Drupal - Security check all site paths by role

Question

I'm writing this in the forlorn hope that someone has already done something similar. I would have posted on drupal.org - but that site is about as user-friendly as a kick in the tomatoes.

I don't know about you, but when I develop I leave all my Drupal paths with open access, and then think about locking them down with access permissions at the end.

What would be be really useful is a module which parses all the paths available (by basically deconstructing the contents of the menu_router table) and then trying them (curl?) in turn whilst logged-in as a given user with a given set of roles.

The output would be a simple html page saying which paths are accessible and which are not.

I'm almost resigned to doing this myself, but if anyone knows of anything vaguely similar I'd be more than grateful to hear about it.

Cheers

UPDATE
Following a great idea from Yorirou, I knocked together a simple module to provide the output I was looking for.

You can get the code here: http://github.com/hymanroth/Path-Lockdown

Answer 1

I did a bit of research and wasn't able to find anything. Though I'm inclined to think there is a way to check path access through Drupal API as opposed to CURL - but please keep me updated on your progress / let me know if you would like help developing. This would a great addition to the Drupal modules.

Answer 2

My first attempt would be a function like this:

function check_paths($uid) {
  global $user;
  $origuser = $user;
  $user = user_load($uid);

  $paths = array();
  foreach(array_keys(module_invoke_all('menu')) as $path) {
    $result = menu_execute_active_handler($path);
    if($result != MENU_ACCESS_DENIED && $result != MENU_NOT_FOUND) {
      $paths[$path] = TRUE;
    }
    else {
      $paths[$path] = FALSE;
    }
  }

  $user = $origuser;

  return $paths;
}

This is good for a first time, but it can't handle wildcard paths (% in the menu path). Loading all possible values can be an option, but it doesn't work in all cases. For instance, if you have %node for example, then you can use node_load, but if you have just %, then you have no idea what to load. Also, it is a common practice to omit the last argument, which is a variable, in order to correctly handle if no argument is given (eg. display all elements).

Also, it might be a good idea to integrate this solution with the Drupal's testing system.