Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Go through module by module, searching for cases where permissions are checked once before a menu callback is registered and again when the callback is activated, and consolidate these access checks. At the same time, refactor former _page and _admin hooks to multiple functions where it helps code legibility, and reduce the usage of arg() in favor of meaningfully-named callback parameters.
Comment | File | Size | Author |
---|---|---|---|
#32 | comment_3.patch | 91.17 KB | JonBob |
#29 | admin.patch | 1.18 KB | JonBob |
#27 | user-watchdog.patch | 143.02 KB | JonBob |
#26 | throttle-title-tracker.patch | 27.39 KB | JonBob |
#25 | comment-search-system-taxonomy.patch | 232.08 KB | JonBob |
Comments
Comment #1
JonBob CreditAttribution: JonBob commentedThe attached patch demonstrates the refactoring approach on statistics.module.
- The _admin() hook is removed.
- Usages of
to print titles have been replaced by proper drupal_set_title() calls.
- Many arg() usages dropped in favor of meaningful parameters.
- Doxygen comments standardized and expanded.
- Some grammatical corrections to help text.
- Broken /statistics page linked from page navigation restored.
- Fixed small bug in menu.inc pertaining to menu callbacks without arguments.
Please comment on and/or commit the patch before I work on more modules. If/when the patch is committed, reset status to "active" to await patches on more modules.
Comment #2
moshe weitzman CreditAttribution: moshe weitzman commentedgreat patch. here are 2 nits:
- a comment like 'implementation of the hook_help()' is not useful IMO. I'm not sure I like the text 'menu callback' sprinkled over various functions but it does communicate some non-obvious info, i suppose
- instead of:
case 'admin/logs/access':
case 'admin/logs/access/node':
case 'admin/logs/access/user':
case 'admin/logs/access/host':
use the following:
case strstr($section, 'admin/logs/access'):
Comment #3
JonBob CreditAttribution: JonBob commented- a comment like 'implementation of the hook_help()' is not useful IMO.
This comment is extremely useful for developers who are not intimately aware of what hooks exist. In addition, it adds a link in Doxygen to the specification of hook_help(), so this saves commenting what the heck the $section parameter does here; instead, you can just follow the link and read up on the hook usage.
- instead of:
case 'admin/logs/access':
case 'admin/logs/access/node':
case 'admin/logs/access/user':
case 'admin/logs/access/host':
use the following:
case strstr($section, 'admin/logs/access'):
Good point. Not my code, though. :-) Actually, now that I look at it, the last three cases will never be true, since the help system is activated only on exact path matches. Should this be extended to search for a registered menu item, as is done for page callbacks?
Comment #4
Dries CreditAttribution: Dries commentedGreat patch. Thanks JonBob. I committed it and set the status of this report to 'active' as per your request.
I'm not sure the help system itself should be expanded. I'll give it some thought, and encourage others to do the same. I also wonder when (and why/how) these help texts stopped working.
Keep it coming.
Comment #5
JonBob CreditAttribution: JonBob commentedSimilar improvements for story and blog modules.
Also fixes a bug in menu.inc's handling of MENU_FALLTHROUGH for denied-access parent items, made apparent by yesterday's statistics patch.
Comment #6
ax CreditAttribution: ax commentedthe "menu.inc's handling of MENU_FALLTHROUGH for denied-access parent items" bug fix unfortunately doesn't seem to fix the statistics.module: menu bug :(
Comment #7
ax CreditAttribution: ax commentedhm - and this is not all :( ... on a fresh install w/ forum.module enabled and anonymous users having "create forum topics" rights, i get this menu:
* forum topic
* recent posts
* external referrers only
* internal referrers only
where "forum topic" is "node/add/forum" and should be below "create content" - but latter doesn't appear at all.
these bugs make current CVS actually unusable. i had to rollback to before the configurable menus patch to make my site work properly.
Comment #8
JonBob CreditAttribution: JonBob commentedThe #1 patch in this thread introduced the problem with statistics.module; the "comment #5" patch (not yet applied to HEAD) fixes the underlying error in menu.inc. Are you seeing this bad behavior after applying the #5 patch yourself? I can not reproduce it here.
The "create forum topics" issue is that if a user has the "create forum topics" permission, you should also grant them the "create content" permission. My story and blog patches (also part of #5) change the "create" links to use MENU_FALLTHROUGH, which obviates the problem; a future patch will do the same for forum.module. Again, this relies on the menu.inc changes in the #5 patch.
Comment #9
ax CreditAttribution: ax commented> The #1 patch in this thread introduced the problem with
> statistics.module; the "comment #5" patch (not yet applied to HEAD)
> fixes the underlying error in menu.inc. Are you seeing this bad
> behavior after applying the #5 patch yourself?
yes - the patch doesn't seem to change anything. this is the menu my anonymous users get:
* forum topic [should be under "create content"]
* recent posts
* submission queue
* news aggregator
* external referrers only [should be visible at all]
* internal referrers only [should be visible at all]
my anonymous users have these right:
access comments, access content, access news feeds, access statistics, access submission queue, access user list, create forum topics, moderate comments, post comments, post comments without approval, search content, vote on polls
> I can not reproduce it here.
maybe you should try a fresh install as well.
