[development] security: people can no longer "administer" blocks.

Theodore Serbinski tss24 at cornell.edu
Thu Jan 5 22:17:05 UTC 2006


I agree with the new permission. Only certain privileged users should
ever have the ability to set a block's visibility with PHP code. This is
the same way the filters work with PHP code: only certain roles may
ever enter PHP code.

We need this change for consistency and to allow site admins to
properly hand out roles without fear of the site being wrongly hacked
or messed up.

ted

On 1/5/06, Karoly Negyesi <karoly at negyesi.net> wrote:
> What if we added a permission, or misused an existing one (administer
> filters), and simply did not show the radio and the textarea in question
> to 'lesser admins'? Block configure is under the new submit model, so we
> can simply put in 'value' type fields and be done.
>
> Amount of code to be written: one if, and two new form elements. 11 simple
> lines if I counted right.
>

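The approach proposed in the quoted message, as an added sketch that is not part of the original thread and is not Drupal's code: editable fields are swapped for server-side 'value' elements when the user lacks the permission, so a forged submission cannot change the stored PHP visibility setting. The function names, the `$may_use_php` flag (standing in for a permission check) and the sample data are all hypothetical.

```php
<?php
// Added illustration; function and key names are hypothetical, not Drupal's.

// Build the visibility part of the block form. $may_use_php stands in for
// a permission check on the current user; $block holds the stored settings.
function build_visibility_form(array $block, bool $may_use_php): array {
  if ($may_use_php) {
    // Privileged admins get the editable radio and textarea.
    return [
      'visibility' => ['#type' => 'radios',   '#default_value' => $block['visibility']],
      'pages'      => ['#type' => 'textarea', '#default_value' => $block['pages']],
    ];
  }
  // Lesser admins: nothing is rendered; the stored values are carried
  // server-side as 'value' elements.
  return [
    'visibility' => ['#type' => 'value', '#value' => $block['visibility']],
    'pages'      => ['#type' => 'value', '#value' => $block['pages']],
  ];
}

// Resolve the values to save. A 'value' element always yields the
// server-side value, so a forged POST field cannot override it.
function resolve_values(array $form, array $post): array {
  $out = [];
  foreach ($form as $name => $el) {
    if ($el['#type'] === 'value') {
      $out[$name] = $el['#value'];
    } else {
      $out[$name] = $post[$name] ?? $el['#default_value'];
    }
  }
  return $out;
}

// Constructed sample: a block whose visibility is decided by PHP code.
$stored = ['visibility' => 'php', 'pages' => 'return TRUE;'];
// Constructed forged submission from a user without the permission.
$forged = ['visibility' => 'php', 'pages' => 'return forged_code();'];

// Lesser admin: the forged 'pages' value is ignored, stored value is kept.
var_export(resolve_values(build_visibility_form($stored, false), $forged));
// Privileged admin: the submitted value is accepted.
var_export(resolve_values(build_visibility_form($stored, true), $forged));
```

The check that matters is in the submit path: hiding the radio and textarea alone would still let a hand-crafted POST set the PHP code.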