Setting '#access' = FALSE in #after_build only hides the element; it does not protect it from being posted. The end user is still able to post data, i.e. manually alter the client-side code, insert <input type="text" id="edit-path-alias" name="path[alias]" value="" size="60" maxlength="255" class="form-text"> and post the data.
Example:

The code below sets the Path Alias #access to FALSE, yet you're still able to post a Path Alias by altering the client-side code.
<?php
// As reported: #access is set from an #after_build callback, so the
// element is only hidden in the rendered form while a submitted
// path[alias] value is still accepted.
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  if (empty($form['type']['#value'])) {
    return;
  }
  $form['#after_build'][] = 'mymodule_after_built';
}

function mymodule_after_built($form, &$form_state) {
  // Hides the Path Alias element in the rendered output only.
  $form['path']['#access'] = FALSE;
  return $form;
}
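The same restriction moved to where Drupal 7's form_builder() honours it, as an added example that is not the reporter's code: hook_form_alter() runs before submitted input is processed, so an element whose #access is FALSE falls back to its #default_value instead of taking the posted path[alias] value. The module name, the choice of the Path module's 'administer url aliases' permission as the policy, and the validation handler are assumptions.

```php
<?php
/**
 * Implements hook_form_alter().
 *
 * Hides the path alias field for users without the chosen permission.
 * The restriction is applied here, not in an #after_build callback:
 * hook_form_alter() runs before form_builder() processes submitted input,
 * and form_builder() ignores input for elements whose #access is FALSE
 * (the value falls back to #default_value), so a hand-crafted path[alias]
 * value in the POST body has no effect.
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  // Same guard as the original report: only act on node forms that carry
  // the Path module's alias element.
  if (empty($form['type']['#value']) || !isset($form['path']['alias'])) {
    return;
  }
  // Assumed policy: the Path module's 'administer url aliases' permission
  // decides who may set an alias.
  if (!user_access('administer url aliases')) {
    $form['path']['#access'] = FALSE;
    // Defence in depth: fail validation if the value still differs from the
    // stored alias, which can only happen if input slipped past #access.
    $form['#validate'][] = 'mymodule_alias_access_validate';
  }
}

/**
 * Form validation handler: reject an alias that arrived for a hidden field.
 */
function mymodule_alias_access_validate($form, &$form_state) {
  $default = isset($form['path']['alias']['#default_value'])
    ? $form['path']['alias']['#default_value'] : '';
  $submitted = isset($form_state['values']['path']['alias'])
    ? $form_state['values']['path']['alias'] : '';
  if ($submitted !== $default) {
    form_set_error('path][alias', t('You are not allowed to change the URL alias.'));
    watchdog('mymodule', 'Alias change rejected for a field hidden by #access (uid %uid).',
      array('%uid' => $GLOBALS['user']->uid), WATCHDOG_WARNING);
  }
}
```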
Comments

Comment #1 by timofey

Comment #2 by timofey

Comment #3 by dokumori

In form.inc, it says:
I tested this locally and can confirm a form element can indeed be injected by a client using tools such as FireBug, but it is designed this way. If a user doesn't have the privilege to edit a field whose content s/he is trying to alter, it won't let her/him edit the field content by injecting the HTML form element (tested with the Path module, as well as the Field Permissions module), so I don't see any security risk here.
Comment #4 by timofey

On the contrary, the description on the Forms API says:

To my knowledge, no other condition in which a form is set to #access = FALSE allows code injection on the client side by tools such as FireBug. For example, if you try setting #access = FALSE in hook_node_alter() or drupal_get_form(), it will not allow injections. #after_built is the only condition that allows code injection with #access = FALSE. I'm setting this to active for another opinion.