How to prevent unauthorized url access in drupal?
I already tried 'access arguments' => array('access administration pages') but it didn't work
It's clearly given in the Drupal documentation how to use the Access Arguments. This example is as per the Drupal documentation, just to make it more clear for you how to use this.
$items['test/myPage'] = array(
  'title' => 'myPage',
  'description' => 'Welcome',
  'page callback' => 'mypage_info',
  'access arguments' => array('Anyone can access this'),
);

// Define user permissions.
function hook_perm() {
  return array('Anyone can access this');
}
Now go to the permissions page (Administer --> User Management --> Permissions); there you can see a list of strings you used for access arguments. You could find the access argument named 'Anyone can access this' in your corresponding module. Give the necessary permission for your required user roles.
You could get more information on the following links:
https://drupal.org/node/553368
https://api.drupal.org/api/drupal/developer%21hooks%21core.php/function/hook_perm/6
Related
I'm not really sure what direction to go in.
I have a box on multiple pages that displays the status of various items. I want it easily update-able and would prefer it to be updated via a module. I'm not sure what direction to go in and just need a gentle push.
I have created a table in the drupal sql db but not sure how I would go about creating an admin tool in the drupal control panel to make changes to it.
Does anyone have any ideas of how I should go about this?
p.s. I'm using drupal 7
Custom admin pages can be defined as follows:
function mymodule_menu() {
  $items['admin/def'] = array(
    'page callback' => 'mymodule_abc_view',
    'page arguments' => array(1, 'foo'),
    'access arguments' => array('administer nodes'),
    'title' => 'Foo settings',
    'type' => MENU_NORMAL_ITEM,
  );
  return $items;
}
Where mymodule is the name of your module and mymodule_abc_view is the function that returns the markup for your admin page.
I am developing a Drupal 7 module. I have created a table in the Drupal database for that module directly in phpMyAdmin. I have set the permissions for that module to be viewed by authenticated users. The module works fine when I log in as an administrator. But it gives "access denied" when I log in as the authenticated user.
Anyone any suggestions how I can also give authenticated users access?
Thanks!
Probably, the issue is in the menu hook. Please check its access argument.
It should be something like this:
$items['abc-url'] = array(
  'title' => 'Page abc',
  'page callback' => 'page_abc',
  'type' => MENU_CALLBACK,
  'access arguments' => array('access abc'),
  'file' => 'my_module.admin.inc',
);

Then you need to define it (in Drupal 7, like the following):

function my_module_permission() {
  return array(
    'access abc' => array(
      'title' => t('Access abc'),
      'description' => t('This will provide permission to abc.'),
    ),
  );
}
Then clear the cache, go to user permissions page & give authenticated user permission to "Access abc".
Hope this will help.
You need to add the list of users to the database permission property whom you want to allow access.
Check this link.
MySQL: Grant **all** privileges on database
I'm basically creating my own interface for choosing among different product options, in Drupal 7, using Ubercart.
I want to manually create an html form where I will be submitting post variables which represent the details of the product(s).
Is this something possible to do? Is there any documentation on this? I hope it's simple enough.
Create a custom module (let's call it mymodule).
Register a valid URL where your HTML form can be accessed, using hook_menu:

$items['mymodule/submit'] = array(
  'page callback' => 'mymodule_submit',
  'access arguments' => array('access content'),
  'type' => MENU_CALLBACK,
);
Now create the function mymodule_submit() in your module and use $_POST variable to check for values and act accordingly.
How can I look up the valid access arguments? I looked in menu_router, but I believe that only gives some of them.
$items['admin/page'] = array(
  'access arguments' => array('access administration pages'),
);
Invoke hook_permission() across all modules:
$permissions = module_invoke_all('permission');
If I remember rightly, array_keys($permissions) will then give you a list of valid permission machine names. The labels/descriptions/other settings for each permission are in each individual array item.
Actually, you are interested in the values of the access arguments where the access callback is "user_access" (the default value); as a module can use a different access callback, the values for the access arguments can theoretically be infinite.
The alternative to invoking all the implementations of hook_permission() is to use code similar to the following one:
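$permissions = array();
// Keep the statement object returned by db_query() so it can be iterated.
$result = db_query("SELECT permission FROM {role_permission}");
foreach ($result as $row) {
  // Using the permission as the key removes duplicates across roles.
  $permissions[$row->permission] = TRUE;
}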
array_keys($permissions) will then give you the list of all the permissions.
I took the query from user_role_permissions(); the difference is that the function is interested in the permissions associated to the role passed as argument.
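Combining the two answers above into a check, as an added example that is not from the original posts: it walks Drupal 7's {menu_router} table and reports paths that are open to everyone or whose user_access() argument is not a permission any enabled module defines. The function name mymodule_audit_router_access is hypothetical.

```php
<?php
/**
 * Lists menu router paths whose access check deserves a review (Drupal 7).
 *
 * Added example; mymodule_audit_router_access() is a hypothetical helper name.
 *
 * @return array
 *   Findings keyed by router path.
 */
function mymodule_audit_router_access() {
  // Permission machine names defined by all enabled modules.
  $defined = module_invoke_all('permission');
  $findings = array();

  $result = db_query("SELECT path, access_callback, access_arguments FROM {menu_router}");
  foreach ($result as $row) {
    $callback = (string) $row->access_callback;

    // 'access callback' => TRUE is stored as 1: the path has no access check.
    if ($callback === '1') {
      $findings[$row->path] = 'always accessible (access callback is TRUE)';
      continue;
    }
    // Custom access callbacks take arbitrary arguments; only the arguments
    // of user_access() are permission names.
    if ($callback !== 'user_access') {
      continue;
    }
    // access_arguments holds the serialized 'access arguments' array.
    $args = unserialize($row->access_arguments);
    $permission = is_array($args) ? reset($args) : FALSE;
    if (!is_string($permission) || !isset($defined[$permission])) {
      $findings[$row->path] = 'user_access() argument is not a defined permission: ' . var_export($permission, TRUE);
    }
  }
  return $findings;
}
```

A path flagged as always accessible may be intentional, so treat the output as a review list. A path whose permission string is undefined cannot be granted to any role on the permissions page.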
1- Check a list of valid permissions at: /admin/people/permissions
2- Specify the permission in your menu hook:
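function webforms_advanced_router_menu() {
  $items['admin/config/mymodule'] = [
    'title' => 'MyModule',
    'page callback' => 'drupal_get_form',
    // drupal_get_form() receives the form builder name as a page argument.
    'page arguments' => array('_mymodule_admin_form'),
    // No 'access callback' is set, so the default user_access() checks
    // this permission.
    'access arguments' => array('administer site configuration'),
    'type' => MENU_CALLBACK,
  ];
  return $items;
}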
I'm creating an admin module for my client that gives them access to some administration functionality concerning their content. I'm starting off by adding some permissions in my module by implementing hook_perm:
function mymodule_perm()
{
  return array(
    'manage projects',
  );
}
I can then create my menu by adding to the admin section that already exists:
function mymodule_menu()
{
  $items['admin/projects'] = array(
    'title' => 'Projects',
    'description' => 'Manage your projects.',
    'page callback' => 'manage_projects_overview',
    'access callback' => 'user_access',
    'access arguments' => array('manage projects'),
    'type' => MENU_NORMAL_ITEM,
    'weight' => -100,
  );
  $items['admin/projects/add'] = array(
    'title' => 'Add project',
    'access arguments' => array('manage projects'),
    'page callback' => 'mymodule_projects_add',
    'type' => MENU_NORMAL_ITEM,
    'weight' => 1,
  );
  return $items;
}
This will add a Projects section to the Administration area with an Add project sub section. All good.
The behavior I want is that my client can only see the Projects section when they log in. I've accomplished this by ticking the "manage projects" permission for authenticated users in the permissions section of my module. Now to give my client actual access to the Administration area I also need to tick "access administration pages" under the "system module" in the users permissions section. This works great: when I log in as my client I can only see the Projects section in the Administration area. There is one thing though: in my Navigation menu shown in the left column I can see the following items:
- Administer
- Projects
- Content management
- Site building
- Site configuration
- User management
I was expecting only to see the Administer and Projects items, not the other ones. When I click e.g. Content Management I get a Content Management titled page with no sub-sections. Same for Site Building, Site Configuration and User Management. What's really odd is that Reports is not being shown, which is also a top level Administration section.
Why are these other items, besides my Projects section, being shown and how can I make them stop from appearing if I'm not logged in as an administrator?
Your problem is that they are allowed to view those pages.
From the system module's hook_menu:
$items['admin/build'] = array(
  'title' => 'Site building',
  'description' => 'Control how your site looks and feels.',
  'position' => 'right',
  'weight' => -10,
  'page callback' => 'system_admin_menu_block_page',
  'access arguments' => array('access administration pages'),
  'file' => 'system.admin.inc',
);
So when you gave them access administration pages you gave them access to the site building section, but not any item in it. A quick way to solve this is to:
Use hook_menu_alter to change the access settings for those menu items to something they don't have access to. Either make your own perm or use an existing one.
You could also use your theme to just hide the items.
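The hook_menu_alter approach suggested above, written out for Drupal 6 as an added example that is not part of the original answer. The module name mymodule comes from the question; the permission name 'access admin overview sections' and the list of section paths other than admin/build are assumptions.

```php
<?php
/**
 * Implements hook_perm() (Drupal 6).
 */
function mymodule_perm() {
  return array(
    'manage projects',
    // Hypothetical permission, meant for administrator roles only.
    'access admin overview sections',
  );
}

/**
 * Implements hook_menu_alter().
 *
 * Moves the top-level admin sections from 'access administration pages'
 * to a narrower permission, so a role that holds only 'manage projects'
 * and 'access administration pages' no longer gets these menu items.
 */
function mymodule_menu_alter(&$items) {
  // Assumed list of sections; the answer above quotes only admin/build.
  $sections = array(
    'admin/content',
    'admin/build',
    'admin/settings',
    'admin/user',
  );
  foreach ($sections as $path) {
    // Skip paths that no enabled module defines.
    if (isset($items[$path])) {
      $items[$path]['access callback'] = 'user_access';
      $items[$path]['access arguments'] = array('access admin overview sections');
    }
  }
}
```

The menu has to be rebuilt (clear the cache) before the altered access arguments take effect, and the new permission then needs to be granted to the roles that should keep seeing those sections.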
I'm not sure exactly why the menu router displays those. But I may be able to help...
Why don't you change your path to something like:
projects/add
projects/%/edit
This is similar to the node module's menu hook. It may not be exactly what you're looking for, but if you don't want these users having access to admin stuff it could be the right way.