Files Not Editable Message

1. Currently you would need to set the chmod of the theme directory to allow the files to be writeable (else how would it edit the files?).

2. What you need to set it to depends on your server and what permissions it runs under. Ideally just setting it to 755 t only allow the user to write to it would be best, but once again completely depends on how your server runs and what it is executing php as.

3. As to whether or not this is considered "safe" is a matter of some debate. Some think that it is not generally a good idea to have anything other then the files folder writeable, I am not necessarily of that mindset, but I am not going to speak to this. One thing you can do is only allow certain files to be writeable, css for example to allow only style changes that can't execute code. Another option is to set the theme folder as writeable only for a short time while you are using the theme editor then change it back.

Once again I am not completely of the mind set that it is unsecure to have the folder writeable.

On the page where "Not Editable" is displayed, why not add either:

• A line of text saying "Not Editable" files need to have their permissions changed to allow write access, and a link to a web page explaining how to do this.
• Or a link to the Theme Editor help page where this could be explained in a bit more detail.

This would help newbies who may have no idea how to solved the "Not Editable" issue.

Just a thought, if the selected file is not editable, why not:

• just display the file's contents as a raw text, instead of as an editable area
• and do not display the Save button, since it won't work

I totally agree with iantresman. There is a lack of documentation about this, and the handbook help page is still for Drupal 4.7.

This is an issue I will e addressing when I make some changes to the module. The documentation page on the other hand is inherited from the last project maintainer who wrote the 4.7 module. I simply don't have the time I'd like right now to write that documentation. I am more then happy to allow some users to write to documentation though and contribute it.

Hi, I wrote the original 4.x and 5.x documentation. I am very happy to update it. Let me see what has changed in this module and write up something new.

One thing I have noticed already about this new module, is that the theme files are being directly edited in their current locations. The original module (4.x and 5.x) would make copies of the themes you wished to edit and move them into the files directory. Is this not the case now? Wouldn't this solve the file permissions issues since (generally speaking) the files directory is writeable by the server - moving a copy of the theme and making those files the active theme still makes sense.

Besides, if you have a multi-site situation, administrators don't want just anyone editing the theme files located in /all/themes.

After a little more looking at the module code, I am changing this to a code issue. I don't think this is a permissions issue at all since I believe it is a very dangerous proposition to let the theme editor change the all/themes directory - ever. Making copies of core theme files and moving them into the active website's files directory should be reimplemented into the module. Sure, this interface is Wordpress-like - but Drupal and WordPress do not deal with themes in the same way and this should be thought out much better than currently implemented.

I would consider this module to be a serious security issue around themes since it appears that anyone provided with access can change themes across multiple websites without any consideration for a multi-site environment - and that is a major oversight on the development end. That is why the original 4.x and 5.x modules made copies of the theme files out and copied them from the /all/themes directory and into the files directory of the website being accessed.

If I am wrong, do let me know but I would never recommend anyone changing the permissions on core Drupal files to be writable and allow just anyone to edit the themes directly.

Also, anyone with access to edit themes (and therefore php files) in one site of a multisite environment would be able to gain full access to all other sites running under the same codebase. This would be true for anyone with permission to run arbitrary php code as noted in one of the Drupal multisite handbook pages.

http://drupal.org/getting-started/6/install/multi-site

It would be awesome to be able to use this module to create subthemes (in the files directory?) so that editors wouldn't need the ability to edit php code.

All the talk about security and such are valid points, but to be honest any time you let some one have access to php code they can hijack information from a multisite install. The key there is to not let your untrusted users have php access or theme editing access in this case.

In any case I am working on a serious overhaul of the module that will give it better functionality and security, without modifying the core theme files.

1. Currently, yes.
2. No.
3. I wouldn't at the moment.

Let me know if you require testing and whatnot. I can write up some documentation for it... :)