[development] CCK per field CRUD settings, caching complexity

Adrian Rossouw adrian at bryght.com
Mon May 29 12:34:54 UTC 2006

On 29 May 2006, at 2:18 PM, Bèr Kessels wrote:

> However, removing stuff by permission is *always* the wrong way  
> around. It is
> opt-out security, which is close to "not security". If someone is  
> not allowed
> to not see something, it should not even be considered loading. It  
> should not
> be available. Anywhere.
If someone has access to enough of the code to be able to trick  
node_load into
not trimming the fields, they have enough access to get the stuff  
directly out of the
database, and you have far far more of a problem than you thought.

Adrian Rossouw
Drupal developer and Bryght Guy
http://drupal.org | http://bryght.com

More information about the development mailing list