I've been adding lots of RPC services to the modules we use, so we can access them from an embedded client on a mobile device. Most of the calls we are adding correlate to Web page functionality offered by these modules through hook_menu. In trying to make sure the permissions are right, then, I've been trying to just use the same permissions for the RPC calls as the menu items use.
Most of the menu items use a simple "access" member which returns a boolean, evaluated when the menu is constructed. Many are just calls to user_access, and those can be implemented with the '#callback arguments' property to the service. But for those menu items that have something more complicated for their access property, it would be useful to be able to just copy this access property over to the equivalent RPC call.
I tried a simple implementation of this, but when hook_services is run, the user doesn't seem to be logged in fully yet, and so the calculated value for the access member is not right.
I haven't looked into this too deeply yet, but it would be useful if there were a simple way to use the same strategy for managing access control as hook_menu uses.
Comments
Comment #1
marcingy commented
Comment #2
marcingy commented
The user isn't logged in until session_load is called. A handler does exist for custom access callbacks after this has happened.
Not sure if this answers your question or not but you should be able to manipulate the access from this approach.
Comment #3
marcingy commented
Closing as no follow up.
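The timing problem discussed in this thread, as an added stand-alone PHP sketch that is not code from the thread or from the Services module: an access value computed while the method definitions are built is frozen before the session is loaded, while a stored callback is evaluated once the request's user is known. Every function name, array key, permission string and user value below is hypothetical and constructed for illustration; none of it is the Drupal or Services API.

```php
<?php
// Constructed stand-in for Drupal's global $user; uid 0 is the anonymous user.
$user = (object) array('uid' => 0, 'perms' => array());

// Hypothetical stand-in for user_access(): checks the *current* global user.
function example_user_access($perm) {
  global $user;
  return in_array($perm, $user->perms, TRUE);
}

// Hypothetical access rule that is more than a single permission check.
function example_report_access($owner_uid) {
  global $user;
  return example_user_access('administer reports')
    || ($user->uid == $owner_uid && example_user_access('view own reports'));
}

// Method definitions are built before the session is loaded.
function example_build_methods() {
  return array(
    // Eager, hook_menu-style boolean: computed while $user is still anonymous.
    'report.get_eager' => array('access' => example_report_access(7)),
    // Deferred: store the callback name and arguments, decide at call time.
    'report.get_deferred' => array(
      'access callback' => 'example_report_access',
      'access arguments' => array(7),
    ),
  );
}

// Hypothetical dispatcher: deny by default, run deferred callbacks per request.
function example_method_allowed(array $method) {
  if (isset($method['access callback'])) {
    $args = isset($method['access arguments']) ? $method['access arguments'] : array();
    return (bool) call_user_func_array($method['access callback'], $args);
  }
  return !empty($method['access']);
}

$methods = example_build_methods();

// Constructed "session load": the request's user becomes known only here.
$user = (object) array('uid' => 7, 'perms' => array('view own reports'));

var_dump(example_method_allowed($methods['report.get_eager']));
var_dump(example_method_allowed($methods['report.get_deferred']));
```

In this sketch the eager entry denies a user the deferred entry allows. The same eager pattern fails open if the definitions are built or cached during a privileged user's request, which is why the decision belongs in a callback evaluated per call.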