The right author
Most SPIP actions verify only that the author executing the action is the one for whom the action link was generated: the link carries a hash computed from the action name, its argument and a secret tied to the current author, so a URL cannot be forged from scratch or replayed under another account. This is done with:
// load inc/securiser_action.php and check action, arg and hash from the request
$securiser_action = charger_fonction('securiser_action', 'inc');
$arg = $securiser_action(); // only returns if the hash matches the current author
The security function stops the script with an access-denied page if the hash does not match the current author; otherwise it returns the requested argument (here stored in $arg). Nothing that follows should touch the request's arg directly: the value handed back by this call is the only one that has been authenticated.
The right argument
Then, generally speaking, the $arg variable received is checked against the form that was expected before it is used. It is often just "id_object", sometimes "object/id_object", or something more complex such as the elements of a date (the example below is taken from the action that dates an object, hence the log message):
// anchored pattern: a number, one non-word separator, then an optional word;
// anything else is logged and the action does nothing
if (!preg_match(",^\W*(\d+)\W(\w*)$,", $arg, $r)) {
    spip_log("action_dater_dist $arg pas compris");
    return;
}
And authorisation
Some actions also verify that the author is actually allowed to execute that action. In general this has already been decided upstream, since the link that fires the action is normally not displayed to an author without the appropriate rights, but a hidden link is a convenience of the interface, not a control: securiser_action proves who is acting, not that they may act, so the action itself must ask. For example, checking that the current author has the right to moderate the forum of the given article:
if (!autoriser('modererforum', 'article', $id_article))
    return;

// or, to show the author an explicit error page instead of returning silently:
if (!autoriser('modererforum', 'article', $id_article)) {
    include_spip('inc/minipres');
    minipres('Moderation', "You do not have the rights to manage moderations on the forum for this article");
    exit;
}
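The three checks above are steps of one procedure, so here they are assembled into one complete action file. This is an added example written for this page, not code from SPIP itself: the action name demo_moderer, the file action/demo_moderer.php, the "article/id" argument form, the helper names and the final database update are all assumptions made for the illustration. The function that produces the link is shown as well, because the hash it embeds is what securiser_action later verifies.

```php
<?php
// Assumed file: action/demo_moderer.php. SPIP dispatches
// ?action=demo_moderer&arg=...&hash=... to action_demo_moderer_dist().
// Example code for this page, not SPIP's own action.

if (!defined('_ECRIRE_INC_VERSION')) {
    return;
}

include_spip('inc/autoriser');
include_spip('inc/actions');

/**
 * Parse the action argument. Accepts "12" or "article/12" and returns
 * array('article', 12); returns false for anything else, so the caller
 * never works with a string it has not recognised. (Assumed format.)
 */
function demo_moderer_lire_arg($arg) {
    // Anchored pattern, captured groups only, same style as SPIP's actions.
    if (!preg_match(',^(?:(article)/)?(\d+)$,', (string) $arg, $r)) {
        return false;
    }
    return array('article', (int) $r[2]);
}

/**
 * Produce the link that fires the action (assumed helper for a page or
 * template). The URL carries a hash bound to the current author and to
 * "demo_moderer-article/<id>", so it cannot be reused by another account.
 */
function demo_moderer_lien($id_article, $redirect = '') {
    if (!autoriser('modererforum', 'article', $id_article)) {
        return ''; // hide the link; the action re-checks regardless
    }
    return generer_action_auteur('demo_moderer', "article/$id_article", $redirect);
}

function action_demo_moderer_dist($arg = null) {
    // 1. The right author. When called without an argument (the normal
    //    ?action=... request) the hash in the URL is checked against the
    //    current author's secret plus action name and argument; on mismatch
    //    the script stops with an access-denied page and never returns here.
    if (is_null($arg)) {
        $securiser_action = charger_fonction('securiser_action', 'inc');
        $arg = $securiser_action();
    }

    // 2. The right argument. Do not touch $arg before it has matched the
    //    expected shape; log and return rather than guess.
    $lu = demo_moderer_lire_arg($arg);
    if (!$lu) {
        spip_log("action_demo_moderer_dist $arg pas compris", 'demo_moderer');
        return;
    }
    list($objet, $id_objet) = $lu;

    // 3. Authorisation. The hash only proves WHO is acting; whether the
    //    link was visible in the interface proves nothing. This is the check.
    if (!autoriser('modererforum', $objet, $id_objet)) {
        include_spip('inc/minipres');
        minipres('Moderation', "You do not have the rights to moderate the forum of $objet $id_objet");
        exit;
    }

    // Only now is it safe to act on the object. The effect is assumed for
    // the example: switch the article's forum to moderated-before-publication.
    sql_updateq('spip_articles', array('accepter_forum' => 'mod'), 'id_article=' . intval($id_objet));
}
```

Keeping the order author, argument, authorisation matters: the argument is parsed only after it has been authenticated, and the authorisation query is run only on an identifier that has been parsed to an integer, so neither the log line nor the database ever sees raw request data.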