 In order to open files f
Page 342 and 343:
Chapter 11 Stream wrappers If you'v
Page 344 and 345:
Chapter 11 In some cases you may no
Page 346 and 347:
Chapter 11 A read-only stream wrapp
Page 348 and 349: Chapter 11 } 'type' => STREAM_WRAPP
Page 350 and 351: Chapter 11 For full details of thes
Page 352 and 353: Chapter 11 After this setup, we sta
Page 354 and 355: Chapter 11 This is all very cool, b
Page 356 and 357: Chapter 11 This is where you can st
Page 358 and 359: Chapter 11 • form callback: If yo
Page 360 and 361: Chapter 11 Finally we can make the
Page 362 and 363: Chapter 11 Pretty cool right? Howev
Page 364 and 365: Chapter 11 As you can see, there is
Page 366 and 367: Installation Profiles This chapter
Page 368 and 369: Chapter 12 Profile modules and them
Page 370 and 371: Enabling modules Just like modules
Page 372 and 373: Chapter 12 • display_name: A huma
Page 374 and 375: Next, let's create a form to enter
Page 376 and 377: Chapter 12 Notice that $install_sta
Page 378 and 379: Chapter 12 Here, the task that sets
Page 380 and 381: Chapter 12 Each row being added to
Page 382 and 383: Chapter 12 // URL filter. 'filter_u
Page 384 and 385: Chapter 12 'locale' => 'en', ), //
Page 386 and 387: Database Access Although Drupal 7 h
Page 388 and 389: Appendix A Result objects The retur
Page 390 and 391: Appendix A The join() methods all r
Page 392 and 393: [ 369 ] Appendix A The db_insert()
Page 394 and 395: Appendix A A Merge query says, in e
Page 396 and 397: Appendix A Slave servers Drupal als
Page 400 and 401: Filtering The following guidelines
Page 402 and 403: First, whenever we write a query ag
Page 404: Appendix B There are both RSS feeds
Page 407 and 408: ajax_command_alert command 309 ajax
Page 409 and 410: Drupal, subsytems blocks 20 code te
Page 411 and 412: form handling 229 forms access chec
Page 413 and 414: K key() method 371 L label property
Page 415 and 416: evision handling 175 revisions hand
Page 417 and 418: U unit test 49 update queries 370 u
Page 419 and 420: Drupal 7 ISBN: 978-1-84951-286-2 Pa
show all

Drupal 7 Module Development

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?