Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Sometimes you just want to keep things simple and not bother with a token -- this patch adds this callback type.
The callback functionality is what I expected out of the box from the rules_link module, but the way the rules_link module has been put together is fairly inflexible and needs some work if it's going to be used as a generalised solution for links and rules. There's a lot of things that don't work as advertised internally e.g. $entity_id being passed around but never used. Also using a URL like "cart/add" or "foobar/baz" will break the module, the URL must not have any slashes.
Comment | File | Size | Author |
---|---|---|---|
#2 | rules_link_callback.patch | 3.23 KB | aidanlis |
rules_link_callback.patch | 2.53 KB | aidanlis | |
Comments
Comment #1
BenK CreditAttribution: BenK commented+1 subscribing
Comment #2
aidanlis CreditAttribution: aidanlis commentedForgot the .admin in the patch.
Comment #3
fago>Sometimes you just want to keep things simple and not bother with a token -- this patch adds this callback type.
This would be a CSRF vulnerability, so I don't think it's a good idea ;)
Comment #4
aidanlis CreditAttribution: aidanlis commentedIt's not CSRF if the Rule's action is Safe and Idempotent [1], e.g. I want to advertise a special offer in the paper, where visiting http://example.com/specials/donut/ adds a donut to the cart, applies a discount, and redirects them to the checkout pane.
[1] http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
Comment #5
fagobut your example isn't idempotent - and most won't be.
Comment #6
aidanlis CreditAttribution: aidanlis commentedIt is idempotent, running it multiple times has no effect on the state of the users session (assuming you have an "empty cart" before hand).
Can you think of a better way to achieve what I want to do? I think it's a little silly to block functionality in a module because it could be abused ...
Comment #7
fagoYour described example adds something to the cart, so the cart isn't the same anymore afterwards. Thus it's not idempotent.
I don't see the problem with added tokens. Just make use of the helper function for outputting links - I suppose there is such a helper.. ;)
I'd suggest working on fixing that.
Comment #8
aidanlis CreditAttribution: aidanlis commentedA helper function isn't going to help me with my printed media ad though ...
... what about if I put a warning under "Callback" saying that this opens the door to CSRF attacks and should be used with caution?
Comment #9
spineless CreditAttribution: spineless commentedI am using your patch for the commerce add to cart feature.
http://drupal.org/node/823466
The article calls for the use of this patch. rules_link_callback.patch.
I was able to install the commerce add to cart patch however when I attempted to git the rules_link_callback.patch I did not do as well.
I could not find the following files in the rules module.
rules_link_admin.inc
rules_link.module
Here is the terminal window error message:
user@ubuntu11.04:~/website/sites/all/modules/rules$ git apply -v rules_link_callback.patch
rules_link_callback.patch:10: trailing whitespace.
'#options' => array('callback' => t('Callback'), 'javascript' => t('Javascript'), 'token' => t('Normal'), 'confirm' => t('Confirmation')),
rules_link_callback.patch:23: trailing whitespace.
function rules_link_trigger($rules_link) {
rules_link_callback.patch:28: trailing whitespace.
* Menu callback for callback links.
rules_link_callback.patch:29: trailing whitespace.
*/
rules_link_callback.patch:30: trailing whitespace.
function rules_link_trigger_callback($rules_link) {
Checking patch rules_link.admin.inc...
error: rules_link.admin.inc: No such file or directory
Checking patch rules_link.module...
error: rules_link.module: No such file or directory
user@ubuntu11.04:~/website/sites/all/modules/rules$
Any ideas what i did wrong?
Spineless
Comment #10
aidanlis CreditAttribution: aidanlis commented@spineless This is a patch to rules_link, not rules ...
@fago There's a clear use case for this, and although I agree we're violating GET idempotentcy on the first request I don't see any other way this could work - you can't deny the practical necessity. I don't mind forking your module into rules_simplelink, but I'd really like you to reconsider.
Comment #11
sepgil CreditAttribution: sepgil commentedI admit, there are uses cases were a simple callback would be usefull, but the amount of such use cases is small. Adding such a callback is to risky, and therefore I'm not willing to add it to my module.
Comment #12
fagoMaybe, making link-types pluggable would make sense?
Comment #13
aidanlis CreditAttribution: aidanlis commented@sepgil: ... I'm flabberghasted, but that's fine, I will make an alternative module.
We were hoping to use rules_link to build the Commerce equivalent of the Ubercart's Cart Links module - a module which had tens of thousands of users before it was integrated into Ubercart core - hardly a "small use case".
Comment #14
aidanlis CreditAttribution: aidanlis commentedNew module here, http://drupal.org/project/rules_linkevent ... will make clicking a link an event.
Comment #16
mitchell CreditAttribution: mitchell commentedWhoah!.. This is completely uncharacteristic in the Rules / Drupal ecosystems.
I've seen many opportunities for cooperation where one proposed solution needed to change from what the contributors and maintainers had originally intended. The issues went back and forth, a middle ground was discovered, and a productive direction was taken... and many users rejoiced. This is the type of thing which has made Rules great.
As a user, I really hope we'll figure out what can be done based on the points already made and, potentially, what can be merged from this fork. I'd be happy to help, but I hope this type of resistance will be seen for what it is, a mistake.
---
aidanlis: would fago's suggestion fit your needs? has Rules Link Event given you new insights about a callback link type?
fago: could you please explain more about what making link-types pluggable might allow and how it would look? and if possible, recommend a better solution than a CSRF-able plugin.
sepgil: same questions as ^ and a reminder to please "stand on the shoulders of giants" as we all say
spineless: error messages are a easier to read in txt files
all-contributors: thank you for your patience, commitment, and skill!
Comment #17
aidanlis CreditAttribution: aidanlis commented@mitchell Although I appreciate you putting some energy into this, all of your comments are superfluous. There's no extra insight needed and we all know what a pluggable architecture would look like. Suggesting that there exists a better solution than a CSRF-able plugin shows you don't understand a fundamental requirement (e.g. printed media).
Comment #18
mitchell CreditAttribution: mitchell commentedaidanlis, please take a moment to reflect on your tone. I'm trying to remain respectful, and I would appreciate it would read over the DCOC.
> Although I appreciate you putting some energy into this, all of your comments are superfluous.
If you're saying they're excessive, I'll admit they're a bit long. But unnecessary? Collaboration matters deeply here. I think you may be misjudging the situation. There are between 100k and 500k rules users and your project has created a lot confusion for them/us. And still, Rules users are still waiting for "a generalised solution for links and rules." I would like us to get back on track for that.
> There's no extra insight needed and we all know what a pluggable architecture would look like.
Here's what I want to find out: would it suit you? are you still interested in working on it?
> Suggesting that there exists a better solution than a CSRF-able plugin shows you don't understand a fundamental requirement (e.g. printed media).
I'm not a programmer, and I didn't suggest that. This issue clearly demonstrates the need to address the scenario described in #1553546: Encourage issue queue participants to clearly formulate the problem separately from proposed solutions. Our tools might let us down, but let's not let each other down.
Comment #18.0
mitchell CreditAttribution: mitchell commentedImproved the wording.