Many long nights spent on my site, and now I've started doing all sorts of security checks and stumbled upon the following:
www.mysite.com/node
That shows the latest x nodes that a user has access to. I DON't want this view visible to users. And I certainly don't want any other views similar to this available. So, my questions are:
How do I disable this view?
Are there other hidden views that I'm not aware of that an anonymous user can use to access several nodes at once?
You want to use hook_menu_alter() in a custom module to reroute what happens when someone tries to load the page at /node. There are two approaches.
First, you could give an unequivocal access denied:
function custom_module_menu_alter(&$items) {
$items['node']['access callback'] = FALSE;
}
Second, you could reroute the page to one of your choice:
function custom_module_menu_alter(&$items) {
$items['node']['page callback'] = 'custom_module_new_page_content';
}
function custom_module_new_page_content() {
return 'Go away!';
}
Other Listings
If you are worried about listings where users have access, the search results and tracker are the only other places that I can recall.
This comment provides the logic to unset whatever you want from the search results using a custom module.
Unfortunately the Tracker is not particularly customizable without direct hacks. Your best bet is to use one of the tracker replacements in contrib, or easier yet, modify the Tracker replacement that is packaged with the Views module.
EDIT: Clarification- you could also disable the Tracker module form the optional "core" modules. However, it is a very useful functionality so you might want to keep it around in some form.
As for disabling paths you found, I'd second Graysides suggestion of using hook_menu_alter to adjust the access callback.
As for other 'hidden' views, this depends a lot on the modules you use, as many modules add some default 'views' (in the sense of overview pages, not necessarily views module views). So instead of trying to find them indirectly here, I'd suggest to take a look at the menu_router table of your Drupal database. There you'll find all paths currently used by your instance (internal paths, not aliases, but all aliases map to an internal one).
One relatively simple way to do this that works is to turn on the Path module under core and alias /node to something else like /node/1 or whatever ..
Not sure about other urls that get you things you don't wanna see... i would think this technique would work for any you come across
function modulename_menu_alter(&$items) {
$items['node']['page callback'] = 'drupal_not_found';
}
Source: http://drupal.org/node/500296#comment-3532630
the "node" view is the default frontpage view. So it is usually the same tha appear on you're frontpage.
Related
I'm trying to understand how URL Mapping works. I've gone through numerous pages, but I can't seem to wrap my head around what I'm trying to do.
Its really simple, I use DataObjects as pages approach and I have a member extension written to the member class. And I have the typical actions, show, edit, add.
So if I go to www.mywebsite.com/members/show/1 I can see the first user. If I change show to edit, I can edit the first user. Now if I go to www.mywebsite.com/members/add I can create a new user. This is working all as expected due to the functionality I created in the add method.
My problem is in the fact that when you go any website, you don't register to the website by going to members/add, you register by going to website.com/Register or something similar. From code management perspective, it is a lot easier for me to leave the code the way it is now. I don't want to have to create a Register page and move the code there, instead I am trying to figure out if it is possible to go to www.mywebsite.com/Register and have it load www.mywebsite.com/members/add. I am not talking about a redirect link that would update the url, I want users to still see Register in the url and not see /members/add.
Vice versa, if users were to go to www.mywebsite.com/members/add I want the link to update to Register or say page not found.
Is this possible with Silverstripe Framework?
I am not 100% sure, but I believe this is called URL Masking.
This is very possible, firstly I'd advise that you look over...
silverstripe-memberprofiles
...because even if you dont' want to use an existing module I'm sure there would be useful information. There is a great example of "pure" routing (i.e. silverstripe no cms) that leads on to "nested" routes - which is what I think you are asking for, so I highly recommend reading the slides below and then the created todo app
silverstripe-framework-building-without-the-cms
todo app source
I'm trying to pragmatically set those 2 variables upon installing a site.
user_pictures (Disabling user pictures altogether)
user_register (allowing visitors to register without admin)
I'm using Features with strongarm but no luck. Even with the feature enabled the options are wrong in the account settings.
Setting the variable manually with a script doesn't do the trick either, although the options show the correct checkbox as ticked, I still have to to the page a click "save configuration" to confirm the setting.
This goes for maaany other variables I'm tryign to set, and I'm not sure if this is possible but it would be nice.
Thank you!
One solution which only solves part of my problem is to use Install profiles. The problem with those is that some variables still don't seem to take effect or work at all...
https://drupal.org/developing/distributions
https://drupal.org/project/profiler
It looks like this is the intended behavior of the features module, according to this old issue on drupal.org:
Say when developing a site, and set the settings at admin/user/settings for user_register. then you go live, later you decide to change the value, make a feature and strongarm that user_register variable then deploy that. The setting will still be in the database (as a variable), thus the feature is overridden.
The simplest solution is to not rely on features to set your variables on installation. It's much simpler to use hook_install anyway. I suppose we're only supposed to think of the Features module as a means of setting up or updating complicated configuration from the Features administration page, but not when the module itself is enabled or updated.