> The "create forum topics" issue is that if a user has the "create
> forum topics" permission, you should also grant them the "create
> content" permission. My story and blog patches (also part of #5)
> change the "create" links to use MENU_FALLTHROUGH, which obviates the
> problem; a future patch will do the same for forum.module. Again,
> this relies on the menu.inc changes in the #5 patch.
there is no "create content" permission. even if there was, you cannot require the admin to check certain permissions to make the menu works properly.
Comment #10
JonBob CreditAttribution: JonBob commentedSorry for thinking you were on crack.
There is an off-by-one error that caused the "create content" menu item not to show up if the user could only create one kind of content. This is not a regression, but a previously-uncaught bug. The attached patch fixes this.
A typo in my bug fix for MENU_FALLTHROUGH caused the bad statistics.module behavior only when certain permissions were set, which is why I was unable to reproduce it.
The attached patch supersedes #5, which has not yet been applied.
Comment #11
Dries CreditAttribution: Dries commentedThe 'fall-through path' looks pretty complex to me. Do we really need this? WHy can't we pass the same handler twice?
Comment #12
Dries CreditAttribution: Dries commentedI committed your patch because it fixes important bugs, yet I'd like to re-evaluate the MENU_FALLTHROUGH code ...
Comment #13
JonBob CreditAttribution: JonBob commentedPatch for book, forum, page, and poll modules attached.
It is possible to not use fallthroughs, but note that there is a semantic difference between this and using the same handler multiple times.
For an example, take a look at the links made to statistics_top_refer(). In order to pass "internal" as a parameter to the function when accessing admin/logs/referrer/internal, this path is registered as a fallthrough. Without this approach, we either need separate functions for the internal and external logs, or the function needs to use arg() to inspect the path directly. The fallthrough allows us to encapsulate the menu structure entirely inside the _link() hooks, and remove knowledge of the paths from the callbacks.
Another approach would be to use a variation of http://drupal.org/node/view/5219 to pass an argument in explicitly.
I'm quite willing to investigate other approaches; there are only a few instances of MENU_FALLTHROUGH being used, and they are obviously easy to find and change later if desired. I still feel at this point that *not* re-registering the callback is most transparent; these links are really "shortcuts" to an already-defined page, not new pages themselves.
Comment #14
Dries CreditAttribution: Dries commentedCommitted to HEAD and marking this report 'active' again. Thanks again, JonBob.
I'll give the fall-through issue some more thought. There is nothing wrong with it, except that the menu system is getting quite complex (but powerful).
Comment #15
JonBob CreditAttribution: JonBob commentedPatch for admin, aggregator, archive, and block modules.
Comment #16
Dries CreditAttribution: Dries commentedCommitted. Once more, thanks again!
Comment #17
JonBob CreditAttribution: JonBob commentedPatch for blogapi and comment modules. The comment module will be done in multiple phases; it is a large and complex beast, and I want to be very careful (same for node.module when I get to that).
Comment #18
(not verified) CreditAttribution: commentedThe book.module patch introduced a $nid parameter to book_admin() where it had none before.
Comment #19
JonBob CreditAttribution: JonBob commentedYes, it does... the $nid parameter is passed in from the URL as part of the menu refactoring instead of using arg(). Is this causing an error somewhere? The next patch (after the blogapi one goes in) will add a default value of 0 for this parameter which should make it safe for backwards compatibility.
Comment #20
Dries CreditAttribution: Dries commentedI committed the blogapi.module part of your patch. I'd like to postpone the comment.module part a few days until the 'anonymous commenter' support has hit HEAD.
Comment #21
JonBob CreditAttribution: JonBob commentedPatch for drupal, filter, and help modules.
This patch also changes some punctuation from comments in earlier patches to better accommodate Doxygen's indexing, and adds a default to book_admin() as mentioned above.
Comment #22
Dries CreditAttribution: Dries commentedCommitted to HEAD. Thanks again.
Comment #23
JonBob CreditAttribution: JonBob commentedPatch for menu, path, and ping modules.
Comment #24
Dries CreditAttribution: Dries commentedCommitted to HEAD. Once again, thanks a bunch. Keep it coming Jonathan. :-)
Comment #25
JonBob CreditAttribution: JonBob commentedMore of the same.
Comment #26
JonBob CreditAttribution: JonBob commentedThree more. (This patch is independent of #25; they can be applied in either order.)
Comment #27
JonBob CreditAttribution: JonBob commentedUser and watchdog modules.
Comment #28
Dries CreditAttribution: Dries commentedCommitted to HEAD. I still have to commit the comment-search-system-taxonomy.patch one though. I'll get to that one soon.
Comment #29
JonBob CreditAttribution: JonBob commentedRegression fix due to interaction between admin.module and watchdog.module. Reported by Morbus.
Comment #30
Dries CreditAttribution: Dries commentedCommitted to HEAD. Thanks.
Comment #31
Dries CreditAttribution: Dries commentedComment #32
JonBob CreditAttribution: JonBob commentedUnapplied chunks of the patch, cleaned up and synced to current HEAD. Should be able to commit it now that anonymous comment support has landed.
Comment #33
Kjartan CreditAttribution: Kjartan commentedCommitted.
Comment #34
JonBob CreditAttribution: JonBob commentedWork on this is completed for now (at least until other menu work is concluded). Further work to be done in new issues.