When listing theme files I see that all files are Not Editable. So I have a few questions:
- Must I change the chmod of the theme dir before I can use this module?
- If I change the chmod, will it be safe?
- And if so, what chmod will be OK?
Thanks...
Comments
Comment #1
arcaneadam commented:
1. Currently you would need to set the chmod of the theme directory to allow the files to be writeable (else how would it edit the files?).
2. What you need to set it to depends on your server and what permissions it runs under. Ideally just setting it to 755 to only allow the user to write to it would be best, but once again it completely depends on how your server runs and what it is executing PHP as.
3. As to whether or not this is considered "safe" is a matter of some debate. Some think that it is not generally a good idea to have anything other than the files folder writeable. I am not necessarily of that mindset, but I am not going to speak to this. One thing you can do is only allow certain files to be writeable, CSS for example, to allow only style changes that can't execute code. Another option is to set the theme folder as writeable only for a short time while you are using the theme editor, then change it back.
Once again, I am not completely of the mindset that it is insecure to have the folder writeable.
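The two options mentioned in comment #1 (stylesheets only, and write access only while editing), sketched as an added example that is not part of the thread or of the module's code. The function names and the sample theme are constructed for illustration, and it assumes the theme files are owned by the account PHP runs as.

```shell
#!/bin/sh
# Added example; function names and the sample theme are constructed.
# Assumption: theme files are owned by the account PHP runs as.

# Remove every write bit under the theme directory.
theme_lock() {
    find "$1" -type d -exec chmod 555 {} +
    find "$1" -type f -exec chmod a-w {} +
}

# Owner may edit existing stylesheets in place. Directories stay read-only,
# so no new file (a .php, for instance) can be created next to them.
theme_allow_css() {
    theme_lock "$1"
    find "$1" -type f -name '*.css' -exec chmod u+w {} +
}

# List directories and non-CSS files that still carry any write bit.
theme_writable_risky() {
    find "$1" \( -type d -o \( -type f ! -name '*.css' \) \) \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print
}

# Constructed sample theme for a dry run; prints its path.
make_sample_theme() {
    d=$(mktemp -d) || return 1
    mkdir "$d/css"
    : > "$d/css/style.css"; : > "$d/page.tpl.php"; : > "$d/template.php"
    chmod 666 "$d/css/style.css" "$d/page.tpl.php" "$d/template.php"
    echo "$d"
}

# Usage: sh theme-perms.sh /path/to/theme
if [ "$#" -gt 0 ]; then
    theme_allow_css "$1"
    theme_writable_risky "$1"   # expect no output
fi
```

Running `theme_lock` on the same directory after an editing session returns everything to read-only.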
Comment #2
EllECTRONC commented:
I just use it on different servers. On one of them I did NOT change any permissions, but the module works fine. As I found out later, it's because this server allows anonymous access to FTP. Another server does not allow it, and I was just confused why the module doesn't work on that server.
Thanks for explaining
Comment #3
iantresman commented:
On the page where "Not Editable" is displayed, why not add either:
This would help newbies who may have no idea how to solve the "Not Editable" issue.
Comment #4
iantresman commented:
Just a thought, if the selected file is not editable, why not:
Comment #5
Copyfight commented:
I totally agree with iantresman. There is a lack of documentation about this, and the handbook help page is still for Drupal 4.7.
Comment #6
arcaneadam commented:
This is an issue I will be addressing when I make some changes to the module. The documentation page, on the other hand, is inherited from the last project maintainer who wrote the 4.7 module. I simply don't have the time I'd like right now to write that documentation. I am more than happy to allow some users to write to documentation though and contribute it.
Comment #7
Shane Birley commented:
Hi, I wrote the original 4.x and 5.x documentation. I am very happy to update it. Let me see what has changed in this module and write up something new.
Comment #8
Shane Birley commented:
One thing I have noticed already about this new module is that the theme files are being directly edited in their current locations. The original module (4.x and 5.x) would make copies of the themes you wished to edit and move them into the files directory. Is this not the case now? Wouldn't this solve the file permissions issues since (generally speaking) the files directory is writeable by the server - moving a copy of the theme and making those files the active theme still makes sense.
Besides, if you have a multi-site situation, administrators don't want just anyone editing the theme files located in /all/themes.
Comment #10
Shane Birley commented:
After a little more looking at the module code, I am changing this to a code issue. I don't think this is a permissions issue at all since I believe it is a very dangerous proposition to let the theme editor change the all/themes directory - ever. Making copies of core theme files and moving them into the active website's files directory should be reimplemented into the module. Sure, this interface is WordPress-like - but Drupal and WordPress do not deal with themes in the same way and this should be thought out much better than currently implemented.
I would consider this module to be a serious security issue around themes since it appears that anyone provided with access can change themes across multiple websites without any consideration for a multi-site environment - and that is a major oversight on the development end. That is why the original 4.x and 5.x modules made copies of the theme files out and copied them from the /all/themes directory and into the files directory of the website being accessed.
If I am wrong, do let me know but I would never recommend anyone changing the permissions on core Drupal files to be writable and allow just anyone to edit the themes directly.
Comment #12
muhleder commented:
Also, anyone with access to edit themes (and therefore PHP files) in one site of a multisite environment would be able to gain full access to all other sites running under the same codebase. This would be true for anyone with permission to run arbitrary PHP code as noted in one of the Drupal multisite handbook pages.
http://drupal.org/getting-started/6/install/multi-site
It would be awesome to be able to use this module to create subthemes (in the files directory?) so that editors wouldn't need the ability to edit php code.
Comment #13
arcaneadam commented:
All the talk about security and such are valid points, but to be honest any time you let someone have access to PHP code they can hijack information from a multisite install. The key there is to not let your untrusted users have PHP access, or theme editing access in this case.
In any case I am working on a serious overhaul of the module that will give it better functionality and security, without modifying the core theme files.
Comment #14
Shane Birley commented:
1. Currently, yes.
2. No.
3. I wouldn't at the moment.
Comment #15
Shane Birley commented:
Let me know if you require testing and whatnot. I can write up some documentation for it... :)