function autosave_save_access in Autosave 6.2

Same name and namespace in other branches
  1. 7.2 autosave.module \autosave_save_access()

Access callback for the form save menu callback.

For security reasons, we need to confirm that the user would have access to the page where the form lives in the first place. If they don't, they should not be able to access its saved version. We also check that the form's token is correct to avoid CSRF attacks.

Because the form data is not available to us, the only way we can access the path is by checking $_POST directly. Sux.

Return value

boolean True if this user should have access to save this form, false otherwise.

1 string reference to 'autosave_save_access'
autosave_menu in ./autosave.module
Implementation of hook_menu().

File

./autosave.module, line 60
Does background saves of node being edited.

Code

function autosave_save_access() {
  $path = trim($_POST['autosave_path'], '/');
  $menu_item = menu_get_item($path);
  $token = isset($_POST['form_token'], $_POST['form_id']) && drupal_valid_token($_POST['form_token'], $_POST['form_id']);
  $menu = isset($menu_item['access']) ? $menu_item['access'] : FALSE;
  return $token && $menu;
}
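
The two conditions described above (the user can reach the page the form lives on, and the form token is valid), modelled as a stand-alone PHP CLI script. This is an added example, not code from the Autosave module or Drupal: the `demo_*` functions, the HMAC token scheme and the sample router table are assumptions standing in for `drupal_valid_token()` and `menu_get_item()`. It also denies when `autosave_path` is absent, a case the function above does not test with `isset()`.

```php
<?php
// Added illustration, runnable outside Drupal. Every demo_* name is a
// hypothetical stand-in, not Drupal's or the Autosave module's own code.

// Stand-in for Drupal's token: bound to a per-session secret and the form id.
function demo_token($session_secret, $form_id) {
  return hash_hmac('sha256', $form_id, $session_secret);
}

// Stand-in for menu_get_item(): path => may the current user view it?
function demo_menu_access(array $router, $path) {
  return isset($router[$path]) ? $router[$path] : FALSE;
}

// Same decision as the callback: token check AND page access must both pass.
function demo_save_access(array $post, array $router, $session_secret) {
  foreach (array('autosave_path', 'form_token', 'form_id') as $key) {
    if (!isset($post[$key]) || !is_string($post[$key])) {
      return FALSE; // Missing or non-string field: deny outright.
    }
  }
  $path = trim($post['autosave_path'], '/');
  $expected = demo_token($session_secret, $post['form_id']);
  $token_ok = hash_equals($expected, $post['form_token']); // constant-time compare
  return $token_ok && demo_menu_access($router, $path);
}

// Constructed sample data: one session, two pages, one legitimate request.
$secret = 'constructed-session-secret';
$router = array('node/1/edit' => TRUE, 'node/2/edit' => FALSE);
$good = demo_token($secret, 'page_node_form');
$base = array(
  'autosave_path' => '/node/1/edit',
  'form_id' => 'page_node_form',
  'form_token' => $good,
);
$cases = array(
  'valid token, page allowed' => $base,
  'valid token, page denied' => array('autosave_path' => 'node/2/edit') + $base,
  'forged token' => array('form_token' => 'guess') + $base,
  'token from another form' => array('form_id' => 'user_login') + $base,
  'autosave_path missing' => array_diff_key($base, array('autosave_path' => 1)),
);
foreach ($cases as $label => $post) {
  $verdict = demo_save_access($post, $router, $secret) ? 'allow' : 'deny';
  printf("%-28s %s\n", $label, $verdict);
}
```

Only the first constructed request is allowed; each of the others fails one of the two conditions and is denied.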