如何使用 hook_menu_alter() 操作路径访问控制

发布于 2024-10-19 10:47:28 字数 654 浏览 5 评论 0原文

/**
 * Implementation of hook_menu_alter().
 */
function joke_menu_alter(&$callbacks) {
  // If the user does not have 'administer nodes' permission,
  // disable the joke menu item by setting its access callback to FALSE.
  if (!user_access('administer nodes')) {
    $callbacks['node/add/joke']['access callback'] = FALSE;
    // Must unset access arguments or Drupal will use user_access()
    // as a default access callback.
    unset($callbacks['node/add/joke']['access arguments']);
  }
}

以上功能来自drupal pro开发。我不太明白。为什么必须取消设置访问参数 (unset($callbacks['node/add/joke']['access argument']);)？

谢谢。

原文

/**
 * Implementation of hook_menu_alter().
 */
function joke_menu_alter(&$callbacks) {
  // If the user does not have 'administer nodes' permission,
  // disable the joke menu item by setting its access callback to FALSE.
  if (!user_access('administer nodes')) {
    $callbacks['node/add/joke']['access callback'] = FALSE;
    // Must unset access arguments or Drupal will use user_access()
    // as a default access callback.
    unset($callbacks['node/add/joke']['access arguments']);
  }
}

The above function is from the pro development drupal. I can't understand it well. Why must I unset the access arguments (unset($callbacks['node/add/joke']['access arguments']);)?

Thank you.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

鱼窥荷 2024-10-26 10:47:28

整个例子看起来很糟糕而且很糟糕。简而言之，一个笑话。首先，让我回答你的问题，然后我将继续解释为什么你不应该在实践中遵循这个例子。

来自 includes/menu.inc：

if (!isset($item['access callback']) && isset($item['access arguments'])) {
  // Default callback.
  $item['access callback'] = 'user_access';
}

当您不再需要访问回调时取消它们（毕竟现在依赖于布尔值）可以防止 Drupal 路由系统中过于聪明的逻辑在 中发生错误user_access() 只是为了让它有事可做。

现在，我们来看看为什么这是糟糕的代码。

hook_menu() 和 hook_menu_alter() 都在缓存清除时运行（更具体地说，当重建菜单路由系统时）。这意味着访问该站点以重建菜单的用户的权限将被硬编码到菜单路由行为中。这是一个非常糟糕且不一致的安排。

如果您想根据权限阻止对路径的访问，则需要将回调更改为将测试该权限的回调。然后，当重建菜单时，它将检查每个页面加载的新回调函数，以查看是否应授予当前用户权限。

一个简单的例子可能如下所示：

/**
 * Implementation of hook_menu_alter().
 */
function joke_menu_alter(&$items) {
  $items['node/add/joke']['access callback'] = 'user_access';
  $items['node/add/joke']['access arguments'] = array('administer nodes');
}

现在我们有一个函数，它采用节点/添加/笑话路径并声明唯一重要的是用户是否有管理节点 权限。当然，这比示例的明显意图要有限一些，示例是保留现有的访问控制，但也要求用户具有管理节点权限。

这也是可以修复的，但更复杂。借用 Spaces 项目的一些概念：

/**
 * Implementation of hook_menu_alter().
 */
function joke_menu_alter(&$items) {
  $path = 'node/add/joke';
  $items[$path]['access arguments'][] = $items[$path]['access callback'];
  $items[$path]['access callback'] = 'joke_menu_access';
}

function joke_menu_access() {
  $args = func_get_args();
  $access_callback = array_pop($args);
  $original_access = call_user_func_array($access_callback, $args);
  return $original_access && user_access('administer nodes');
}

我们已成功将原始访问回调包装在新的访问回调中，我们可以在其中添加我们需要任何额外的逻辑。

请注意，在最后两个函数示例中，我使用了 $path 变量来保持代码简单。我还将 $original_access 分离到它自己的行并首先检查它，实际上我会首先检查 user_access() 因为它几乎肯定会比在原始访问回调。

That entire example seems broken and bad. In short, a joke. First, let me answer your question, then I'll go on to explain why you shouldn't follow that example in practice.

From includes/menu.inc:

if (!isset($item['access callback']) && isset($item['access arguments'])) {
  // Default callback.
  $item['access callback'] = 'user_access';
}

Unsetting the access callbacks when you no longer need them (relying on a boolean now, after all) prevents the over-clever logic in Drupal's routing system from slapping in user_access() just so it has something to do.

Now, on to why that's bad code.

hook_menu() and hook_menu_alter() are both run on cache clear (more specifically when the menu routing system is rebuilt). This means that the permissions of whichever user hits the site to rebuild the menus will be hard-coded into menu routing behaviors. This is a very bad and inconsistent arrangement.

If you want to block access to a path based on a permission, you need to change the callback to something that will test for that permission. Then when the menu is rebuilt, it will check the new callback function per page load to see if the current user should be granted permission.

A simple example of this might look like:

/**
 * Implementation of hook_menu_alter().
 */
function joke_menu_alter(&$items) {
  $items['node/add/joke']['access callback'] = 'user_access';
  $items['node/add/joke']['access arguments'] = array('administer nodes');
}

Now we have a function which takes the node/add/joke path and declares that the only thing that matters is whether or not the user has administer nodes permission. Of course, that's a little more limited than the apparent intentions of the example, which were to preserve the existing access controls, but also require the user to have administer nodes permission.

That is also fixable, but is more complicated. To borrow some concepts from the Spaces project:

/**
 * Implementation of hook_menu_alter().
 */
function joke_menu_alter(&$items) {
  $path = 'node/add/joke';
  $items[$path]['access arguments'][] = $items[$path]['access callback'];
  $items[$path]['access callback'] = 'joke_menu_access';
}

function joke_menu_access() {
  $args = func_get_args();
  $access_callback = array_pop($args);
  $original_access = call_user_func_array($access_callback, $args);
  return $original_access && user_access('administer nodes');
}

We have successfully wrapped the original access callback in a new access callback, to which we can add whatever additional logic we need.

Note that in the last two function examples, I used the $path variable to keep the code simple. I also separated $original_access to it's own line and had it checked first, in practice I would check user_access() first as it would almost certainly be more performant than whatever happens in the original access callback.

回复收藏 0 原文