im currently using the views reference and passing in arguments with the PHP argument field enabled. There should be an option to disable this from being displayed on the edit pages. This can pose a great security risk if a basic editor has access to this input field. It's best to have an optional checkbox if this can be changed from its default value.

CommentFileSizeAuthor
#1 viewreference-php_perm-2014723-1.patch1.07 KBericras

Comments

ericras’s picture

ericras commented
Category: feature » bug
Priority: Normal » Major
Status: Active » Needs review
StatusFileSize
new viewreference-php_perm-2014723-1.patch1.07 KB

Access to this definitely shouldn't be universal. Here's a very basic patch that uses the core 'use PHP for settings' perm.

The downside with this approach is that anyone who has the 'use PHP for settings' can now grant php access through this viewreference setting.

For something as sensitive as php execution access, this module should probably create its own permission.

ericras’s picture

ericras commented
Title: drupal 7 view reference - PHP argument input should have option to be turned off from being able to be edited. » "Allow PHP code" argument input should be permission restricted

  • danielb committed 369238a on 7.x-3.x 
    git commit -m 'Issue #2014723 by ericras: "Allow PHP code" argument...
danielb’s picture

danielb commented
Issue summary: View changes

Thanks for drawing my attention to this. I've implemented an alternate solution which disables that option if the person setting up the field doesn't have that permission, and also if the last user to edit a node doesn't have the permission the PHP won't be executed either.

danielb’s picture

danielb commented
Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.