Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Drupl'Art suggests the following:
Consider $GLOBALS['user'] instead of global $user. [druplart_user]
The only explanation I have found [0]:
The global $user object is a source of security errors. Many a developer has accidentally overwritten or changed data on the global object, giving the current user more privileges than they deserve. Two simple patterns usually solve this problem: First, use $GLOBALS['user'] instead of $user. This simple change comes with a mindset that is read-only. Second, always name local variables that hold user data $account, never $user.
$GLOBALS['user'] is not read only, though. For instance, the following code modifies the user global:
// Modify global object: method 1.
$GLOBALS['user']->foo = 'bar';
// Modify global object: method 2.
$account = $GLOBALS['user'];
$account->foo = 'baz';
So, what is the value of this suggestion?
Comments
Comment #1
AohRveTPV CreditAttribution: AohRveTPV commentedComment #2
AohRveTPV CreditAttribution: AohRveTPV commentedI may see the purpose now: If you have a function that is working with a user object that is not the global user, you want to make sure it does not overwrite the global user.
Curious whether that is correct.
Comment #3
klausiCoder 7.x is frozen now and will not receive updates. Coder 8.x-2.x can be used to check code for any Drupal version, Coder 8.x-2.x also supports the phpcbf command to automatically fix conding standard errors. Please check if this issue is still relevant and reopen against that version if necessary.