security: people can no longer "administer" blocks.
Hi,

I can no longer allow anyone on my network (nor would I advise anyone to do so) to "administer" blocks. The result is "no sorry Mr Client, you cannot change that link in that block, only I can". The reason is simple: PHP input. It is too late, sorry for that, but I only realize this now[1]. Allowing users to paste PHP is a security issue, a severe one.

I see a few solutions. And I think we should consider adding them to Drupal before 4.7. A patch is not too hard, the consensus is, I think.

* Add a new permission: moderate blocks (people can only change the content of the blocks)
* Remove the "show it here and there" altogether and leave it to the themes (my favorite) to choose where, when and how to display blocks.
* Limit the allowed PHP. This, I fear, is a very, very hard one. One that will render PHP mode unusable too.
* Only show (and save!!) the PHP mode option for uid 1. I dislike this, because I prefer to do nothing with uid 1.

I for one will certainly not -ever- allow my users to add PHP (which allows them to hack the complete server, with some creativity).

Bèr

[1] http://www.webschuur.com/node/409
Bèr Kessels wrote:
The reason is simple: PHP input. It is too late, sorry for that, but I only realize this now[1]. Allowing users to paste PHP is a security issue, a severe one.

I assume this is the PHP associated with block visibility. I'd definitely like to see that go away. I might have a chance to code up my ideas after 4.7 is out, but I'm not going to touch it until then.

--
Neil Drumm
http://delocalizedham.com/
What if we added a permission, or misused an existing one ('administer filters'), and simply did not show the radio and the textarea in question to 'lesser admins'? Block configure is under the new submit model, so we can simply put in 'value' type fields and be done. Amount of code to be written: one if and two new form elements. 11 simple lines, if I counted right.
I agree with the new permission. Only certain privileged users should ever have the ability to set a block's visibility with PHP code. This is the same way the filters work with PHP code: only certain roles may ever enter PHP code. We need this change for consistency and to allow site admins to properly hand out roles without fear of the site being wrongly hacked or messed up.

ted

On 1/5/06, Karoly Negyesi <karoly@negyesi.net> wrote:
What if we added a permission, or misused an existing one ('administer filters'), and simply did not show the radio and the textarea in question to 'lesser admins'? Block configure is under the new submit model, so we can simply put in 'value' type fields and be done.
Amount of code to be written: one if and two new form elements. 11 simple lines, if I counted right.
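To make the "one if and two 'value' type fields" sketch from Karoly's message concrete, here is an added example in Drupal 4.7 form API style. It is not code from this thread and not Drupal's own block.module; the permission name `use PHP for block visibility`, the field names `custom` and `pages` under `page_vis_settings`, the visibility value `2` meaning "pages holds PHP code", and the function name are all assumptions made for the illustration and may differ from the real module. The security point it shows is the one Bèr flagged with "(and save!!)": hiding the widget is not enough, the server side must refuse the PHP option from a lesser admin even if it arrives in a crafted POST.

```php
<?php
// Added example, not the thread's or Drupal's own code.
// Assumptions (hypothetical, modelled on the Drupal 4.7 form API):
//   - a permission named 'use PHP for block visibility';
//   - $edit['visibility'] is 0, 1 or 2, where 2 means "$edit['pages'] is PHP";
//   - the submit handler reads $form_values['custom'] and $form_values['pages'].

define('EXAMPLE_BLOCK_VIS_PHP', 2);   // hypothetical: mode in which 'pages' is eval'd

function example_block_visibility_form($edit) {
  $form = array();
  $form['page_vis_settings'] = array(
    '#type' => 'fieldset',
    '#title' => t('Page specific visibility settings'),
  );

  // Options offered to every block administrator: no PHP involved.
  $options = array(
    t('Show on every page except the listed pages.'),
    t('Show on only the listed pages.'),
  );
  $description = t("Enter one page per line as Drupal paths. The '*' character is a wildcard.");

  if (user_access('use PHP for block visibility')) {
    // Privileged role only: the PHP choice and its free-form textarea are offered.
    $options[EXAMPLE_BLOCK_VIS_PHP] = t('Show if the following PHP code returns TRUE.');
    $description .= ' ' . t('If the PHP option is chosen, enter PHP code between <?php ?>.');
  }
  elseif ($edit['visibility'] == EXAMPLE_BLOCK_VIS_PHP) {
    // A lesser admin editing a block that already uses PHP. Merely not rendering
    // the widgets would still let a hand-crafted POST submit custom=2 plus new
    // 'pages' content. '#type' => 'value' elements ignore user input entirely and
    // pass the stored settings through to the submit handler unchanged.
    $form['page_vis_settings']['custom'] = array('#type' => 'value', '#value' => $edit['visibility']);
    $form['page_vis_settings']['pages']  = array('#type' => 'value', '#value' => $edit['pages']);
    $form['page_vis_settings']['note'] = array(
      '#type' => 'markup',
      '#value' => '<p>' . t('This block uses PHP for its visibility; only a user with the appropriate permission can change that.') . '</p>',
    );
    return $form;
  }

  // The form API validates a radios value against #options, so a lesser admin
  // cannot smuggle in the PHP mode (2): it is simply not among the options.
  $form['page_vis_settings']['custom'] = array(
    '#type' => 'radios',
    '#title' => t('Show block on specific pages'),
    '#options' => $options,
    '#default_value' => $edit['visibility'],
  );
  $form['page_vis_settings']['pages'] = array(
    '#type' => 'textarea',
    '#title' => t('Pages'),
    '#default_value' => $edit['pages'],
    '#description' => $description,
  );
  return $form;
}
```

The two branches that matter are the `elseif` (freeze a block that already uses PHP so a lesser admin can neither read-modify-write the code nor silently switch it off) and the restricted `$options` array (a lesser admin never gets value 2 accepted). Both checks live in the form definition that the submit path is built from, so they hold regardless of what the browser sends; a client-side hide alone would not.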
On 05 Jan 2006, at 22:40, Bèr Kessels wrote:
* Add a new permission: moderate blocks (people can only change the content of the blocks)
* Remove the "show it here and there" altogether and leave it to the themes (my favorite) to choose where, when and how to display blocks.
* Limit the allowed PHP. This, I fear, is a very, very hard one. One that will render PHP mode unusable too.
* Only show (and save!!) the PHP mode option for uid 1. I dislike this, because I prefer to do nothing with uid 1.

Rather than adding permissions, we should use the filter system. Just add input formats to the block creation screen.

--
Dries Buytaert :: http://www.buytaert.net/
participants (5)
Bèr Kessels
Dries Buytaert
Karoly Negyesi
Neil Drumm
Theodore Serbinski