Add Demo Secure module
sun - February 17, 2009 - 00:30
| Project: | Demonstration site (Sandbox / Snapshot) |
| Version: | 7.x-1.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
After working on the second fully-fledged Drupal administration demonstration site, I realized that Demo could provide a new sub-module that alters some bits of Drupal to make full-admin demos secure:
- .info: required = TRUE
- remove Block module's PHP permission
- remove PHP module
- disable locale's translation features
- make the HTML filter unremovable/unconfigurable

#1
These were (partially) the dirty hacks I applied:
Index: modules/block/block.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.admin.inc,v
retrieving revision 1.35
diff -u -p -r1.35 block.admin.inc
--- modules/block/block.admin.inc 11 Feb 2009 03:38:46 -0000 1.35
+++ modules/block/block.admin.inc 16 Feb 2009 23:02:52 -0000
@@ -190,7 +190,7 @@ function block_admin_configure(&$form_st
'#collapsed' => TRUE,
);
- $access = user_access('use PHP for block visibility');
+ $access = 0 && user_access('use PHP for block visibility');
if ($edit['visibility'] == 2 && !$access) {
$form['page_vis_settings'] = array();
$form['page_vis_settings']['visibility'] = array('#type' => 'value', '#value' => 2);
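Review bot: `$access = 0 && user_access('use PHP for block visibility');` short-circuits before `user_access()` is ever called, so the right-hand side is dead code and the intent is hidden behind an odd constant; if the hack is kept it should read `$access = FALSE; // Demo site: PHP block visibility is never offered, regardless of role.`. Note that this only suppresses the settings field: the following lines still keep `'visibility' => 2` as a `#value` element for blocks that were saved with PHP visibility earlier, so any PHP snippet already stored for such a block is left in place and presumably still evaluated when the block is rendered — confirm against the rendering code, since that is outside this hunk. block_admin_configure() starts before the hunk and continues after it.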
Index: modules/block/block.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.module,v
retrieving revision 1.322
diff -u -p -r1.322 block.module
--- modules/block/block.module 11 Feb 2009 05:33:18 -0000 1.322
+++ modules/block/block.module 16 Feb 2009 23:03:11 -0000
@@ -109,10 +109,10 @@ function block_perm() {
'title' => t('Administer blocks'),
'description' => t('Select which blocks are displayed, and arrange them on the page.'),
),
- 'use PHP for block visibility' => array(
- 'title' => t('Use PHP for block visibility'),
- 'description' => t('Enter PHP code in the field for block visibility settings. %warning', array('%warning' => t('Warning: Give to trusted roles only; this permission has security implications.'))),
- ),
+// 'use PHP for block visibility' => array(
+// 'title' => t('Use PHP for block visibility'),
+// 'description' => t('Enter PHP code in the field for block visibility settings. %warning', array('%warning' => t('Warning: Give to trusted roles only; this permission has security implications.'))),
+// ),
);
}
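Review bot: Commenting out the `'use PHP for block visibility'` entry in block_perm() removes it from the permissions page, but it does not necessarily revoke grants that roles already hold; whether a stale grant still satisfies `user_access()` depends on how role permissions are stored in this 7.x-dev snapshot, so verify it rather than assume. Given the block.admin.inc change in the same patch, where `$access` is forced to FALSE, this hunk is also redundant for the configure form and matters only for other callers of `user_access('use PHP for block visibility')`, if any exist. Dead code should be deleted rather than left as `//` lines; for the proposed sub-module the same effect belongs in the module itself rather than in a core patch. block_perm() starts before the hunk.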
Index: modules/filter/filter.admin.inc
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.admin.inc,v
retrieving revision 1.24
diff -u -p -r1.24 filter.admin.inc
--- modules/filter/filter.admin.inc 5 Feb 2009 19:52:02 -0000 1.24
+++ modules/filter/filter.admin.inc 16 Feb 2009 23:39:38 -0000
@@ -209,6 +209,9 @@ function filter_admin_format_form_submit
}
db_query("DELETE FROM {filter} WHERE format = %d", $format);
+ // HACK: Demo site. 17/02/2009 sun
+ $form_state['values']['filters']['filter/0'] = 1;
+
foreach ($form_state['values']['filters'] as $id => $checked) {
if ($checked) {
list($module, $delta) = explode('/', $id);
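Review bot: `$form_state['values']['filters']['filter/0'] = 1;` hard-codes the HTML filter's identity as delta 0 of the filter module, and the comment `// HACK: Demo site. 17/02/2009 sun` records who and when but not why; replace it with `// Demo site: always keep the HTML filter (filter/0) enabled so demo admins cannot switch off tag stripping for any format.`. The override runs only in this submit handler, placed after the `DELETE FROM {filter}` so the re-insert loop below picks it up, but it gives no protection to formats changed through any other path; that limitation is inherent to a submit-handler hack and is one more reason to move the logic into the sub-module. filter_admin_format_form_submit() starts before the hunk and continues after it.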
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.240
diff -u -p -r1.240 filter.module
--- modules/filter/filter.module 21 Jan 2009 16:58:42 -0000 1.240
+++ modules/filter/filter.module 16 Feb 2009 23:40:44 -0000
@@ -669,6 +669,8 @@ function _filter_html_settings($format)
'#type' => 'textfield',
'#title' => t('Allowed HTML tags'),
'#default_value' => variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>'),
+ // HACK: Demo site. 17/02/2009 sun
+ '#value' => variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>'),
'#size' => 64,
'#maxlength' => 1024,
'#description' => t('Specify a list of tags which should not be stripped. (Note that JavaScript event attributes are always stripped.)'),
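Review bot: The added `'#value'` duplicates the `variable_get("allowed_html_$format", ...)` call and its long default tag list from `'#default_value'` two lines above, so the two will drift if the default ever changes; compute it once, `$allowed = variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>');`, and use `$allowed` for both keys. A textfield with a fixed `#value` still renders as editable, so a demo user sees their edit silently discarded; adding `'#disabled' => TRUE` makes the lock visible in the UI. The comment should state why the value is pinned rather than carry a date and initials. _filter_html_settings() starts before the hunk and continues after it.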
Index: modules/locale/locale.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/locale/locale.module,v
retrieving revision 1.237
diff -u -p -r1.237 locale.module
--- modules/locale/locale.module 5 Feb 2009 00:32:46 -0000 1.237
+++ modules/locale/locale.module 16 Feb 2009 23:10:15 -0000
@@ -113,47 +113,47 @@ function locale_menu() {
- $items['admin/build/translate/import'] = array(
- 'title' => 'Import',
- 'page callback' => 'drupal_get_form',
- 'page arguments' => array('locale_translate_import_form'),
- 'access arguments' => array('translate interface'),
- 'weight' => 20,
- 'type' => MENU_LOCAL_TASK,
- );
+// $items['admin/manage/translate/import'] = array(
+// 'title' => 'Import',
+// 'page callback' => 'drupal_get_form',
+// 'page arguments' => array('locale_translate_import_form'),
+// 'access arguments' => array('translate interface'),
+// 'weight' => 20,
+// 'type' => MENU_LOCAL_TASK,
+// );
- $items['admin/build/translate/edit/%'] = array(
- 'title' => 'Edit string',
- 'page callback' => 'drupal_get_form',
- 'page arguments' => array('locale_translate_edit_form', 4),
- 'access arguments' => array('translate interface'),
- 'type' => MENU_CALLBACK,
- );
+// $items['admin/manage/translate/edit/%'] = array(
+// 'title' => 'Edit string',
+// 'page callback' => 'drupal_get_form',
+// 'page arguments' => array('locale_translate_edit_form', 4),
+// 'access arguments' => array('translate interface'),
+// 'type' => MENU_CALLBACK,
+// );
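Review bot: The commented-out replacement lines do not mirror the removed ones — they use `admin/manage/translate/...` where the removed lines use `admin/build/translate/...` — so the `//` lines do not even document the original paths and the hunk is not a minimal change; delete the two `$items[...]` entries outright, or better, unset them from a hook_menu_alter() implementation in the proposed sub-module instead of leaving dead code in core. The hunk header announces 47 lines on each side but only 30 are shown, so context lines are presumably missing from this paste. Removing the router entries hides the import and edit forms, while the callbacks `locale_translate_import_form` and `locale_translate_edit_form` remain defined; that is fine as long as no other path exposes them, which is worth checking rather than assuming. locale_menu() starts before the hunk and continues after it.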
However, just for reference - it doesn't need to be that dirty.
#2
Also, we want to disallow changes to demo settings and demo snapshots while the module is enabled. I fear that most of the logic would have to be triggered by a custom variable in settings.php.
#3
This is exactly what I was thinking when using the module.
My idea: introduce a settings.php "password" to the secure module, allowing access only if you type the correct password - therefore even uid 1 won't be able to make snapshots and reload them
#4
Hey, that's not a bad idea. :)
#5
Yes :-)
The only question is how to do that. Either make all admin forms two-step, which might be a PIAS to code, or introduce a _GET param to the form?
Third option might be to introduce something like update.php free access:
$demo_admin_free_access = TRUE/FALSE;