The verifications

The right author

Most SPIP actions verify only that the current author is indeed the one who clicked the link that triggered the action. This is done with:

// charger_fonction() loads inc/securiser_action.php and returns the name of the function to call
$securiser_action = charger_fonction('securiser_action', 'inc');
// kills the script if the check fails, otherwise returns the argument carried by the action link
$arg = $securiser_action();

The security function kills the script if the current author is not the one who requested the action; otherwise it returns the requested argument (here in $arg).

The right argument

Then, generally speaking, the $arg value received is checked for conformance with what was expected. It often takes the form "id_object", sometimes "object/id_object", or something more complex such as date elements:

// accept only: optional non-word prefix, a numeric id, one separator, then a word
if (!preg_match(",^\W*(\d+)\W(\w*)$,", $arg, $r)) {
	spip_log("action_dater_dist $arg pas compris"); // "not understood": log it and stop
	return;
}

And authorisation

Some actions also verify that the author is actually authorised to execute that action (in general this authorisation has already been checked earlier: the link that fires the action is normally not displayed if the author lacks the appropriate rights). For example, checking whether the current author has the right to moderate the forum of the given article:

if (!autoriser('modererforum', 'article', $id_article))
	return;
// which could also be written with a debug-type message:
if (!autoriser('modererforum', 'article', $id_article)) {
	include_spip('inc/minipres');   // minipres() renders a minimal error page
	minipres('Moderation', "You do not have the rights to manage moderations on the forum for this article");
	exit;
}
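The first two checks above ("The right author" and "The right argument") in one self-contained script, as an added example that is not SPIP's own code: calculer_jeton(), securiser_action_demo() and verifier_arg_dater() are hypothetical, the HMAC token is a constructed substitute for the way SPIP really derives its action hash, and the autoriser() step is not reproduced because it needs the SPIP runtime.

```php
<?php
// Added example, not SPIP's own code. A simplified stand-in for the check
// securiser_action() performs: the action link carries a token bound to the
// author, the action and its argument with a server-side secret, so a link
// replayed by another author, or with an edited argument, is refused.
// SPIP's real implementation derives the token differently; the HMAC and the
// secret below are constructed substitutes.

const SITE_SECRET = 'constructed-sample-secret';

// Token an action link would carry (hypothetical helper, not SPIP's API).
function calculer_jeton(int $id_auteur, string $action, string $arg): string
{
    return hash_hmac('sha256', "$id_auteur-$action-$arg", SITE_SECRET);
}

// Mirrors securiser_action(): return $arg only when the token matches the
// *current* author, action and argument; null stands for "script killed".
function securiser_action_demo(int $id_auteur, string $action, string $arg, string $hash): ?string
{
    $attendu = calculer_jeton($id_auteur, $action, $arg);
    return hash_equals($attendu, $hash) ? $arg : null;
}

// The page's own argument check for the "dater" action: digits, a separator,
// then a word; anything else is refused before it reaches the database.
function verifier_arg_dater(string $arg): ?array
{
    if (!preg_match(",^\W*(\d+)\W(\w*)$,", $arg, $r)) {
        return null;
    }
    return ['id_objet' => (int) $r[1], 'statut' => $r[2]];
}

// Constructed scenario: author 3 received a link for action "dater" on "12-publie".
$lien = ['action' => 'dater', 'arg' => '12-publie'];
$lien['hash'] = calculer_jeton(3, $lien['action'], $lien['arg']);

$cas = [
    'same author follows the link'      => securiser_action_demo(3, 'dater', '12-publie', $lien['hash']) === '12-publie',
    'author 4 replays the same link'    => securiser_action_demo(4, 'dater', '12-publie', $lien['hash']) === null,
    'argument edited to another object' => securiser_action_demo(3, 'dater', '99-publie', $lien['hash']) === null,
    'well-formed argument parsed'       => verifier_arg_dater('12-publie') === ['id_objet' => 12, 'statut' => 'publie'],
    'malformed argument refused'        => verifier_arg_dater('12,x,y') === null,
];
foreach ($cas as $libelle => $ok) {
    echo str_pad($libelle, 36), $ok ? 'as expected' : 'UNEXPECTED', PHP_EOL;
}
```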

Author: Mark Baber. Updated: 12/03/23