diff --git a/ctools.module b/ctools.module index accddee..9f5444f 100644 --- a/ctools.module +++ b/ctools.module @@ -438,6 +438,19 @@ function ctools_menu() { } /** + * Implements hook_permission(). + */ +function ctools_permission() { + return array( + 'use ctools import' => array( + 'title' => t('Use CTools importer'), + 'description' => t('The import functionality allows users to execute arbitrary PHP code, so extreme caution must be taken.'), + 'restrict access' => TRUE, + ), + ); +} + +/** * Implementation of hook_cron. Clean up old caches. */ function ctools_cron() { diff --git a/page_manager/page_manager.admin.inc b/page_manager/page_manager.admin.inc index 1fce8fb..59d3e99 100644 --- a/page_manager/page_manager.admin.inc +++ b/page_manager/page_manager.admin.inc @@ -571,8 +571,8 @@ function page_manager_get_operations($page, $operations = NULL) { ), ); - // Restrict variant import to users who can already execute arbitrary PHP - if (user_access('use PHP for settings')) { + // Restrict variant import due to security implications. + if (user_access('use ctools import')) { $result['actions']['children']['import'] = array( 'title' => t('Import variant'), 'description' => t('Add a new variant to this page from code exported from another page.'), @@ -1435,15 +1435,16 @@ function page_manager_handler_import($form, &$form_state) { '#description' => t('Enter the name of the new variant.'), ); - if (user_access('use PHP for settings')) { + if (user_access('use ctools import')) { $form['object'] = array( '#type' => 'textarea', '#title' => t('Paste variant code here'), '#rows' => 15, ); } - // Users ordinarily can't get here without the PHP block visibility perm. - // In case they somehow do, though, disable the form widget for extra safety. + // Users ordinarily can't get here without the 'import' permission, due to + // security implications. In case they somehow do, though, disable the form + // widget for extra safety. else { $form['shoveoff'] = array( '#markup' => '