
Drupal Gotcha: Watch out for $user during update.php

If you disable access-checking on your update.php, there’s no guarantee that the update script will run with the superuser as the active user. This can break update functions that delete nodes or otherwise depend on access permissions.

To fix this, temporarily assume the identity of the superuser in the update functions that need it:

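// Remember the current user so it can be restored afterwards.
global $user;
$old_user = $user;
// Become the superuser (uid 1) for the duration of the update.
$user = user_load(array('uid' => 1));
// Remember the session-saving flag, then turn saving off so the switched
// user is not written to the session.
$session = session_save_session();
session_save_session(FALSE);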

and then restore the old user afterwards:

// Restore the original user and the previous session-saving flag.
$user = $old_user;
session_save_session($session);
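
A complete update function built around the two snippets above, as an added example that is not from the original post. It assumes the Drupal 6 API and a module's .install file; `mymodule`, the update number 6001 and the `obsolete_type` content type are hypothetical.

```php
<?php
// Added example for a Drupal 6 mymodule.install file; mymodule, update number
// 6001 and the 'obsolete_type' content type are hypothetical.

/**
 * Switch to uid 1 without letting the switch reach the session table.
 * Returns the state needed by mymodule_restore_user().
 */
function mymodule_become_superuser() {
  global $user;
  $state = array(
    'user' => $user,
    'save_session' => session_save_session(),
  );
  // Disable session writes first, so the visitor who triggered update.php
  // never ends up with a uid 1 session if the request ends early.
  session_save_session(FALSE);
  $user = user_load(array('uid' => 1));
  return $state;
}

/**
 * Put back the original user and the previous session-saving flag.
 */
function mymodule_restore_user($state) {
  global $user;
  $user = $state['user'];
  session_save_session($state['save_session']);
}

/**
 * Delete every node of a retired content type.
 */
function mymodule_update_6001() {
  $ret = array();
  $state = mymodule_become_superuser();

  $deleted = 0;
  $result = db_query("SELECT nid FROM {node} WHERE type = '%s'", 'obsolete_type');
  while ($row = db_fetch_object($result)) {
    // node_delete() checks node_access('delete') against the global $user.
    node_delete($row->nid);
    $deleted++;
  }

  // Restore before returning so later updates in this run do not run as uid 1.
  mymodule_restore_user($state);

  $ret[] = array('success' => TRUE, 'query' => "Deleted $deleted nodes of type obsolete_type");
  return $ret;
}
```

Keeping the switch and the restore in a matched pair of helpers makes it harder to leave an update function with `$user` still set to uid 1.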
  • http://www.robloach.net Rob Loach

    Hey Sacha. I really loved your DrupalCon presentation!!!……… Considering this blog post, I think you’ll enjoy this Drupal.org issue:
    http://drupal.org/node/67234

  • http://rtfverterra.mathalino.com RTFVerterra

    I am not sure if this is connected to your post, but I don’t understand why Drupal was designed in such a way that user 1 can be deleted by another user with “user admin” privilege. I’ve been to this trouble, fortunately, it’s a dev site. Reinstall was my ultimate solution.

  • http://sachachua.com Sacha Chua

    Might be time to hack core? ;)

    You could also access the database directly and change your user’s UID to 1, if that works…

  • http://rtfverterra.mathalino.com RTFVerterra

    I am not comfortable in dealing with database tables. I am not a developer, my experiences with Drupal are mostly achieved by a trial-and-error approach. I can navigate through MySQL tables, but I never attempt to touch any record. Though I understand now the codes in page.tpl.php, my codes are all copy-pasted. :)
