Validate posts in Drupal - some notes

- 
  * Generates and validates CSRF tokens.
The generated token is based on the session ID of the current user. Normally,
anonymous users do not have a session, so the generated token will be different on every page request. To generate a token for users without a session, manually start a session






 // You can validate POST by testing token.
  $token = drupal_get_hash_salt();


if($form_state['values']['token'] != md5($token)) {


drupal_access_denied();


}






We can check the HTTP origin header to validate the origin. The idea is to get the $_SERVER['HTTP_ORIGIN'] header in the request and after validation send the Access-Control-Allow-Origin in the response. 


Example code taken from 


https://github.com/systemseed/services_accept_origin/blob/7.x-1.x/services_accept_origin.inc












  $whitelist = explode("\n", $settings['whitelist']);  
  $origin = !empty($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : FALSE;


  $origin_is_whitelisted = FALSE;




  // No ORIGIN header and should let it pass


  if (!$origin && $settings['no_origin_policy']) {


    $origin_is_whitelisted = TRUE;


    $origin = '*';


  }




  // Check for wildcard, if found, let all through


  elseif (strpos($settings['whitelist'], '*') !== FALSE) {


    $origin_is_whitelisted = TRUE;


  }




  // Loop through whitelist and compare origin


  else {


    // Determine if the domain is whitelisted, compensates


    // for traling slashs and stuff


    foreach ($whitelist as $domain) {


      if (strpos($domain, $origin) === 0) {


        $origin_is_whitelisted = TRUE;


        break;


      }


    }


  }




  // Send headers and let request through since we got


  // an origin and it's in the list


  if ($origin_is_whitelisted) {


    drupal_add_http_header('Access-Control-Allow-Origin', $origin);


  }


  // Deny access


  else {


    return t('Unauthorized origin.');


  }
















































Comments











Post a Comment



















Popular posts from this blog









Programatically create layout builder section in Drupal






-















 A sample script which can create a one column layout and store body field in it.   namespace Drupal\custommodule\Controller;   use Drupal\Core\Controller\ControllerBase;  use Drupal\layout_builder\Section;  use Drupal\layout_builder\SectionComponent;  use Drupal\node\Entity\Node;  use Drupal\block\Entity\Block;  use Drupal\block_content\Entity\BlockContent;  use Drupal\layout_builder\Entity;   $entity = Node::load(10);      $section = new Section('layout_onecol');      $uuid = $entity->uuid();      $region = 'content';      $pluginConfiguration = [          'id' => 'field_block:node:article:body',          'provider' => 'layout_builder',          'label_display' => FALSE,          'view_mode' => 'default',          'entity' => $entity->id(),          'context_mapping' => [          ...








Read more










Code quality analysis of Drupal. Can I use Sonar?






-















   For better understanding:  https://docs.acquia.com/article/tools-analyzing-your-drupal-codebase   Following artcle my experience with Sonar and  Drupal.     https://docs.sonarqube.org/display/PLUG/SonarPHP has following number of rules.     Sonarway (for PHP) has following number of rules     1. Bug:15   2. Vulnerability:3   3. Code smell:45     Drupal has following number of rules   1. Bug: 3   2. Vulnerability: 0   3. Code smell: 10     Its possible that you can define following inheritance in Quality profile.     For example:   Sonarway=>Drupal     Drupal uses PHPCodeSniffer (Drupal standards) or Coder to verify its coding standards. Both of them dont have integration with Sonar.    3. Sonar comes up with some Drupal Coding Standards. But is is not same as what we do in PHPCodeSniffer and Coder.   4. It's still better to fix critical / blocker issues from Sonar Way and Drupal Quality profiles.   Its best to use PHPCodeSniffer with Drupal standards and  some repor...








Read more










Set up Drupal7 to Drupal8 migration in simple steps (using Drush)






-















  Step1:  Download Drupal8 and its dependencies using composer   Note:  Drush8 is needed for migrate_upgrade module to execute. migrate_upgrade is not working with Drush9.   >sudo composer create-project drupal-composer/drupal-project:~8.4 migrate843 --stability dev --no-interaction   This will install drush and drupal-console   Reference:  https://www.drupal.org/docs/develop/using-composer/using-composer-to-manage-drupal-site-dependencies   Step2:  Install Drupal using Drush   > sudo ../vendor/bin/drush site-install --db-url=mysql://username:password@host/dbname   Step3:  Enable migration related modules  drush en migrate  drush en migrate_drupal  drush en migrate_tools  drush en migrate_plus  drush en migrate_upgrade   Step4:  Now run the migration.  -- configure - only  option, which instead of running the migration will generate migration configuration entities, which may then be edited to customize the migration path and run using the  migrate_tools module   ...








Read more