I'm currently using the views reference and passing in arguments with the PHP argument field enabled. There should be an option to disable this from being displayed on the edit pages. This can pose a great security risk if a basic editor has access to this input field. It's best to have an optional checkbox if this can be changed from its default value.
Comment | File | Size | Author |
---|---|---|---|
#1 | viewreference-php_perm-2014723-1.patch | 1.07 KB | ericras |
Comments
Comment #1
ericras CreditAttribution: ericras commented
Access to this definitely shouldn't be universal. Here's a very basic patch that uses the core 'use PHP for settings' perm.
The downside with this approach is that anyone who has the 'use PHP for settings' can now grant php access through this viewreference setting.
For something as sensitive as php execution access, this module should probably create its own permission.
Comment #2
ericras CreditAttribution: ericras commented
Comment #4
danielb CreditAttribution: danielb commented
Thanks for drawing my attention to this. I've implemented an alternate solution which disables that option if the person setting up the field doesn't have that permission, and also if the last user to edit a node doesn't have the permission the PHP won't be executed either.
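To show the two gates danielb describes in comment #4 in concrete terms, here is an added Drupal 7 style example that is not the module's own code; the hook used, the `php_arguments` element path and the `example_*` function names are assumptions.

```php
<?php
// Added illustration of the two checks from comment #4, not viewreference
// code. Assumes Drupal 7 with the core PHP filter module enabled; the
// element path $form['field']['settings']['php_arguments'] is hypothetical.

/**
 * Gate 1 (field configuration): grey out the "PHP arguments" option for
 * anyone without the core 'use PHP for settings' permission, so a basic
 * editor cannot switch it on while configuring the field.
 */
function example_form_field_ui_field_edit_form_alter(&$form, &$form_state) {
  if (!isset($form['field']['settings']['php_arguments'])) {
    return;
  }
  if (!user_access('use PHP for settings')) {
    $form['field']['settings']['php_arguments']['#disabled'] = TRUE;
    $form['field']['settings']['php_arguments']['#description'] =
      t('Only users with the "use PHP for settings" permission can change this.');
  }
}

/**
 * Gate 2 (runtime): only evaluate the stored PHP if the account that saved
 * the current node revision holds the permission. A privileged user enabling
 * the option therefore does not let an unprivileged editor get code run by
 * editing the node later.
 */
function example_php_argument_allowed($node) {
  // revision_uid is the author of the current revision on a loaded D7 node.
  $editor = user_load($node->revision_uid);
  return $editor && user_access('use PHP for settings', $editor);
}

/**
 * Resolve the argument: fail closed to a plain fallback value when the
 * last editor is not allowed to execute PHP.
 */
function example_resolve_argument($node, $php_code, $fallback) {
  if (!example_php_argument_allowed($node)) {
    return $fallback;
  }
  // php_eval() is the core PHP filter module's helper for stored PHP.
  return php_eval($php_code);
}
```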
Comment #5
danielb CreditAttribution: danielb commented