I needed to have the user's form exposed to pageroute, and it was relatively easy to do with this add-on right at the end of the module. (It can probably be roped off in a *.inc too, if desired.)

/**
 * Pageroute integration
 */

/*
 * Implementation of hook_form() and hook_form_submit() as wrapper functions
 * TO DO: implement hook_form_validate() too
 */
function user_mailman_register_form($account=false) {
  $form = _user_mailman_register_form($account);
  $form['user_mailman_register']['uid'] = array(
    '#type' => 'value',
    '#value' => $account->uid,
  );
  return $form;
}

function user_mailman_register_form_submit($form_id, $form_values) {
  $account = user_load(array('uid' => $form_values['uid']));
  _user_mailman_register_subscribe($account, $form_values);
}

/*
 * Implementation of hook_pageroute_info().
 */
function user_mailman_register_pageroute_info() {
  return array(
    'form_view' => array('name' => t('User Mailman Registrations'), 'base' => 'user_mailman_register', 'default_target' => PAGEROUTE_FORWARD),
  );
}

/*
 * Implementation of pageroutes' hook_page()
 */
function user_mailman_register_page_form_view($route, $page, $form) {
  $account = user_load(array('uid' => pageroute_page_get_uid($page, 'access user_mailman_register')));
  $form['page_form'] = array(
    '#type' => 'subform',
    '#id' => 'user_mailman_register_form',
    '#arguments' => array($account),
    '#data_separation' => FALSE,
  );
  return $form;
}

Comments

samuelet

I don't know pageroute, or whether the Drupal internal mechanism can manage it, but it seems to me that there could be a security issue with this patch.

function user_mailman_register_form($account=false) {
  $form['user_mailman_register']['uid'] = array(
    '#type' => 'value',
    '#value' => $account->uid,
.....
function user_mailman_register_form_submit($form_id, $form_values) {
  $account = user_load(array('uid' => $form_values['uid']));

....
function user_mailman_register_page_form_view($route, $page, $form) {
  $account = user_load(array('uid' => pageroute_page_get_uid($page, 'access user_mailman_register')));
.....

The user id value is retrieved from a hidden form value. In this way, if Drupal does not perform additional validation, then every user with the 'access user_mailman_register' permission could spoof it and change (or retrieve) the subscription status of another user.
I'd like to have more info about this before including it in the UMR release.
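
A server-side check that keeps the submit path safe however the uid reaches it, given as an added example that is not part of the posted module or of this thread: both the validate and the submit handler confirm that the acting user may edit the target account. It assumes Drupal 5 core functions (matching the handler signatures in the post); `_umr_example_may_edit()` and the rule that editing another account requires core's 'administer users' permission are hypothetical choices.

```php
<?php
// Added example (not the module's own code). Drupal 5 style handlers,
// matching the ($form_id, $form_values) signatures used in the post.

/**
 * Hypothetical helper: may $actor change subscriptions for $target_uid?
 * Assumed policy: own account, or any account with 'administer users'.
 */
function _umr_example_may_edit($actor, $target_uid) {
  $target_uid = (int) $target_uid;
  // Reject anonymous/invalid targets and actors lacking the module permission.
  if ($target_uid <= 0 || !user_access('access user_mailman_register', $actor)) {
    return FALSE;
  }
  return $actor->uid == $target_uid || user_access('administer users', $actor);
}

/**
 * Validate handler (the TO DO in the post): refuse a uid the actor may not edit.
 */
function user_mailman_register_form_validate($form_id, $form_values) {
  global $user;
  if (!_umr_example_may_edit($user, $form_values['uid'])) {
    form_set_error('uid', t('You are not allowed to change subscriptions for this account.'));
  }
}

/**
 * Submit handler: repeat the check before acting, so the subscription change
 * never depends on validation having run, and log refused attempts.
 */
function user_mailman_register_form_submit($form_id, $form_values) {
  global $user;
  $target_uid = (int) $form_values['uid'];
  if (!_umr_example_may_edit($user, $target_uid)) {
    watchdog('user_mailman_register', t('Refused subscription change for uid @target requested by uid @actor.', array('@target' => $target_uid, '@actor' => $user->uid)), WATCHDOG_WARNING);
    return;
  }
  // user_load() returns FALSE for an unknown uid; do nothing in that case.
  $account = user_load(array('uid' => $target_uid));
  if ($account) {
    _user_mailman_register_subscribe($account, $form_values);
  }
}
```

The watchdog entries give site administrators a record of refused attempts to review.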

rjlang

Status: Needs review » Closed (outdated)

Sorry, no further changes will happen on versions 5.x and 6.x.