[development] CCK per field CRUD settings, caching complexity
Adrian Rossouw
adrian at bryght.com
Mon May 29 12:34:54 UTC 2006
On 29 May 2006, at 2:18 PM, Bèr Kessels wrote:
>
>
> However, removing stuff by permission is *always* the wrong way around.
> It is opt-out security, which is close to "not security". If someone is
> not allowed to not see something, it should not even be considered
> loading. It should not be available. Anywhere.
If someone has access to enough of the code to be able to trick node_load
into not trimming the fields, they have enough access to get the stuff
directly out of the database, and you have far far more of a problem than
you thought.
--
Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com