I'm currently using the views reference module and passing in arguments with the PHP argument field enabled. There should be an option to disable this from being displayed on the edit pages. This can pose a great security risk if a basic editor has access to this input field. It's best to have an optional checkbox if this can be changed from its default value.

Attachments:
#1 viewreference-php_perm-2014723-1.patch (1.07 KB) by ericras

Comments

ericras

Category: feature » bug
Priority: Normal » Major
Status: Active » Needs review

Access to this definitely shouldn't be universal. Here's a very basic patch that uses the core 'use PHP for settings' perm.

The downside with this approach is that anyone who has the 'use PHP for settings' can now grant php access through this viewreference setting.

For something as sensitive as php execution access, this module should probably create its own permission.

ericras

Title: drupal 7 view reference - PHP argument input should have option to be turned off from being able to be edited. » "Allow PHP code" argument input should be permission restricted

  • danielb committed 369238a on 7.x-3.x
    git commit -m 'Issue #2014723 by ericras: "Allow PHP code" argument...
danielb

Issue summary: View changes

Thanks for drawing my attention to this. I've implemented an alternate solution which disables that option if the person setting up the field doesn't have that permission, and also if the last user to edit a node doesn't have the permission the PHP won't be executed either.
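
The pattern discussed in ericras's comment (a module-specific permission instead of reusing core's 'use PHP for settings') and in danielb's comment (disable the option for users without the permission, and skip PHP execution when the node's last editor lacks it), as an added illustrative Drupal 7 example. This is not the viewreference module's actual code; the permission name and the function names are hypothetical, while hook_permission, user_access, user_load, watchdog and php_eval are real Drupal 7 APIs.

```php
<?php
// Illustrative Drupal 7 pattern, not the viewreference module's own code.
// Permission string and function names below are hypothetical.

// A dedicated permission for PHP argument execution. 'restrict access' makes
// the permissions UI flag it as one that should only go to trusted roles.
function example_viewref_permission() {
  return array(
    'use php in viewreference arguments' => array(
      'title' => t('Use PHP in view reference arguments'),
      'description' => t('Warning: allows arbitrary PHP to be executed.'),
      'restrict access' => TRUE,
    ),
  );
}

// Field settings form: a user without the permission sees the "Allow PHP
// code" checkbox disabled, so a basic editor cannot switch it on.
function example_viewref_alter_settings_form(array &$form) {
  if (!user_access('use php in viewreference arguments')) {
    $form['php_arguments']['#disabled'] = TRUE;
    $form['php_arguments']['#description'] = t('You do not have permission to enable PHP arguments.');
  }
}

// Execution time: the field setting alone is not trusted. The PHP argument
// only runs if the account that saved the loaded node revision still holds
// the permission; otherwise the argument is used as a literal string.
function example_viewref_build_argument($node, $argument, $php_enabled) {
  if (!$php_enabled) {
    return $argument;
  }
  // revision_uid is the account that created the currently loaded revision.
  $editor = user_load($node->revision_uid);
  if (!$editor || !user_access('use php in viewreference arguments', $editor)) {
    watchdog('example_viewref',
      'PHP argument skipped: revision author %uid lacks permission.',
      array('%uid' => $node->revision_uid), WATCHDOG_WARNING);
    return $argument;
  }
  return php_eval($argument);
}
```

The second check matters because a node can be re-saved by a less privileged user after a trusted user first enabled the option, and logging the skipped execution gives a detection signal rather than a silent failure.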

danielb

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.