This will set the variables you describe for the example module:
function example_install() {
variable_set('user_pictures', 0);
variable_set('user_register', 1);
}
If other parts of your feature also aren't being set up correctly, perhaps you should try this instead:
function example_install() {
// This will only revert 'variable' features. Include additional features as needed.
features_revert(array('example' => array('variable')));
}
This is a strange one and not ideal, but basically we have a Drupal site that has been using the core comments module to allow authenticated users to post and view comments for a node. We are now needing to extend this so that unauthenticated users can also post comments, but not view them. Authenticated users would only have access to view comments by other authenticated users. Only admin users would have access to view all comments.
Is there a way of doing this? The permissions do not seem to permit this flexibility (access comments is required to give a user the form, but shows all approved comments).
I've looked into using some Drupal hooks, but as far as I could see there is only the hook_comment function that occurs after the comments have been retrieved (perhaps there is a good way of making use of this, but my mind has gone blank).
Any suggestions? I appreciate hiding comments from certain users but allowing them to post them is probably not best practice; however, I need to work with what we've already got.
I can think of a way to solve this problem, but it's not the prettiest solution.
Create a custom module with your own permissions.
Overwrite the standard theme function that's used to render the comments. You should have the comment object available, so it should be fairly easy to see if the comments is from the anonymous user or a registered user, and can check which comments the user should be able to see.
Now there's a few problems in this, as comments can be threaded, so in theory, it is possible that a comment in a thread will be missing causing confusion and possible other bugs.
But like I said, this is a quick and dirty fix, with what you got.
Can't you use the comment moderation queue to achieve exactly this? Check your settings for the comment module (at admin/content/comment).
You can set in your theme template.php whether you want anonymous users to view comments simply by doing a check on whether a user is logged in, and not showing the comment if they're not.
eg:
function mytheme_preprocess_comment(&$vars, $hook) {
global $user;
if (!$user->uid) {
unset($vars);
}
}
Then in your comment.tpl.php, at the top:
if ( isset($content) ) :
To check whether the comment has been unset, so that you don't render a whole lot of empty divs.
There's undoubtedly better ways to do this which involve using a hook to avoid loading up the comments at all for anon users, but this code will do the job without much work.
I have some nodes I am displaying in a view. They are displayed as nodes, unformatted. I would like the user to be able to choose from some predefined sort criteria ( via drop down list or similar).
So they could pick recently active, most commented, newest, etc., and re-query for new results.
Its easy with tables because you can make the labels clickable, but I do not know how to have similar functionality with a raw node preview display.
Just a thought, from me to me, and for anyone else who may be trying to do this.
An easy, sleezy option would be to just add another page view for each of the required sorts, and provide a link to these other views in the header of each of the pages.
This could also allow for (easier) linking to the individual sorts, so say if you have a sidebar block displaying recently commented nodes, you could adjust the .tpl.php of the block to have the title link to the view displaying the full set of recently commented nodes.
also im pretty sure there should be a way to do this with arguments, but i dont know how
Views 3 supports exposing sort order (just like you can expose filters)
Select the sort order (e.g. add sort by node creation date, then click on the settings for that), you should be able to expose the sort order to the end user. This is just like clicking on the settings for a filter and then choosing to expose it.
Standard views isn't going to support this, so IMO you're best off implementing a custom solution using just a plain old view and this jQuery plugin. You can either do this at the theme layer (the same way as any other JS in a theme) or a custom module (via drupal_add_js() to add the plugin and your bit of custom code). Either way will work, although the custom module has the obvious benefit of being theme independent (and thus more portable).
If you go the custom module route, please consider releasing it as a contrib module on http://drupal.org.
How can I categorize/organize the content types on my "Create content" page? I'm running Drupal 6.x with CCK. I have a lot of custom content types, and my "Create content" page has become a bit unwieldy, as it lists them all alphabetically. I'd like to organize them by category, so users would see something like:
Create Content
Reports
Report Type A
Report Type B
Events
Event Type A
Event Type B
I don't want to mess with Core, but anything else (custom module, theming, existing module functionality) is fair game. I'm hoping I'm missing something easy, because this seems like an obvious requirement, but all I could find on the Drupal site were these unanswered questions:
Organize Create Content Page
(node/add)
Core: Split create
content page into categories?
You should be able to accomplish this in a custom module, without hacking core.
You'll want to implement hook_menu_alter() to take over the callback function for node/add.
Something like
function mymodule_menu_alter(&$items) {
$items['node/add']['page callback'] = 'mymodule_node_add_page';
}
should get you started. You would then create the function mymodule_node_add_page, and you could use the original callback function as a starting point.
You can also do this at the theme level by overriding theme_node_add_list().
There are some different ways to attack this problem. You can overwrite the old form page or just create a new one with a custom module. Doing that you can in your module do whatever your want.
Another possibility is to do the same thing using views instead. Doing that gives you access to a lot of powerfull features, as you can do anything the views module lets you do. You can create different ways of sorting the content types.
I've heard of many who have used views to make a page like this for the create content page. Which method you choose is up to you, depending on how exactly you want to do this and the data you have associated with your content types, one will be more easy than the other. But without knowing the exact details, I can't say which. I would advise you to start out with views, since you quickly should be able to find out, if you can use it to get what you want.
there's a module that does what you are looking for, Content type groups
I created a sandbox module some time ago which was supposed to do this:
https://drupal.org/sandbox/YaronTal/1260038
The only problem is that I wasn't able to create the admin backend with draggable interface at the time.
I know the issue is old, but just in case someone else has the same problem...