function hosting_task_menu_access_csrf in Hosting 7.4

Same name and namespace in other branches
  1. 6.2 task/hosting_task.module \hosting_task_menu_access_csrf()
  2. 7.3 task/hosting_task.module \hosting_task_menu_access_csrf()

Access callback helper for hosting task menu items.

Implemented as a helper function since we only want to validate the CSRF token when the user accesses a certain path, not when (for example) building the list of tasks a user has access to.

@arg $node object the node object we're trying to access

@arg $task string the task type we're trying to do on the $node

See also

hosting_task_menu_access()

1 string reference to 'hosting_task_menu_access_csrf'
hosting_task_menu in task/hosting_task.module
Implements hook_menu().

File

task/hosting_task.module, line 380
Web server node type is defined here.

Code

function hosting_task_menu_access_csrf($node, $task) {
  global $user;
  $interactive_tasks = array(
    'migrate',
    'clone',
  );

  // To prevent CSRF attacks, a unique token based upon user is used. Deny
  // access if the token is missing or invalid. We only do this on
  // non-interactive tasks.
  if (!in_array($task, $interactive_tasks) && (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $user->uid))) {
    return FALSE;
  }

  // Call the main menu access handler.
  return hosting_task_menu_access($node, $task);
}
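
Added example (not part of the Hosting module): a stand-alone model of the token gate above, showing which requests it denies before the main access handler would run. The demo_* functions, the 'verify' task name and all sample values are hypothetical; the token scheme (an HMAC of the user ID keyed by the session ID and a site secret) is an assumption made for the demonstration.

```php
<?php
// Added example, runnable with the php CLI. The demo_* functions and all
// sample values are hypothetical stand-ins, not Drupal or Hosting code.
// Assumed token scheme: HMAC-SHA256 of $value keyed by session ID + site secret.
function demo_get_token($value, $session_id, $secret) {
  $mac = hash_hmac('sha256', (string) $value, $session_id . $secret, TRUE);
  return strtr(rtrim(base64_encode($mac), '='), '+/', '-_');
}

function demo_valid_token($token, $value, $session_id, $secret) {
  // ?token[]=x arrives as an array; only a string can be a valid token.
  return is_string($token)
    && hash_equals(demo_get_token($value, $session_id, $secret), $token);
}

// Same decision order as hosting_task_menu_access_csrf(): token gate first.
function demo_access_csrf($task, array $query, $uid, $session_id, $secret) {
  $interactive_tasks = array('migrate', 'clone');
  if (!in_array($task, $interactive_tasks)
    && (!isset($query['token'])
      || !demo_valid_token($query['token'], $uid, $session_id, $secret))) {
    return FALSE;
  }
  return TRUE; // Stand-in for hosting_task_menu_access($node, $task).
}

function demo_run_cases() {
  $secret = 'constructed-site-secret';
  $uid = 7;
  $own = demo_get_token($uid, 'session-A', $secret);
  $foreign = demo_get_token($uid, 'session-B', $secret);
  // 'verify' is a constructed example of a non-interactive task name.
  $cases = array(
    'verify, own token' => array('verify', array('token' => $own)),
    'verify, no token' => array('verify', array()),
    'verify, other session token' => array('verify', array('token' => $foreign)),
    'verify, array token' => array('verify', array('token' => array($own))),
    'migrate, no token' => array('migrate', array()),
  );
  $results = array();
  foreach ($cases as $label => $case) {
    $results[$label] = demo_access_csrf($case[0], $case[1], $uid, 'session-A', $secret);
  }
  return $results;
}

foreach (demo_run_cases() as $label => $allowed) {
  printf("%-28s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

The final case passes without a token because the gate is skipped for 'migrate' and 'clone', so any CSRF protection for those tasks has to come from the interactive step itself.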