Closed ericras closed 4 years ago
I've got some code close to committing for this issue that uses hook_entity_form_display_alter() and hook_form_alter().
unl_menu only allows nodes to be linked. External links and unrouted URLs are disallowed. Leading slashes are automatically added. If a node doesn't exist, then it'll fail validation.
Let's say that a node with nid = 1 exists and there is no node with nid = 2.
The following should pass:
/node/1
node/1 (automatically rewritten as /node/1)
<front>
The following should fail:
/sites/default/files/document.pdf
sites/default/files/document.pdf
/node/2
node/2
http://google.com
This is really cool.
I think the big issue is that it only allows nodes to be linked. I think we want Views, Webforms, Taxonomy pages, etc. to be allowed too. Really, anything that is a valid internal path should be allowed.
I think we should implement a whitelist of permissible routes.
Re Webforms, I don't think we should expose them directly to the public. The path will be inconsistent with the content hierarchy. http://example.com/form/schedule-a-tour vs http://example.com/visit/schedule-a-tour.
So far, aside from webforms, we have taxonomy terms and views. Anything else come to mind? We can always add routes in the future.
I would lean to allowing everything and blacklisting something if needed. (That shouldn't really be needed anyway since if a user doesn't have access to something it doesn't show anyway.)
Regarding webforms: People are going to want to put those in the menu. There's the "Webform URL alias" setting - doesn't that allow you to set the form path to "/visit/schedule-a-tour"?
Per discussion, the unl_menu module has been changed from a whitelist to a blacklist model for internal routes. External URLs and unrouted paths continue to be invalid in all instances.
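A stand-alone model of the rules discussed in this thread, added here as an example and not taken from the unl_menu code: external URLs and unrouted paths are always rejected, a leading slash is added, and routed internal paths pass unless their route is on a deny list. The route table, the existing node and term ids, and the `example.denied` route are constructed for illustration; the backslash and protocol-relative checks go beyond the cases listed in the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the site's router: (path pattern, route name).
ROUTES = [
    (re.compile(r"/node/([0-9]+)"), "entity.node.canonical"),
    (re.compile(r"/taxonomy/term/([0-9]+)"), "entity.taxonomy_term.canonical"),
    (re.compile(r"/example/denied"), "example.denied"),  # hypothetical route
]
# Constructed content: node 1 exists, node 2 does not (as in the thread).
EXISTING = {"entity.node.canonical": {1}, "entity.taxonomy_term.canonical": {5}}
# Deny list of internal routes; the entry is a placeholder, not unl_menu's list.
DENIED_ROUTES = {"example.denied"}


def validate_menu_link(value):
    """Return (ok, detail): the normalized path on success, else the reason."""
    value = value.strip()
    if value == "<front>":
        return True, "<front>"
    if "\\" in value:
        # Browsers may treat a backslash as a slash, so refuse it outright.
        return False, "backslash in path"
    try:
        parts = urlsplit(value)
    except ValueError:
        return False, "malformed URL"
    # Any scheme or host (including protocol-relative //host) is external.
    if parts.scheme or parts.netloc:
        return False, "external URL"
    # The leading slash is added automatically; this model drops query/fragment.
    path = "/" + parts.path.lstrip("/")
    for pattern, route in ROUTES:
        match = pattern.fullmatch(path)
        if not match:
            continue
        if route in DENIED_ROUTES:
            return False, "route is on the deny list"
        ids = match.groups()
        if ids and int(ids[0]) not in EXISTING.get(route, set()):
            return False, "target does not exist"
        return True, path
    # Files under /sites/default/files and similar paths match no route.
    return False, "unrouted path"
```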
The error message change in 9345e7b missed a second place a few lines up where 'Only nodes and the front page ("
After that, it can be merged.