Integration with pageroute module
sbandyopadhyay - January 30, 2009 - 06:05
| Project: | User mailman register |
| Version: | 5.x-1.4 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs review |
Description
I needed to have the user's form exposed to pageroute, and it was relatively easy to do with this add-on right at the end of the module. (It can probably be roped off in a *.inc too, if desired.)
<?php
/**
 * Pageroute integration
 */

/**
 * Implementation of hook_form() and hook_form_submit() as wrapper functions.
 * TO DO: implement hook_form_validate() too.
 */
function user_mailman_register_form($account = FALSE) {
  $form = _user_mailman_register_form($account);
  // Carry the target account's uid through the form so the submit
  // handler can reload the account.
  $form['user_mailman_register']['uid'] = array(
    '#type' => 'value',
    '#value' => $account->uid,
  );
  return $form;
}

function user_mailman_register_form_submit($form_id, $form_values) {
  $account = user_load(array('uid' => $form_values['uid']));
  _user_mailman_register_subscribe($account, $form_values);
}

/**
 * Implementation of hook_pageroute_info().
 */
function user_mailman_register_pageroute_info() {
  return array(
    'form_view' => array(
      'name' => t('User Mailman Registrations'),
      'base' => 'user_mailman_register',
      'default_target' => PAGEROUTE_FORWARD,
    ),
  );
}

/**
 * Implementation of pageroute's hook_page().
 */
function user_mailman_register_page_form_view($route, $page, $form) {
  // Resolve the account this pageroute page is acting on, subject to the
  // 'access user_mailman_register' permission.
  $account = user_load(array('uid' => pageroute_page_get_uid($page, 'access user_mailman_register')));
  $form['page_form'] = array(
    '#type' => 'subform',
    '#id' => 'user_mailman_register_form',
    '#arguments' => array($account),
    '#data_separation' => FALSE,
  );
  return $form;
}
?>
#1
I don't know pageroute, or whether the Drupal internal mechanism can manage it, but it seems to me that there could be a security issue with this patch.
<?php
function user_mailman_register_form($account = FALSE) {
  $form['user_mailman_register']['uid'] = array(
    '#type' => 'value',
    '#value' => $account->uid,
  .....

function user_mailman_register_form_submit($form_id, $form_values) {
  $account = user_load(array('uid' => $form_values['uid']));
  ....

function user_mailman_register_page_form_view($route, $page, $form) {
  $account = user_load(array('uid' => pageroute_page_get_uid($page, 'access user_mailman_register')));
  .....
?>
The user id value is retrieved from a hidden form value. In this way, if Drupal does not perform additional validation, then every user with the 'access user_mailman_register' permission could spoof it and change (or retrieve) the subscription status of another user.
I'd like to have more info about this before including it in the UMR release.
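As an added example that is not code from the module or from either poster: one way to close the gap described in #1, assuming the submitted uid really is attacker-controllable in this setup, is to implement the hook_form_validate() wrapper that the original patch leaves as a TO DO and have it refuse any uid the current user may not act on. It assumes Drupal 5 Form API conventions (validate handlers named `<form_id>_validate` and receiving `$form_id, $form_values`) and the core 'administer users' permission.

```php
<?php
/**
 * Added example (not the module's own code): validate wrapper that ties the
 * submitted uid to the current user, so a spoofed uid in $form_values cannot
 * read or change another account's subscriptions.
 */
function user_mailman_register_form_validate($form_id, $form_values) {
  global $user;
  $uid = isset($form_values['uid']) ? (int) $form_values['uid'] : 0;

  // Anonymous users and missing or zero uids never pass.
  if ($uid <= 0 || $user->uid == 0) {
    form_set_error('uid', t('No valid account was selected.'));
    return;
  }

  // Only the account owner, or someone holding the core 'administer users'
  // permission (assumed here as the admin check), may act on this uid.
  if ($uid != $user->uid && !user_access('administer users')) {
    form_set_error('uid', t('You may only change your own mailing list subscriptions.'));
    // Log the mismatch so repeated attempts are visible in the watchdog.
    watchdog('user_mailman_register',
      t('Rejected subscription change for uid %uid submitted by uid %me.',
        array('%uid' => $uid, '%me' => $user->uid)),
      WATCHDOG_WARNING);
    return;
  }

  // The target account must actually exist before the submit handler
  // hands it to _user_mailman_register_subscribe().
  if (!user_load(array('uid' => $uid))) {
    form_set_error('uid', t('The selected account does not exist.'));
  }
}
?>
```

With this in place the submit wrapper from the original patch can stay as posted, since form_set_error() stops Drupal from calling it when validation fails.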