Access checks and performance
Dave Reid - May 4, 2009 - 17:14
| Project: | High-performance JavaScript callback handler |
| Version: | 5.x-1.0 |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed |
Jump to:
Description
First off, great idea! I'm investigating using the new js-style callbacks with my modules, but I had a question with the sentence on the project page "Please note that js.php does NOT perform access checks like Drupal's menu system. If required, each callback function needs to do this on its own.". So in order to run access checks like user_access() and to not be worried about things not being included, I'll have to load all modules. Now the performance savings are basically gone. How to you envision this working?
#1
Many modules implement their own access handling, not necessarily relying on user_access().
That said, you only need to load user.module for user_access().
btw, are you on the security team? If so, I could use some help getting a SA out...
#2
#3
Hey sorry sun, I lost track of this issue in my tracker. That makes sense about only loading user.module. For any modules that need to check node_access however, that's a different, need-to-include everything road. :/
And no, I'm not on the security team, although I applied to be a member about a month ago and haven't heard anything back.
#4
Sure, but even when node_access checks are required, then those are usually only required for certain JS callbacks, and, you only need to load node.module + 1-2 access modules - and not the 99 other modules and includes. ;) That's the sole purpose here :)
I was asking, because I have a completely rewritten version of this module here, but I can't (shouldn't) commit that stuff without co-ordination with the security team... bah. From the ~10 sites using this module, most probably, ~8 are our own.
#5
Automatically closed -- issue fixed for 2 weeks with no activity.