Insufficient or Incorrect Menu Access

The hook_menu examples you looked at in the last section show how to correctly use the access callback and access arguments attributes, but module developers do occasionally get these wrong. This has particularly been a problem in the upgrade from Drupal 5.x to 6.x, where the menu system changed a bit.

For 5.x, the menu definition would include the function and arguments for the path as a single array element for the access parameter:

'access' => user_access('uninstall plugins'),

As of Drupal 6.x, there are two significant changes:

First, menus no longer inherit security from a parent menu item, so they must be set explicitly. An addition to Drupal core early in the 6.x life cycle ensured that all menu items define their own access to secure against missing definitions.

Second, they are split apart from the one access element into the two elements for callback and arguments. A developer who doesn't pay close attention here is likely to make a mistake like this:

'access callback' => user_access('uninstall plugins'),

Instead the code should be upgraded as:

'access arguments' => array('uninstall plugins'),

A quick search through the contributed modules on your site may reveal weaknesses like this. You can quickly check them by logging out of your site and then visiting the page defined by that menu item as an anonymous user or as a user with lower privileges than should be necessary for the item. If you gain access to the page when logged out, then it is a weakness. In Chapter 9, you will learn more about how to search for weaknesses, and in Chapter 10, you will see how to properly report them.
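The "quick search through the contributed modules" can be scripted. The following shell check is an added example, not code from the book or from Drupal; it greps a module tree for the two upgrade mistakes above (the `user_access()` call placed in `'access callback'`, and a leftover 5.x `'access'` key) and builds a constructed sample module with hypothetical names so it can be run offline. The reason the first pattern is dangerous is that `user_access()` is evaluated once, when the menu is rebuilt, and its boolean result rather than a function name is what gets stored, so the item is open to everyone (or to no one) regardless of who visits.

```shell
# Added example (not from the book): static check for the hook_menu() access
# mistakes described above, run over a module tree such as sites/all/modules.
#   [bad callback] 'access callback' => user_access(...)
#       evaluated once at menu rebuild; the boolean result is stored in place
#       of a callback name, so the check no longer depends on the visitor.
#   [5.x key]      'access' => ...
#       the Drupal 5.x key, ignored by the 6.x menu system.
scan_menu_access() {
  dir="$1"
  grep -rnE "'access callback'[[:space:]]*=>[[:space:]]*user_access[[:space:]]*\(" \
    --include='*.module' --include='*.inc' "$dir" | sed 's/^/[bad callback] /'
  grep -rnE "^[[:space:]]*'access'[[:space:]]*=>" \
    --include='*.module' --include='*.inc' "$dir" | sed 's/^/[5.x key]      /'
  return 0
}

# Number of findings; 0 means the tree is clean for these two patterns.
count_menu_access_findings() {
  scan_menu_access "$1" | grep -c . || true
}

# Constructed sample module (hypothetical module and path names) holding one
# of each mistake plus a correct item, written to a temp dir for offline runs.
make_sample_module() {
  d=$(mktemp -d)
  mkdir -p "$d/example_mod"
  cat > "$d/example_mod/example_mod.module" <<'EOF'
<?php
function example_mod_menu() {
  $items['admin/example/bad'] = array(
    'page callback' => 'example_mod_page',
    'access callback' => user_access('uninstall plugins'),   // mistake
  );
  $items['admin/example/old'] = array(
    'page callback' => 'example_mod_page',
    'access' => user_access('uninstall plugins'),            // 5.x leftover
  );
  $items['admin/example/good'] = array(
    'page callback' => 'example_mod_page',
    'access arguments' => array('uninstall plugins'),        // correct form
  );
  return $items;
}
EOF
  echo "$d"
}
```

Run `scan_menu_access sites/all/modules` on a real site; each hit still needs the manual log-out test described above, since the grep only finds the textual pattern.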
