[support] Locking down drupal for use by multiple (semi-)untrusted administrators

Susan Stewart HedgeMage at binaryredneck.net
Wed Nov 21 20:02:25 UTC 2007


Hugo Mills wrote:
<snip>
> 1) Themes.
>
>    From my limited investigation so far, it seems that Drupal themes
> are basically PHP. Allowing users to upload themes directly is
> therefore a no-no. Is there a non-executable type of theme that we can
> support direct uploads for safely, or will all uploaded themes have to
> be audited before we allow them up? How flexible would the system be
> if we were to prevent theme uploads completely?
<snip>

I'd say that 80% of the themes I develop are Zen-based themes for which 
I only write new CSS.  That's one way you could go -- pick a few good 
base themes and allow users to upload CSS-only subthemes.

IIRC, there is no PHP in Smarty themes -- the Smarty engine isn't used 
much any more, but I think it is still available for Drupal.

Susan
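
One way to enforce the "CSS-only subthemes" idea from the reply above before an upload reaches the web root, as an added example (not part of the original thread and not Drupal code). It assumes uploads arrive as zip archives; the allowlist, the size limit and the names `audit_subtheme` and `build_zip` are hypothetical.

```python
import io
import stat
import zipfile

# Assumed site policy for this sketch; none of this is Drupal API.
ALLOWED_EXTENSIONS = {"css", "png", "gif", "jpg"}
MAX_FILE_BYTES = 512 * 1024

def audit_subtheme(archive_bytes):
    """Return reasons to reject the upload; an empty list means accept."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    with archive:
        for info in archive.infolist():
            name = info.filename
            if info.is_dir():
                continue
            parts = name.replace("\\", "/").split("/")
            if parts[0] == "" or ".." in parts:
                problems.append(name + ": path escapes the theme directory")
                continue
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(name + ": symbolic link")
                continue
            # Require exactly "stem.ext": rejects .htaccess, template.php
            # and double extensions such as style.php.css.
            pieces = parts[-1].lower().split(".")
            if len(pieces) != 2 or not pieces[0] or pieces[1] not in ALLOWED_EXTENSIONS:
                problems.append(name + ": file type not allowed")
                continue
            if info.file_size > MAX_FILE_BYTES:
                problems.append(name + ": too large")
                continue
            if pieces[1] == "css" and b"<?" in archive.read(info):
                problems.append(name + ": PHP open tag in stylesheet")
    return problems

def build_zip(files):
    """Build an in-memory zip from {name: bytes}; for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

The check is an allowlist, so anything not explicitly permitted is rejected; the upload directory should still be served with PHP execution disabled.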

