Geekly Articles each Day
📜 ⬆️ ⬇️

Secure code in Drupal: Cross-site request forgery



(P2. Work with the database ; P3. Work with user input )

The reason for writing this article was the finding of my vulnerability in one fairly well-known module. Since, according to the rules for detecting vulnerabilities , I still have no right to talk about the details, I’ll tell you about vulnerabilities in general terms, as well as about how to deal with them.
')
So, cross-site request forgery (eng. ross Site Request Forgery, or CSRF for short): what it is and what it is eaten with.

CSRF is a type of attack on website visitors that uses the disadvantages of the HTTP protocol. If the victim enters the site created by the attacker, a request is secretly sent to another server (for example, to the payment system server), performing some kind of malicious operation (for example, transferring money to the attacker's account). To carry out this attack, the victim must be authorized on the server to which the request is sent, and this request should not require any confirmation from the user.

This type of attack, contrary to popular misconception, appeared quite a long time ago: the first theoretical discourse appeared in 1988, and the first vulnerabilities were discovered in 2000.

One of the applications of the CSRF is the operation of passive XSS detected on another server. It is also possible to send spam on behalf of the victim and change any account settings on other sites (for example, a secret question for password recovery).

Living example



For example, we need to make a small module that should remove nodes from the Ajax. This can be realized by the service reference of the node, when clicked, the Ajax request is sent to the Drupal path. A handler is attached to this path, which deletes the node. That's about this module and everything is done:

node_destroy.module


  1. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  2. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  3. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  4. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  5. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  6. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  7. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  8. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  9. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  10. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  11. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  13. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  14. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  15. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  16. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  17. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  18. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  19. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  20. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  21. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  22. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  23. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  24. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  26. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  27. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  28. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  29. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  30. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  31. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  32. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  33. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  34. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  35. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  37. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  38. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  39. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  40. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  41. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  42. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  43. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  44. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  45. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }
  46. /** * hook_menu(). . */ function node_destroy_menu() { $menu [ 'node/%node/destroy' ] = array ( 'page_callback' => 'node_destroy' , 'page_arguments' => array (1), 'access_arguments' => array ( 'administer nodes' ), 'type' => MENU_CALLBACK, ); } /** * . */ function node_destroy( $node ) { if ( $node ->nid) { node_delete( $node ->nid); print ( 'SUCCESS' ); } // , // exit (); } /** * hook_link(). . */ function node_destroy_link( $type , $node = NULL, $teaser = FALSE) { switch ( $type ) { case 'node' : // , , // , $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js( $path . '/node_destroy.js' ); // , $links [ 'node_destroy' ] = array ( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array ( 'class' => 'node_destroy_link' ), ); break ; } return $links ; }


node_destroy.js


  1. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  2. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  3. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  4. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  5. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  6. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  7. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  8. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  9. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  10. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  11. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  12. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  13. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  14. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  15. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  16. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  17. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  18. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }
  19. // // $(document).ready(function() { ... }) Drupal.behaviors.node_destroy = function (context) { // . // . . $( '.node_destroy_link:not(.processed)' , context).addClass( 'processed' ).click( function (){ href = $( this ).attr( 'href' ); $.ajax({ type: "GET" , url: href, success: function (result){ // SUCCESS , if (result != 'SUCCESS' ) { alert( 'Error' ); } } }); }); }


And everything would be fine, but one sunny day, an evil troll comes to the site ... Or a more vital situation - an embittered former employee comes to the site and tries to break it. Remembering the old experience, he tries to go to site.ru/node/123/destroy site.ru/node/123/destroy , but receives a turn from the gate, since it no longer has the right to delete materials.

And here, in a fit of destructive creative, he creates a node with the following content:
<img src="http://site.ru/node/123/destroy" />

What happens at this moment? Naturally, no picture will be loaded, but the troll browser will execute a request for this path with the same result.

Resigned to failure, the troll leaves the site. A day later, the site administrator notices this garbage node, enters it and deletes it. And having returned to the list of materials, he does not find in it a node with 123 123. The attack was a success. A curtain.

For those who do not understand, when the administrator went to the node, his browser also rushed to the image link. But there was already enough access rights, and the node was successfully deleted, and the admin did not even notice anything.


How to avoid CSRF vulnerabilities?



The answer is to use unique links for data modification actions. How is this possible? Drupal uses the method of tokenization of links. This means that a unique parameter is added to the active link, which is checked during the execution of the action itself. In drupal, you can generate such a parameter using the drupal_get_token () function. Check - drupal_valid_token () . The token is generated based on the value supplied, the user session, and the site's private key, which practically reduces to zero the probability of the pest generating a correct token.

We will make changes to our module. Let's start with setting the correct link:

  1. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  2. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  3. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  4. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  5. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  7. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  8. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  9. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  10. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  11. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  12. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  13. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  14. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  15. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  16. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  17. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
  18. function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }
function node_destroy_link($type, $node = NULL, $teaser = FALSE) { switch ($type) { case 'node' : $path = drupal_get_path( 'module' , 'node_destroy' ); drupal_add_js($path . '/node_destroy.js' ); $links[ 'node_destroy' ] = array( 'title' => t( 'Destroy node' ), 'href' => "node/$node->nid/destroy" , 'attributes' => array( 'class' => 'node_destroy_link' ), // query — GET , .. // token 'query' => 'token=' . drupal_get_token( 'node_destroy_' . $node->nid) ); break ; } return $links; }


As you remember, we send an Ajax request to the address that is sewn into the link, so in the callback we can only check $_GET standard way.

  1. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }
  2. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }
  3. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }
  4. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }
  5. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }
  6. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }
  7. function node_destroy( $node ) { if ( $node ->nid && isset ( $_GET [ 'token' ]) && drupal_valid_token( $_GET [ 'token' ], 'node_destroy_' . $node ->nid)) { node_delete( $node ->nid); print ( 'SUCCESS' ); } exit (); }


via DrupalDance: Cross-site request forgery

Source: https://habr.com/ru/post/52132/

More articles:


All Articles