Is there any way to configure a module *before* it's enabled?
I just turned on the path module. I noticed that as soon as it's turned on, anybody is able to create path aliases. It was easy enough to reconfigure it to only allow admins to do that, but for a short while (between the time I enabled it and got to configure it), it was open to anybody.
For this, it's no big deal, but in general, it seems like a bit of a security hole. There should be some way to enable the configuration of a module before it's really turned on. Or is there, and I'm just missing it?
I'm running drupal 5.7.
-- roy@panix.com
Quoting Roy Smith roy@panix.com:
Is there any way to configure a module *before* it's enabled?
I just turned on the path module. I noticed that as soon as it's turned on, anybody is able to create path aliases. It was easy enough to reconfigure it to only allow admins to do that, but for a short while (between the time I enabled it and got to configure it), it was open to anybody.
No, administration is turned off until it is allowed.
For this, it's no big deal, but in general, it seems like a bit of a security hole. There should be some way to enable the configuration of a module before it's really turned on. Or is there, and I'm just missing it?
I don't know why your experience is different. Again you have to specify the user has administration rights. The default is off. Perhaps path was installed before and not completely uninstalled leaving old access rows.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Hmmm. It could be that I was misinterpreting what I saw.
None of the checkboxes were checked. I've seen other modules where "none checked" means "everybody has permission" (for example, when you edit a view, it says, "Only the checked roles will be able to see this view in any form; if no roles are checked, access will not be restricted.") and I just assumed that was globally true. Was I hasty in that assumption?
On Mar 3, 2008, at 12:03 PM, Earnie Boyd wrote:
I don't know why your experience is different. Again you have to specify the user has administration rights. The default is off. Perhaps path was installed before and not completely uninstalled leaving old access rows.
-- roy@panix.com
Quoting Roy Smith roy@panix.com:
Hmmm. It could be that I was misinterpreting what I saw.
None of the checkboxes were checked. I've seen other modules where "none checked" means "everybody has permission" (for example, when you edit a view, it says, "Only the checked roles will be able to see this view in any form; if no roles are checked, access will not be restricted.") and I just assumed that was globally true. Was I hasty in that assumption?
There are two methods being used. You must check the Access and the other method such as is used by views says use the normal access check methods otherwise use the specified access roles.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Thank $Deity for Drupal Usability research!!!!!
Actual this is a touch semantic issue, as what is found in admin/user/ access, is referred to there, and by me and many others as permissions, which are somewhat different than view, or node specific access control.
admin/user/access Shouldn't be called "Access control" if you ask me. I think this is fixed somewhat in Drupal 6, if not at least changed some.
-Mike
On Mar 3, 2008, at 2:17 PM, Earnie Boyd wrote:
Quoting Roy Smith roy@panix.com:
Hmmm. It could be that I was misinterpreting what I saw.
None of the checkboxes were checked. I've seen other modules where "none checked" means "everybody has permission" (for example, when you edit a view, it says, "Only the checked roles will be able to see this view in any form; if no roles are checked, access will not be restricted.") and I just assumed that was globally true. Was I hasty in that assumption?
There are two methods being used. You must check the Access and the other method such as is used by views says use the normal access check methods otherwise use the specified access roles.
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
-- [ Drupal support list | http://lists.drupal.org/ ]
__________________ Michael Prasuhn mike@mikeyp.net http://mikeyp.net 949.200.7595 714.356.0168 cell 949.200.7670 fax
You could always install it on a separate instance of Drupal, configure it, and dump the relevant data from the variable table, upload it to the new site, before enabling it.
As to the access rules, I have no idea what happened other than Earnie's suggestion that it may have been previously installed.
-Mike
On Mar 3, 2008, at 8:39 AM, Roy Smith wrote:
Is there any way to configure a module *before* it's enabled?
I just turned on the path module. I noticed that as soon as it's turned on, anybody is able to create path aliases. It was easy enough to reconfigure it to only allow admins to do that, but for a short while (between the time I enabled it and got to configure it), it was open to anybody.
For this, it's no big deal, but in general, it seems like a bit of a security hole. There should be some way to enable the configuration of a module before it's really turned on. Or is there, and I'm just missing it?
I'm running drupal 5.7.
-- roy@panix.com
-- [ Drupal support list | http://lists.drupal.org/ ]
__________________ Michael Prasuhn mike@mikeyp.net http://mikeyp.net 949.200.7595 714.356.0168 cell 949.200.7670 fax
-
Earnie Boyd -
Michael Prasuhn -
Roy Smith