[support] Locking down drupal for use by multiple (semi-)untrusted administrators
Susan Stewart
HedgeMage at binaryredneck.net
Wed Nov 21 20:02:25 UTC 2007
Hugo Mills wrote:
<snip>
> 1) Themes.
>
> From my limited investigation so far, it seems that Drupal themes
> are basically PHP. Allowing users to upload themes directly is
> therefore a no-no. Is there a non-executable type of theme that we can
> support direct uploads for safely, or will all uploaded themes have to
> be audited before we allow them up? How flexible would the system be
> if we were to prevent theme uploads completely?
<snip>
I'd say that 80% of the themes I develop are Zen-based themes for which
I only write new CSS. That's one way you could go -- pick a few good
base themes and allow users to upload CSS-only subthemes.
IIRC, there is no PHP in Smarty themes -- the Smarty engine isn't used
much any more, but I think it is still available for Drupal
Susan
More information about the support
mailing list