You are here

function hosting_task_menu_access_csrf in Hostmaster (Aegir) 6

Access callback helper for hosting task menu items.

Implemented as a helper function since we only want to validate the CSRF token when the user accesses a certain path, not when (for example) building the list of tasks a user has access to.

See also

hosting_task_menu_access()

1 string reference to 'hosting_task_menu_access_csrf'
hosting_task_menu in modules/hosting/task/hosting_task.module
Implementation of hook_menu().

File

modules/hosting/task/hosting_task.module, line 211
Web server node type is defined here.

Code

function hosting_task_menu_access_csrf($node, $task) {
  global $user;
  $interactive_tasks = array(
    'migrate',
    'clone',
  );

  // To prevent CSRF attacks, a unique token based upon user is used. Deny
  // access if the token is missing or invalid. We only do this on
  // non-interactive tasks.
  if (!in_array($task, $interactive_tasks) && (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $user->uid))) {
    return FALSE;
  }

  // Call the main menu access handler.
  return hosting_task_menu_access($node, $task);
}