diff --git a/API.txt b/API.txt index 2df7e22..d095d57 100644 --- a/API.txt +++ b/API.txt @@ -3,6 +3,9 @@ Current API Version: 2.0.5 Please note that the API version is an internal number and does not match release numbers. It is entirely possible that releases will not increase the API version number, and increasing this number too often would burden contrib module maintainers who need to keep up with API changes. This file contains a log of changes to the API. +API Version 2.0.8 +Changed import permissions to use the new 'use ctools import' permission. + API Version 2.0.7 All ctools object cache database functions can now accept session_id as an optional argument to facilitate using non-session id keys. diff --git a/ctools.module b/ctools.module index 7dfc989..b1b2865 100644 --- a/ctools.module +++ b/ctools.module @@ -9,7 +9,7 @@ * must be implemented in the module file. */ -define('CTOOLS_API_VERSION', '2.0.7'); +define('CTOOLS_API_VERSION', '2.0.8'); /** * Test the CTools API version. @@ -438,6 +438,19 @@ function ctools_menu() { } /** + * Implements hook_permission(). + */ +function ctools_permission() { + return array( + 'use ctools import' => array( + 'title' => t('Use CTools importer'), + 'description' => t('The import functionality allows users to execute arbitrary PHP code, so extreme caution must be taken.'), + 'restrict access' => TRUE, + ), + ); +} + +/** * Implementation of hook_cron. Clean up old caches. */ function ctools_cron() { diff --git a/page_manager/page_manager.admin.inc b/page_manager/page_manager.admin.inc index 22ecd63..000b442 100644 --- a/page_manager/page_manager.admin.inc +++ b/page_manager/page_manager.admin.inc 
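Review bot: The docblock added for ctools_permission() says only "Implements hook_permission().", although the description string in the same hunk states that holding 'use ctools import' amounts to executing arbitrary PHP. I would record that in the comment so later edits keep the flag, e.g. `* 'use ctools import' is equivalent to PHP execution; keep 'restrict access' => TRUE.` Roles that reached the importer through 'use PHP for settings' presumably do not receive the new permission on update. That fails closed, but the API.txt entry does not say the permission has to be granted again deliberately.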
@@ -573,8 +573,8 @@ function page_manager_get_operations($page, $operations = NULL) { ), ); - // Restrict variant import to users who can already execute arbitrary PHP - if (user_access('use PHP for settings')) { + // Restrict variant import due to security implications. + if (user_access('use ctools import')) { $result['actions']['children']['import'] = array( 'title' => t('Import variant'), 'description' => t('Add a new variant to this page from code exported from another page.'), @@ -1437,15 +1437,16 @@ function page_manager_handler_import($form, &$form_state) { '#description' => t('Enter the name of the new variant.'), ); - if (user_access('use PHP for settings')) { + if (user_access('use ctools import')) { $form['object'] = array( '#type' => 'textarea', '#title' => t('Paste variant code here'), '#rows' => 15, ); } - // Users ordinarily can't get here without the PHP block visibility perm. - // In case they somehow do, though, disable the form widget for extra safety. + // Users ordinarily can't get here without the 'import' permission, due to + // security implications. In case they somehow do, though, disable the form + // widget for extra safety. else { $form['shoveoff'] = array( '#markup' => '
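Review bot: The `user_access('use ctools import')` check in page_manager_get_operations() decides only whether the 'Import variant' operation is listed, and the next hunk in page_manager_handler_import() decides only whether the textarea is built; neither is where the pasted code is processed. The rewritten comment there still concedes that a user may "somehow" reach the form, so the form's validation step should repeat the check and fail, e.g. `if (!user_access('use ctools import')) { form_set_error('object', t('Import is not permitted.')); }`. The handler that consumes `$form_state['values']['object']` and the access callback for the import path are not visible in this diff, so this may already be covered. Both functions start and end outside their hunks, and the second hunk is cut off at the end of the page.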