Hi, I can no longer allow anyone on my network (nor would I advice anyone to do so) to "administer" blocks. The result is "no sorry Mr Client, you cannot change that link in that block, only I can". The reason is simple: PHP input. It is too late, sorry for that, but I only realize this now[1]. allowing users to paste PHP is a security issue, a severe one. I see a few solutions. And I think we should consider adding them to drupal before 4.7. A patch is not too hard, the consensus is. I think. * Add a new permission: moderate blocks (people can only change the content of the blocks) * Remove the "show it here and there" alltoghether and leave it to the themes (my favorite) to choose where, when and how to display blocks. * Limit the allowed PHP. this, i fear is a very, very hard one. One that will render php mode unusable too. * Only show (and save!!) the phpmode option for uid 1. I dislike this, because I prefer to do nothing with uid1. I for one, will certainly not -ever- allow my users to add php, (wich allows them to hack the complete server, with some creativity) Bèr [1] http://www.webschuur.com/node/409