Drupal: access permissions for php scripts ?

Question

hi,

I'm writing a custom php code in my Drupal website. I need to load the content of specific pages from PHP.

These pages are visible only for authenticated users, and it seems I cannot access them from php, even if I trigger the script when I'm logged in as user.

Is there a way to simulate "a logged in" user from php, so I have access to all the content of the website ?

update:

global $user;
if (user_access('access content')) {

require_once("dompdf/dompdf_config.inc.php");

$html = file_get_contents('http://mywebsite.com/admin/store/orders/45/invoice/print');


$dompdf = new DOMPDF();
$dompdf->load_html($html);

//$dompdf->load_html_file('invoices/' . $file);
$dompdf->render();
$dompdf->stream("sample.pdf");
}

I've tried with relative path and it is the same...

And this is with impersonating the admin user

//access as administrator
global $user;
$original_user = $user;
session_save_session(FALSE); 
$user = user_load(array('uid' => 1));

//generate pdf
require_once("dompdf/dompdf_config.inc.php");
$html = file_get_contents('http://mywebsite/admin/store/orders/45/invoice/print');
$dompdf = new DOMPDF();
$dompdf->load_html($html);
//$dompdf->load_html_file('invoices/' . $file);
$dompdf->render();
$dompdf->stream("sample.pdf");

//logout as administrator
$user = $original_user;
session_save_session(TRUE); 

Still I get access denied as resulting page (and generated pdf). thanks

Answer 1

The code to do so is:

<?php
if (user_access('access content')) {
  print "You have the permission 'access content'";
}
?>

Running code that circumvents the permission system might seem simple and easy, but is really a serious security hole.

However, since that is what you ask:

<?php
global $user;
if ($user->uid) {
  print "You are a registered user"
}
?>

But again, never use this as a replacement for permissions.

Answer 2

These pages are visible only for authenticated users, and it seems I cannot access them from php, even if I trigger the script when I'm logged in as user.

Drupal checks if the user has permission to view a node using the global variable $user. To do what you are trying to do, if you cannot trust that the currently logged in user have the permission to view the node you are interested in,you should read Safely Impersonating Another User.

I am not saying that you should be doing that. Before to impersonate another user, I would verify if the followed approach is the only possible one. In example, if you just need to access a field contained in a node, then you can use node_load(), which doesn't verify if the current user can view the loaded node. If you need to show the body of a node, you can use the following code:

$node = node_load($nid);
if ($node) {
  $body = check_markup($node->body, $node->format, FALSE);
}

Showing information for which the current user doesn't have access is considered a security issue, though.

Update:
The issue with your code is that you are using file_get_contents('http://mywebsite/admin/store/orders/45/invoice/print'); doing so, you are opening a new connection to the site, and the new connection is opened as anonymous user. That is the reason the node that authenticated users are able to see is not returned.

Even if the code would work, what you get is not the HTML to render the node only, but also the full page, including the blocks Drupal normally show on the top, and to the left / right sides. If you are interested in rendering a node, then you should use the following code (it's just a skeleton, and it's not complete):

// $nid is the node ID.
// Check the result, in the case the node has been deleted, or there are other errors.
$node = node_load($nid);
if ($node) {
  // The arguments tell the function that you don't want to render a teaser, that the node is
  // rendered as it is the only node in the page, and that you don't want the additional
  // links that are usually rendered after the node content.
  $html = node_view($node, FALSE, TRUE, FALSE);

  // This is your code.
  $dompdf = new DOMPDF();
  $dompdf->load_html($html);
  $dompdf->render();
  $dompdf->stream("sample.pdf");
}

Answer 3

About the updated code. Your file_get_contents will pull in the content as "anonymous user". That is just one reason why your code is a bad idea:

Whenever your code runs, it will open your own site and parse that code: resulting in at least two "Drupals" to be loaded: effectively at least two pageviews to show one page to a user. But many more problems with this approach are possible.

Instead, you should find the code/function that creates the page at http://mywebsite.com/admin/store/orders/45/invoice/print and use that as input for your PDF-creator.