Drupal - Security check all site paths by role

I'm writing this in the forlorn hope that someone has already done something similar. I would have posted on drupal.org - but that site is about as user-friendly as a kick in the tomatoes.

I don't know about you, but when I develop I leave all my Drupal paths with open access, and then think about locking them down with access permissions at the end.

What would be really useful is a module which parses all the paths available (by basically deconstructing the contents of the menu_router table) and then tries them (curl?) in turn whilst logged in as a given user with a given set of roles.

The output would be a simple html page saying which paths are accessible and which are not.

I'm almost resigned to doing this myself, but if anyone knows of anything vaguely similar I'd be more than grateful to hear about it.

Cheers

UPDATE

Following a great idea from Yorirou, I knocked together a simple module to provide the output I was looking for.

You can get the code here: http://github.com/hymanroth/Path-Lockdown


My first attempt would be a function like this:

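function check_paths($uid) {
  global $user;
  // Remember the real user so it can be restored afterwards.
  $origuser = $user;
  // Impersonate the account whose access is being checked.
  $user = user_load($uid);

  $paths = array();
  // Every path declared by any module's hook_menu() implementation.
  foreach (array_keys(module_invoke_all('menu')) as $path) {
    // Note: this runs the page callback of every path the user can reach.
    $result = menu_execute_active_handler($path);
    // Strict comparison: page output that merely starts with a digit must
    // not be mistaken for one of the integer status constants.
    if ($result !== MENU_ACCESS_DENIED && $result !== MENU_NOT_FOUND) {
      $paths[$path] = TRUE;
    }
    else {
      $paths[$path] = FALSE;
    }
  }

  // Switch back to the real user.
  $user = $origuser;

  return $paths;
}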

This is good for a first time, but it can't handle wildcard paths (% in the menu path). Loading all possible values can be an option, but it doesn't work in all cases. For instance, if you have %node for example, then you can use node_load, but if you have just %, then you have no idea what to load. Also, it is a common practice to omit the last argument, which is a variable, in order to correctly handle if no argument is given (e.g. display all elements).

Also, it might be a good idea to integrate this solution with Drupal's testing system.


I did a bit of research and wasn't able to find anything. Though I'm inclined to think there is a way to check path access through Drupal API as opposed to CURL - but please keep me updated on your progress / let me know if you would like help developing. This would be a great addition to the Drupal modules.
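An added example (not from the posts above or the linked module) of the API-based check the answers discuss, assuming Drupal 7: it reads paths from menu_router, evaluates only each route's access callback through menu_get_item() so no page callback runs, and lists wildcard paths separately for manual review. The function name path_lockdown_audit() is hypothetical.

```php
<?php
// Added example; assumes Drupal 7. path_lockdown_audit() is a hypothetical name.
function path_lockdown_audit($uid) {
  global $user;
  $account = user_load($uid);
  if (!$account) {
    return FALSE;
  }
  $original_user = $user;
  $original_save = drupal_save_session();
  // Keep the impersonated account out of the session if the request dies.
  drupal_save_session(FALSE);
  $user = $account;
  // menu_get_item() caches per path; drop results computed for another user.
  drupal_static_reset('menu_get_item');

  $report = array('allowed' => array(), 'denied' => array(), 'wildcard' => array());
  $error = NULL;
  try {
    $paths = db_query('SELECT path FROM {menu_router} ORDER BY path')->fetchCol();
    foreach ($paths as $path) {
      if (strpos($path, '%') !== FALSE) {
        // No real argument to substitute: list for manual review.
        $report['wildcard'][] = $path;
        continue;
      }
      // Evaluates the route's access callback only; the page callback never runs.
      $item = menu_get_item($path);
      $key = ($item && !empty($item['access'])) ? 'allowed' : 'denied';
      $report[$key][] = $path;
    }
  }
  catch (Exception $e) {
    $error = $e;
  }
  // Restore the real user and session handling before returning or rethrowing.
  $user = $original_user;
  drupal_save_session($original_save);
  drupal_static_reset('menu_get_item');
  if ($error) {
    throw $error;
  }
  return $report;
}
```

Running it once per role-representative account and comparing the 'allowed' lists shows which paths are still open to accounts that should not reach them.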
