Drupal access control list
To make sure my site is secure and all the permissions are set correctly, I am looking for a way to generate a list of every page that a specific user has access to. (So... every menu callback where user_access() returns TRUE for a given uid).
Something that would look like this:
$user->uid == 0
Home
Photos
Contact Us
$user->uid = 23
Home
Photos
Contact Us
Forum
Blog
etc.
Comments (1)
This is not really feasible in Drupal, as there are no real pages from a System perspective, only callback functions taking arguments. To clarify, think of the standard path for node pages:
This will accept an arbitrary integer for [nid] and then the callback function for the node/% path will try to find a node with a matching id - it is only after looking for it that Drupal 'knows' if the page actually exists. The same is true for all other paths, so basically you are looking at an (almost) unlimited number of potential pages, with no way to know, short of testing the paths, if they actually 'exist' or end in a 404.
What you could do is take a look at the menu_router table. There you'll find all the registered paths, along with their callback and access_callback functions. For those you could do the checking per user, but the result would be hard to interpret, as the paths are plenty and will contain many placeholders.
A similar option exists if you use URL-Aliases/pathauto. Then you could take the url_alias table and do the check for all the entries in there. But since you are interested in securing your site, this will not really help, as you would miss any path that does not have an alias - and as said above, these are countless.
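One way to run the menu_router check described in the answer above, as an added example that is not part of the original question or answer. It assumes Drupal 7 with a full bootstrap (for instance through `drush php-script`); `audit_router_access()` is a hypothetical name, and uid 23 is the sample uid from the question.

```php
<?php
// Added example; assumes Drupal 7 is fully bootstrapped before this runs.

/**
 * Sorts every registered router path into: allowed for the account, denied
 * for the account, or undecidable without concrete arguments (placeholders).
 * audit_router_access() is a hypothetical helper name.
 */
function audit_router_access($uid) {
  global $user;
  $report = array('allowed' => array(), 'denied' => array(), 'needs_arguments' => array());

  $account = ($uid == 0) ? drupal_anonymous_user() : user_load($uid);
  if (!$account) {
    throw new InvalidArgumentException('No such user: ' . $uid);
  }

  // Evaluate access as the audited account, without writing to the session.
  $original_user = $user;
  $original_save = drupal_save_session();
  drupal_save_session(FALSE);
  $user = $account;
  // menu_get_item() caches results per path; clear results from other users.
  drupal_static_reset('menu_get_item');

  try {
    $paths = db_query('SELECT path FROM {menu_router} ORDER BY path')->fetchCol();
    foreach ($paths as $path) {
      if (strpos($path, '%') !== FALSE) {
        // e.g. node/%: access depends on the object loaded for the argument.
        $report['needs_arguments'][] = $path;
        continue;
      }
      $item = menu_get_item($path);
      $report[($item && $item['access']) ? 'allowed' : 'denied'][] = $path;
    }
  }
  catch (Exception $e) {
    $failure = $e;
  }

  // Always restore the real user before returning or rethrowing.
  $user = $original_user;
  drupal_save_session($original_save);
  drupal_static_reset('menu_get_item');
  if (isset($failure)) {
    throw $failure;
  }
  return $report;
}

print_r(audit_router_access(23));
```

The `needs_arguments` bucket is the part the answer warns about: those paths can only be judged by testing them with real ids, so the report covers route-level access, not every page.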