Pitfalls
Menu access, a new pitfall when going back to Drupal 5
Heine — Mon, 25/05/2009 - 12:56
If you spend a lot of time exclusively in one Drupal version, you develop muscle memory for its API. This can be pretty dangerous as I caught myself writing the following menu item while backporting a Drupal 6 module.
$items[] = array(
  'path' => 'admin/settings/foo',
  // Drupal 6 habit: an array where Drupal 5 expects a boolean.
  'access' => array('administer foo'),
  // ...
);
Note the array('administer foo') instead of user_access('administer foo'). As non-empty arrays evaluate to TRUE in non-strict comparisons, this is equivalent to 'access' => TRUE, granting access to all users.
Because I do not believe in the "Found a bug? Blog about it!"-approach to bugfixing, I filed #472160, but still wanted to share.
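The difference between the two forms, plus a check that flags the mistake, as an added example that is not code from the original post or from Drupal. The user_access() stand-in, its permission list, the helper name foo_audit_menu_access() and the 'admin/settings/foo/fixed' path are assumptions made so the snippet runs outside Drupal.

```php
<?php
// Stand-in for Drupal's user_access(); the permission list is constructed
// for this demo and represents a user without 'administer foo'.
function user_access($perm) {
  $granted = array('access content');
  return in_array($perm, $granted, TRUE);
}

// Hypothetical audit helper: returns path => type for every menu item whose
// 'access' value is not a real boolean. Drupal 5 expects 'access' to hold
// the already-computed result, so any other type deserves a second look.
function foo_audit_menu_access(array $items) {
  $suspect = array();
  foreach ($items as $item) {
    $path = isset($item['path']) ? $item['path'] : '(no path)';
    if (array_key_exists('access', $item) && !is_bool($item['access'])) {
      $suspect[$path] = gettype($item['access']);
    }
  }
  return $suspect;
}

$items = array();
// The backporting mistake from the post: a non-empty array is truthy.
$items[] = array(
  'path' => 'admin/settings/foo',
  'access' => array('administer foo'),
);
// Drupal 5 form: the boolean returned by user_access().
$items[] = array(
  'path' => 'admin/settings/foo/fixed',  // constructed path for comparison
  'access' => user_access('administer foo'),
);

// Mimic a non-strict truthiness test on 'access' for the unprivileged user.
foreach ($items as $item) {
  printf("%-26s %s\n", $item['path'], $item['access'] ? 'GRANTED' : 'denied');
}

// List the items that need review.
foreach (foo_audit_menu_access($items) as $path => $type) {
  print "Review $path: 'access' is of type $type, expected boolean\n";
}
```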
Access denied - Are you sure?
Heine — Fri, 21/03/2008 - 05:23
It is surely not my intention to discuss each and every security announcement, but the recent Live announcement (SA-2008-021) deserves to get some attention as this particular drupal_access_denied & drupal_not_found pitfall affects you too, especially when you are converting "arrow code" to use guard clauses.