4.5. Common Mistakes with Users and Permissions

Now that you understand how to create and check permissions properly, let's look at some common mistakes related to permissions. Many of the problems that exist in Drupal are commonly repeated mistakes. Sometimes the code is simply copied from one module to another. In other cases people make the same incorrect assumptions about the way the code works. By highlighting these common mistakes, it should be easier for you to avoid both these examples and other problems in other situations:

  • You will learn about a common mistake in creating menu items and upgrading modules from Drupal 5.x to 6.x.

  • You'll learn how improper use of the permission system can lead to a misconfigured site.

  • You'll learn about a common mistake with the function for sending users an access-denied page.

  • You'll see how Drupal code can perform actions as different users without accidentally creating a privilege escalation.

4.5.1. Insufficient or Incorrect Menu Access

The hook_menu examples you looked at in the last section show how to correctly use the access callback and access arguments attributes, but module developers do occasionally get these wrong. This has particularly been a problem in the upgrade from Drupal 5.x to 6.x, where the menu system changed a bit.

For 5.x, the menu definition would include the function and arguments for the path as a single array element for the access parameter:

'access' => user_access('uninstall plugins'),

As of ...
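The following check is an added example, not code from the book: it scans a 6.x hook_menu() array for access definitions that look like 5.x leftovers, going slightly beyond the single 'access' line shown above. The function name, paths, and page callbacks are hypothetical, and the sample array is constructed.

```php
<?php
// Added example (not from the book). Module name, paths and page callbacks
// are hypothetical.

/**
 * Flags access definitions in a Drupal 6 hook_menu() array that look like
 * leftovers from a 5.x module.
 */
function example_audit_menu_access(array $items) {
  $findings = array();
  foreach ($items as $path => $item) {
    // 5.x key: holds the result of user_access(), not a callback name.
    if (array_key_exists('access', $item)) {
      $findings[] = "$path: 5.x 'access' key; use 'access callback' and 'access arguments'";
    }
    // A boolean here is a fixed answer, identical for every user.
    if (isset($item['access callback']) && is_bool($item['access callback'])) {
      $findings[] = "$path: 'access callback' is a constant, not a function name";
    }
    // Arguments must be an array that is passed to the callback.
    if (isset($item['access arguments']) && !is_array($item['access arguments'])) {
      $findings[] = "$path: 'access arguments' must be an array";
    }
  }
  return $findings;
}

// Constructed sample: what a hook_menu() return value could look like.
$items = array(
  // Carried over from 5.x; TRUE stands in for an evaluated user_access() call.
  'admin/example/uninstall' => array(
    'title' => 'Uninstall plugins',
    'page callback' => 'example_uninstall_page',
    'access' => TRUE,
  ),
  // 6.x form using the two attributes named in the text.
  'admin/example/list' => array(
    'title' => 'List plugins',
    'page callback' => 'example_list_page',
    'access callback' => 'user_access',
    'access arguments' => array('uninstall plugins'),
  ),
);

foreach (example_audit_menu_access($items) as $finding) {
  print $finding . "\n";
}
```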
