function hosting_task_menu_access_csrf in Hostmaster (Aegir) 6
Access callback helper for hosting task menu items.
Implemented as a helper function since we only want to validate the CSRF token when the user accesses a certain path, not when (for example) building the list of tasks a user has access to.
See also
1 string reference to 'hosting_task_menu_access_csrf'
- hosting_task_menu in modules/
hosting/ task/ hosting_task.module - Implementation of hook_menu().
File
- modules/
hosting/ task/ hosting_task.module, line 211 - Web server node type is defined here.
Code
function hosting_task_menu_access_csrf($node, $task) {
global $user;
$interactive_tasks = array(
'migrate',
'clone',
);
// To prevent CSRF attacks, a unique token based upon user is used. Deny
// access if the token is missing or invalid. We only do this on
// non-interactive tasks.
if (!in_array($task, $interactive_tasks) && (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $user->uid))) {
return FALSE;
}
// Call the main menu access handler.
return hosting_task_menu_access($node, $task);
}