I have a JavaScript application that I start from a Drupal website. I need to save data from the JavaScript application to the server; only logged-in users can save data.
So I have made a custom PHP web service that handles requests from the JavaScript application. Within this web service I call drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION) and then inspect the $user object. Like this:
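```php
// Bootstrap Drupal only as far as the session phase so $user is populated.
drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
global $user;
// uid 0 is the anonymous user; any other value is a logged-in account.
$userid = isset($user) && isset($user->uid) ? $user->uid : 0;
return $userid;
```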
When I receive a valid userid I allow the user to save specific data for his account.
Is this a safe way to do it? Are there any security considerations I overlooked?
Extra background information:
I want a minimal solution, so the Services module is not what I am looking for.
I don't need to access Drupal content or functionality, just my own PHP functions to exchange data between the client and the server.
I don't need user login/authentication functionality in the JavaScript application. Login is done on the Drupal website. If the user is not logged in when using the JS application, he may still use it but cannot save data. This is enforced by the PHP code.