Don't allow evaluation of PHP if php.module is not enabled [#1161398]

Like many devs, I do not want to allow any PHP input via the UI. I've gone as far as to remove php.module entirely to ensure that even admins can not turn on PHP. This is a common requirement for any mass hosting solutions that want to give user 1 access to their users. What I'd like is for custom breadcrumbs to check module_exists() for php.module before displaying the option to enter php into the configuration form. If I'm not mistaken other contrib modules are using php.module as a kill switch of sorts.

Comments

Comment #1

MGN CreditAttribution: MGN commented 18 July 2011 at 00:16

I think this is an interesting idea. I hadn't thought of this before because the php filter module is in core, So you would have to run a modified package (as you are) for this feature to be useful. On the down-side, we don't actually use anything from that module in custom breadcrumbs. So I am not sure that it makes sense to require the php filter module (allows php in posts) to allow the use of php in customizing breadcrumbs. For example, this change might equally inconvenience admins who don't allow php code in posts (so don't enable the php module), but want to use php to setup custom breadcrumbs. Generally I think the fewer dependencies the better.

So while i find it interesting, I am inclined not to pursue this though not yet committed to "won't fix". Since you are already removing modules from core, I don't think it would be too hard for you to tweak custom_breadcrumbs to suit your needs. I would be happy to hear further discussion on this.

Comment #2

ssoulless CreditAttribution: ssoulless commented 14 January 2015 at 16:45

Priority:	Normal	» Major
Issue summary:	View changes

when you try to input your custom php, the php is not evalueted and instead the full string is printed in the breadcrumb, so, how would be the right way for do it programmatically? because like @rickvug I do not want to enable php.module anymore.