diff --git a/API.txt b/API.txt index 2df7e22..d095d57 100644 --- a/API.txt +++ b/API.txt @@ -3,6 +3,9 @@ Current API Version: 2.0.5 Please note that the API version is an internal number and does not match release numbers. It is entirely possible that releases will not increase the API version number, and increasing this number too often would burden contrib module maintainers who need to keep up with API changes. This file contains a log of changes to the API. +API Version 2.0.8 +Changed import permissions to use the new 'use ctools import' permission. + API Version 2.0.7 All ctools object cache database functions can now accept session_id as an optional argument to facilitate using non-session id keys. diff --git a/ctools.module b/ctools.module index 7dfc989..b1b2865 100644 --- a/ctools.module +++ b/ctools.module @@ -9,7 +9,7 @@ * must be implemented in the module file. */ -define('CTOOLS_API_VERSION', '2.0.7'); +define('CTOOLS_API_VERSION', '2.0.8'); /** * Test the CTools API version. @@ -438,6 +438,19 @@ function ctools_menu() { } /** + * Implements hook_permission(). + */ +function ctools_permission() { + return array( + 'use ctools import' => array( + 'title' => t('Use CTools importer'), + 'description' => t('The import functionality allows users to execute arbitrary PHP code, so extreme caution must be taken.'), + 'restrict access' => TRUE, + ), + ); +} + +/** * Implementation of hook_cron. Clean up old caches. */ function ctools_cron() { diff --git a/page_manager/page_manager.admin.inc b/page_manager/page_manager.admin.inc index 22ecd63..000b442 100644 --- a/page_manager/page_manager.admin.inc +++ b/page_manager/page_manager.admin.inc 
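Review bot: ctools_permission() introduces 'use ctools import', but nothing in this commit grants it to roles that previously held 'use PHP for settings', so after the update every role is locked out of import until an administrator assigns the new permission explicitly. That fail-closed behaviour looks right for a permission whose own description says it allows arbitrary PHP execution — auto-granting it in a hook_update_N would silently widen eval-level access — but it should be stated so nobody "fixes" it later. I would add to the docblock: `* No update hook grants this to existing roles on purpose; it must be assigned explicitly.` and say the same in the API.txt entry so site builders expect the lockout. `'restrict access' => TRUE` is appropriate here and should stay.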
@@ -573,8 +573,8 @@ function page_manager_get_operations($page, $operations = NULL) { ), ); - // Restrict variant import to users who can already execute arbitrary PHP - if (user_access('use PHP for settings')) { + // Restrict variant import due to security implications. + if (user_access('use ctools import')) { $result['actions']['children']['import'] = array( 'title' => t('Import variant'), 'description' => t('Add a new variant to this page from code exported from another page.'), @@ -1437,15 +1437,16 @@ function page_manager_handler_import($form, &$form_state) { '#description' => t('Enter the name of the new variant.'), ); - if (user_access('use PHP for settings')) { + if (user_access('use ctools import')) { $form['object'] = array( '#type' => 'textarea', '#title' => t('Paste variant code here'), '#rows' => 15, ); } - // Users ordinarily can't get here without the PHP block visibility perm. - // In case they somehow do, though, disable the form widget for extra safety. + // Users ordinarily can't get here without the 'import' permission, due to + // security implications. In case they somehow do, though, disable the form + // widget for extra safety. else { $form['shoveoff'] = array( '#markup' => '
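Review bot: The rewritten comment in the @@ -573 hunk drops the reason the old one gave — it now says only "due to security implications", while the permission's own description in ctools.module states that import executes arbitrary PHP. A maintainer reading this later should see why the check is non-negotiable; I would write `// Restrict variant import: imported variant code is executed as PHP, so it needs 'use ctools import'.` page_manager_get_operations() begins and ends outside this hunk.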
' . t('You do not have sufficient permissions to perform this action.') . '
', @@ -1459,7 +1460,7 @@ function page_manager_handler_import($form, &$form_state) { * Make sure that an import actually provides a handler. */ function page_manager_handler_import_validate($form, &$form_state) { - if (!user_access('use PHP for settings')) { + if (!user_access('use ctools import')) { form_error($form['shoveoff'], t('You account permissions do not permit you to import.')); return; } diff --git a/page_manager/plugins/tasks/page.admin.inc b/page_manager/plugins/tasks/page.admin.inc index 69ac02d..c5d3835 100644 --- a/page_manager/plugins/tasks/page.admin.inc +++ b/page_manager/plugins/tasks/page.admin.inc @@ -38,7 +38,7 @@ function page_manager_page_menu(&$items, $task) { ) + $base; if ($access_callback == 'user_access') { $items['admin/structure/pages/import']['access callback'] = 'ctools_access_multiperm'; - $items['admin/structure/pages/import']['access arguments'][] = 'use PHP for settings'; + $items['admin/structure/pages/import']['access arguments'][] = 'use ctools import'; } // AJAX callbacks for argument modal. diff --git a/plugins/export_ui/ctools_export_ui.class.php b/plugins/export_ui/ctools_export_ui.class.php index d326dd9..8525b6f 100644 --- a/plugins/export_ui/ctools_export_ui.class.php +++ b/plugins/export_ui/ctools_export_ui.class.php @@ -121,7 +121,7 @@ class ctools_export_ui { switch ($op) { case 'import': - return user_access('use PHP for settings'); + return user_access('use ctools import'); case 'revert': return ($item->export_type & EXPORT_IN_DATABASE) && ($item->export_type & EXPORT_IN_CODE); case 'delete':
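Review bot: The new comment in the @@ -1437 hunk refers to "the 'import' permission", which is not the actual permission string, so a grep for 'use ctools import' will not find this explanation. Name it exactly: `// Users ordinarily can't get here without 'use ctools import' (imported code` / `// is executed as PHP). In case they somehow do, disable the form widget for` / `// extra safety.` The form builder, the validator and the menu access check now agree on one permission, which is the right belt-and-braces layering. page_manager_handler_import() starts before and continues after this hunk.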
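Review bot: The error message on the line after the changed check in page_manager_handler_import_validate() reads "You account permissions do not permit you to import." — "You" should be "Your"; it is wrapped in t(), so the translation source string changes, but this line is being touched anyway: `form_error($form['shoveoff'], t('Your account permissions do not permit you to import.'));`. Separately, $form['shoveoff'] only exists when the builder ran without the permission, so if the permission is revoked between build and submit the validator would reference an undefined element — presumably rare, but `form_set_error('', ...)` would not depend on that element existing. The function's closing lines are outside the hunk.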
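Review bot: In page_manager_page_menu() the new permission is only attached to admin/structure/pages/import when $access_callback is 'user_access'; for any other callback the import route keeps $base's access and 'use ctools import' is never consulted. That is pre-existing behaviour the commit preserves, and presumably a custom callback is expected to be at least as strict as the default, but nothing records that expectation. I would add above the if: `// A custom access callback is trusted to gate import itself; only the default user_access path is tightened with 'use ctools import'.` The surrounding function is outside the hunk.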
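Review bot: With this hunk 'use ctools import' is spelled out as a literal in six places across four files (the ctools_permission() key, three page_manager.admin.inc checks, the menu access arguments in page.admin.inc and ctools_export_ui::access()), which is how the previous 'use PHP for settings' checks and their comments drifted apart. A single constant next to ctools_permission() — e.g. `define('CTOOLS_IMPORT_PERMISSION', 'use ctools import');` — used by each check would keep them aligned; Drupal convention tolerates literals, so this is a style preference rather than a bug. ctools_export_ui::access() starts before this hunk and continues after it.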