I'm building a site that gives each user a private home page with content they can see but others cannot. The callback in a _menu handler allows access if the user is the owner of the page and denies it otherwise; all is well there.
I've just revised that page so that its content is made up of a set of boxes instead of a big bag of code. The content comes together correctly, but with a problem: If user A looks at user B's private page, he gets an Access Denied page, as he should. However, the blocks are still invoked, and their content still ends up on the page, such that user A can see user B's private stuff. The page also does not get the usual "You are not authorized to access this page." message that typically shows up on an Access Denied page.
I'm at a total loss to understand why this is happening. I can keep the blocks from running by giving them some properly-designed "Show block on specific pages" functions, but there's still something happening that (a) doesn't seem right and (b) I don't understand. Together, this gives me a bad/funny feeling about what's happening with access control for the site, especially as in the way it relates to blocks. Can anybody offer any insight here? Thanks!
You should create an access callback function in your hook menu to do the access check. Else the user is allowed to see the content, even if you don't render anything. Since the blocks are not created through the menu callback they are rendered normally.
For reference, see: hook_menu
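As an added illustration of the answer above (example code written for this page, not taken from the question, the answer, or Drupal itself), the following hypothetical Drupal 7 module `mymodule` puts the ownership check in the menu router's `access callback` and then repeats the same check inside `hook_block_view()`. The block hook is the point that matters for the question: the block system renders blocks on its own, independently of whether the menu router allowed the page, so a block that does not check access for itself will leak its content even on the Access Denied page. Module name, path, and block delta are assumptions; the API calls (`hook_menu`, `hook_block_info`, `hook_block_view`, `menu_get_object`, `user_access`) are standard Drupal 7.

```php
<?php
// mymodule.module (hypothetical module; assumes the Drupal 7 API).

/**
 * Implements hook_menu().
 */
function mymodule_menu() {
  $items['user/%user/private'] = array(
    'title' => 'Private page',
    'page callback' => 'mymodule_private_page',
    'page arguments' => array(1),
    // The access callback decides whether the page callback runs at all.
    // If it returns FALSE the router serves the 403 page instead.
    'access callback' => 'mymodule_private_page_access',
    'access arguments' => array(1),
  );
  return $items;
}

/**
 * Access callback: only the owner of the page (or an administrator) may view it.
 * Kept in one function so the menu router and the block use identical logic.
 */
function mymodule_private_page_access($account) {
  global $user;
  if (!$account || $account->uid == 0) {
    return FALSE;
  }
  return ($user->uid == $account->uid) || user_access('administer users');
}

/**
 * Page callback for the private page.
 */
function mymodule_private_page($account) {
  return array(
    '#markup' => t('Private content for @name', array('@name' => $account->name)),
  );
}

/**
 * Implements hook_block_info().
 */
function mymodule_block_info() {
  $blocks['private_box'] = array(
    'info' => t('Private page box'),
  );
  return $blocks;
}

/**
 * Implements hook_block_view().
 *
 * Blocks are built by the block system, not by the menu callback, so a
 * denied page request does not stop this hook from running. The block
 * therefore re-checks ownership and returns nothing when the check fails,
 * which keeps the other user's data off the Access Denied page.
 */
function mymodule_block_view($delta = '') {
  $block = array();
  if ($delta == 'private_box') {
    // Loads the user object from position 1 of the current router path
    // (the %user wildcard); NULL when the current path has no such object.
    $account = menu_get_object('user', 1);
    if ($account && mymodule_private_page_access($account)) {
      $block['subject'] = t('Private box');
      $block['content'] = array(
        '#markup' => t('Box content for @name', array('@name' => $account->name)),
      );
    }
  }
  return $block;
}
```

The "Show block on specific pages" visibility setting mentioned in the question only controls which paths the block appears on; it does not know who owns the page, so the per-user check still has to live in the block's own code as above.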