29 May 2006, 2:34 p.m.
On 29 May 2006, at 2:18 PM, Bèr Kessels wrote:
> However, removing stuff by permission is *always* the wrong way around. It is opt-out security, which is close to "not security". If someone is not allowed to not see something, it should not even be considered loading. It should not be available. Anywhere.
If someone has access to enough of the code to be able to trick node_load into not trimming the fields, they have enough access to get the stuff directly out of the database, and you have far far more of a problem than you thought.

--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com
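The two loading strategies discussed in this thread, as an added example that is not part of either message and is not Drupal code: one loader fetches everything and trims by permission, the other selects only the fields the caller is allowed to read, and the difference shows when a new column appears that nobody registered. The schema, field names, permission strings and function names are all hypothetical and the data is constructed.

```python
import sqlite3

# Hypothetical field -> required permission map (allow-list for opt-in loading).
FIELD_PERMS = {"title": "access content", "body": "access content",
               "internal_notes": "administer nodes"}
# Hypothetical deny-list used by the load-then-trim (opt-out) loader.
RESTRICTED = {"internal_notes": "administer nodes"}

def make_db():
    """Build an in-memory table with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, "
               "body TEXT, internal_notes TEXT)")
    db.execute("INSERT INTO node VALUES (1, 'Hello', 'Public text', 'staff only')")
    return db

def load_opt_out(db, nid, perms):
    """Load every column, then trim the fields named on the deny-list."""
    row = dict(db.execute("SELECT * FROM node WHERE nid = ?", (nid,)).fetchone())
    for field, needed in RESTRICTED.items():
        if needed not in perms:
            row.pop(field, None)
    return row

def load_opt_in(db, nid, perms):
    """Select only the columns the caller is explicitly allowed to read."""
    cols = [f for f, needed in FIELD_PERMS.items() if needed in perms]
    if not cols:
        return {}
    # Column names come from the fixed FIELD_PERMS keys, never from user input.
    sql = "SELECT %s FROM node WHERE nid = ?" % ", ".join(cols)
    return dict(db.execute(sql, (nid,)).fetchone())

def add_unregistered_field(db):
    """Simulate a later schema change that no permission list knows about."""
    db.execute("ALTER TABLE node ADD COLUMN author_email TEXT")
    db.execute("UPDATE node SET author_email = 'a@example.org' WHERE nid = 1")

if __name__ == "__main__":
    db = make_db()
    add_unregistered_field(db)
    print("opt-out:", load_opt_out(db, 1, {"access content"}))
    print("opt-in: ", load_opt_in(db, 1, {"access content"}))
```
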