Option to disable drupal session saving
| Project: | Drake :: Drupal-CakePHP bridge |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | reviewed & tested by the community |
I might code this since it is simple. But I want to make sure my thinking is sound.
Currently drake attempts to save off the current drupal session, which is going to be necessary for integrating pre-existing cakephp applications. I am not interested in doing that. I want to break out of drupal and use MVC for some more of the complex relationships I need to manage. Plus it gives me an opportunity to remain fairly independent of the CMS if in the future I want to move the application standalone or whatever. Using drake limits some of the possibilities that drupal provides, but I think in the long run it will allow me to develop some applications a lot faster. But there are certain things I want drupal to handle at the moment. For example,
app/views/errors/missing_controller.thtml
<?php
drupal_access_denied();
exit();
?>
or
In a controller:
function beforeFilter()
{
    global $user;
    // Deny access unless the current Drupal user has the 'Admin' role.
    if (!in_array('Admin', $user->roles)) {
        drupal_access_denied();
        exit();
    }
}
If you do this your session is lost. But if you don't exit then you get content.
So I'm thinking you could set your app to:
define('AUTO_SESSION', false);
And then not call:
_drake_dispatcher_initialize();
and
_drake_dispatcher_finalize();
respectively. We could just make it an admin option for each class, or actually just add it to the ini. Am I breaking any rules of good design?

#1
I second this.
I would take it a step further, however. Drake currently assumes that you are bridging to a Cake application that already exists on its own and lives somewhere in your apache web root. Seems like there are two kinds of applications that could be supported:
1. Stand-alone Cake app (current drake support). Strips html content and fixes paths for app URL and Drake URL, backs up drupal session, etc.
2. Integrated Cake module (no drake support). Could merge session data (i.e. don't destroy sessions), support different types of data (e.g. XML), doesn't need a cake URL.
#2
Yes, exactly, I am working on doing something in the second form you described. In fact I have been trying to creatively override functions to make my controller/model/view code function standalone. For example:
in app_controller.php:
<?php
function redirect($url, $status = null)
{
    if (defined('DRAKE'))
    {
        $drakeCallable =& Drake::getInstance();
        parent::redirect($drakeCallable->getUrl() . $url, $status);
        exit;
    } else {
        parent::redirect($url, $status);
    }
}
?>
So in the future I can remove the functionality if I want to. I am not claiming to be an expert at this, but I will post what I have once I have worked on it sufficiently. As for now I just commented out the session handling stuff, and have this in app_controller.php:
<?php
function beforeRender() {
    if (!defined('DRAKE')) {
        $this->log("We don't talk to you unless you are coming from drake.");
        exit();
    } else {
        watchdog('drake','beforeRender'); // Just for testing..
    }
}
?>
#3
Here's a patch for disabling. It accepts an additional drake.ini parameter `session`. Set to true|false whether or not you want to keep Drupal's session alive.
For my site, I have...
drake.ini:
session = true
For Cake, I set AUTO_SESSION constant to false in app/config/core.php
Works like a charm for me.
Note: This new session parameter in drake.ini is optional, making this patch backwards-compatible.
#4
patch missing
#5
patch missing
#6
Here's the patch...drupal.org was timing out for me earlier.
#7
As you can see I had timeout issues too.
Yep this patch works great. Basically what I have been doing but without the nice configuration. Thanks.
#8
Hi people, I've tried this patch to see if it helps what I'm trying to accomplish - which is to restrict access to drake according to the currently logged in drupal user role. But it doesn't quite work properly.
I have the following filter in my app_controller.php as well:
function beforeFilter(){
    // Ensure this is the drupal administrator. No-one else is allowed in
    global $user;
    if (!isset($user)) {
        exit();
    }
    if (!in_array('drake admin', $user->roles, true)) {
        drupal_access_denied();
        exit();
    }
}
Firstly I get a swag of php warnings / errors at the top of every drake page (this is a small subset):
Warning (512): Duplicate entry '' for key 1query: UPDATE cl_sessions SET sid = '' WHERE sid = 'drake_f800fd4b98e54565cdf02a77d7abc636' [/home/.....]
Notice (8): Undefined index: q [/home/public_html/includes/path.inc, line 206]
Notice (8): Undefined index: q [/home/public_html/modules/block/block.module, line 665]
Notice (8): Undefined index: q [/home/public_html/modules/block/block.module, line 669]
Notice (8): Undefined index: value-type [/home/public_html/modules/views/views.module, line 972]
So in trying to remove those I set cakephp's debug level to 0, but then the app just presents a blank page at the /drake url. I believe this is a known bug, as the app homepage uses the debugger object:
http://www.mail-archive.com/cake-php@googlegroups.com/msg27353.html
So then in trying to get around that I used Drake's "Get a Drake URL" which gives me a url something like http://127.0.0.1/drake?run=%2Fcontroller.
I believe this is a gaping security hole because anyone can access a controller using that url and the beforeFilter() in my app_controller.php seems to have no effect. Both logged in and anonymous drupal users can get to the drake app using a url like that if they know or can guess the name of a controller.
Can someone help me out here? Am I going in the right direction or should I try a different approach?
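A stand-alone sketch of the role gate that the beforeFilter() checks in this thread are aiming for, added here as an example (it is not code from Drake or from any poster). It shows why the negation has to wrap in_array() rather than the role name, and how the check fails closed when no user object is available. The function names and sample users are constructed for illustration; the 'drake admin' role name is taken from the post above.

```php
<?php
// Added example: runs without Drupal or CakePHP.
// Constructed users; in Drupal 5, $user->roles maps role id => role name.
$users = array(
    'anonymous' => (object) array('uid' => 0, 'roles' => array(1 => 'anonymous user')),
    'editor'    => (object) array('uid' => 7, 'roles' => array(2 => 'authenticated user')),
    'admin'     => (object) array('uid' => 3, 'roles' => array(2 => 'authenticated user',
                                                               4 => 'drake admin')),
    'missing'   => null, // $user never populated, e.g. the session was lost
);

// Negation applied to the needle: !$role is boolean false, so this asks
// "is false in the role list?". Role names are non-empty strings, so the
// answer is always no, the deny branch is never taken, and the gate fails open.
function deny_misplaced_negation($user, $role) {
    return in_array(!$role, $user ? $user->roles : array());
}

// Negation applied to the result, strict comparison, and deny by default
// when there is no usable user object to inspect.
function deny_fail_closed($user, $role) {
    if (!is_object($user) || !isset($user->roles) || !is_array($user->roles)) {
        return true;
    }
    return !in_array($role, $user->roles, true);
}

// Print the decision each variant makes for every constructed user.
foreach ($users as $name => $user) {
    printf("%-10s misplaced: %-5s  fail-closed: %s\n",
        $name,
        deny_misplaced_negation($user, 'drake admin') ? 'deny' : 'allow',
        deny_fail_closed($user, 'drake admin') ? 'deny' : 'allow');
}
```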
#9
mr.j, did you ever figure out a solution? I'm embarking on a project where I'm using Drake and I will want only Drupal admins to be able to access the cakephp pages I'm building.
Anyone have any ideas?
Paul
#10
No I ended up implementing a simple cake-based authentication and divorced cake from drupal.
I don't actually use drake anymore.