diff --git a/modules/php/php.info b/modules/php/php.info
index 669a138..37d698b 100644
--- a/modules/php/php.info
+++ b/modules/php/php.info
@@ -1,5 +1,5 @@
-name = PHP filter
-description = Allows embedded PHP code/snippets to be evaluated.
+name = PHP
+description = Allows permitted users to use custom PHP code in settings.
 package = Core
 version = VERSION
 core = 8.x
diff --git a/modules/php/php.install b/modules/php/php.install
deleted file mode 100644
index 12944dd..0000000
--- a/modules/php/php.install
+++ /dev/null
@@ -1,45 +0,0 @@
- 'PHP code'))->fetchField();
- // Add a PHP code text format, if it does not exist. Do this only for the
- // first install (or if the format has been manually deleted) as there is no
- // reliable method to identify the format in an uninstall hook or in
- // subsequent clean installs.
- if (!$format_exists) {
- $php_format = array(
- 'format' => 'php_code',
- 'name' => 'PHP code',
- // 'Plain text' format is installed with a weight of 10 by default. Use a
- // higher weight here to ensure that this format will not be the default
- // format for anyone.
- 'weight' => 11,
- 'filters' => array(
- // Enable the PHP evaluator filter.
- 'php_code' => array(
- 'weight' => 0,
- 'status' => 1,
- ),
- ),
- );
- $php_format = (object) $php_format;
- filter_format_save($php_format);
-
- drupal_set_message(t('A PHP code text format has been created.', array('@php-code' => url('admin/config/content/formats/' . $php_format->format))));
- }
-}
-
-/**
- * Implements hook_disable().
- */
-function php_disable() {
- drupal_set_message(t('The PHP module has been disabled. Any existing content that was using the PHP filter will now be visible in plain text. This might pose a security risk by exposing sensitive information, if any, used in the PHP code.'));
-}
diff --git a/modules/php/php.module b/modules/php/php.module
index 37bf9a1..19d1913 100644
--- a/modules/php/php.module
+++ b/modules/php/php.module
@@ -2,7 +2,7 @@ /** * @file - * Additional filter for PHP input. + * Allows permitted users to use custom PHP code in settings. */ /** @@ -13,11 +13,11 @@ function php_help($path, $arg) { case 'admin/help#php': $output = ''; $output .= '
' . t('The PHP filter module adds a PHP filter to your site, for use with text formats. This filter adds the ability to execute PHP code in any text field that uses a text format (such as the body of a content item or the text of a comment). PHP is a general-purpose scripting language widely-used for web development, and is the language with which Drupal has been developed. For more information, see the online handbook entry for the PHP filter module.', array('@filter' => url('admin/help/filter'), '@php-net' => 'http://www.php.net', '@php' => 'http://drupal.org/handbook/modules/php/')) . '
'; + $output .= '' . t('The PHP module allows to use PHP code in certain configuration settings to limit actions or content to custom conditions. PHP is a general-purpose scripting language widely-used for web development, and is the language with which Drupal has been developed. For more information, see the online handbook entry for the PHP filter module.', array('@filter' => url('admin/help/filter'), '@php-net' => 'http://www.php.net', '@php' => 'http://drupal.org/handbook/modules/php/')) . '
'; $output .= '' . t('Custom PHP code may be embedded in some types of site content, including posts and blocks. While embedding PHP code inside a post or block is a powerful and flexible feature when used by a trusted user with PHP experience, it is a significant and dangerous security risk when used improperly. Even a small mistake when posting PHP code may accidentally compromise your site.') . '
'; - $output .= '' . t('If you are unfamiliar with PHP, SQL, or Drupal, avoid using custom PHP code within posts. Experimenting with PHP may corrupt your database, render your site inoperable, or significantly compromise security.') . '
'; - $output .= '' . t('Notes:') . '
'; - $output .= 'register_globals
is turned off. If you need to use forms, understand and use the functions in the Drupal Form API.', array('@formapi' => url('http://api.drupal.org/api/group/form_api/7'))) . 'print
or return
statement in your code to output content.') . 'template.php
file rather than embedding it directly into a post or block.') . '' . t('A basic example: Creating a "Welcome" block that greets visitors with a simple message.') . '
'; - $output .= 'Add a custom block to your site, named "Welcome" . With its text format set to "PHP code" (or another format supporting PHP input), add the following in the Block body:
--print t(\'Welcome visitor! Thank you for visiting.\'); -') . '
To display the name of a registered user, use this instead:
--global $user; -if ($user->uid) { - print t(\'Welcome @name! Thank you for visiting.\', array(\'@name\' => format_username($user))); -} -else { - print t(\'Welcome visitor! Thank you for visiting.\'); -} -') . '
' . t('Drupal.org offers some example PHP snippets, or you can create your own with some PHP experience and knowledge of the Drupal system.', array('@drupal' => url('http://drupal.org'), '@php-snippets' => url('http://drupal.org/handbook/customization/php-snippets'))) . '
';
- return $output;
- }
- else {
- return t('You may post PHP code. You should include <?php ?> tags.');
- }
-}
-
-/**
- * Implements hook_filter_info().
- *
- * Provide PHP code filter. Use with care.
- */
-function php_filter_info() {
- $filters['php_code'] = array(
- 'title' => t('PHP evaluator'),
- 'description' => t('Executes a piece of PHP code. The usage of this filter should be restricted to administrators only!'),
- 'process callback' => 'php_eval',
- 'tips callback' => '_php_filter_tips',
- 'cache' => FALSE,
- );
- return $filters;
-}
-
diff --git a/modules/php/php.test b/modules/php/php.test
index 8ead2ac..ef7dfeb 100644
--- a/modules/php/php.test
+++ b/modules/php/php.test
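Review bot: Existing content saved in the 'PHP code' format is left without its filter once php_filter_info() is removed, and nothing visible in this diff handles it; the deleted php_disable() message itself warned that such content "will now be visible in plain text" and may expose sensitive information used in the code. An update function, or at least a one-time `drupal_set_message()` carrying that warning forward, would let administrators audit affected nodes and blocks before their PHP source is shown to visitors; this may exist outside the diff. In php_help(), the rewritten paragraph still ends with "handbook entry for the PHP filter module" and still passes `'@filter' => url('admin/help/filter')`, and the apparently unchanged paragraph after it still says code may be embedded in "posts and blocks", so the help text should be aligned with the settings-only scope. The section is garbled by markup stripping and php_help() starts and ends outside the visible lines, so these points should be checked against the real file.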
@@ -5,116 +5,3 @@
 * Tests for php.module.
 */
-/**
- * Base PHP test case class.
- */
-class PHPTestCase extends DrupalWebTestCase {
- protected $php_code_format;
-
- function setUp() {
- parent::setUp('php');
-
- // Create and login admin user.
- $admin_user = $this->drupalCreateUser(array('administer filters'));
- $this->drupalLogin($admin_user);
-
- // Verify that the PHP code text format was inserted.
- $php_format_id = 'php_code';
- $this->php_code_format = filter_format_load($php_format_id);
- $this->assertEqual($this->php_code_format->name, 'PHP code', t('PHP code text format was created.'));
-
- // Verify that the format has the PHP code filter enabled.
- $filters = filter_list_format($php_format_id);
- $this->assertTrue($filters['php_code']->status, t('PHP code filter is enabled.'));
-
- // Verify that the format exists on the administration page.
- $this->drupalGet('admin/config/content/formats');
- $this->assertText('PHP code', t('PHP code text format was created.'));
-
- // Verify that anonymous and authenticated user roles do not have access.
- $this->drupalGet('admin/config/content/formats/' . $php_format_id);
- $this->assertFieldByName('roles[1]', FALSE, t('Anonymous users do not have access to PHP code format.'));
- $this->assertFieldByName('roles[2]', FALSE, t('Authenticated users do not have access to PHP code format.'));
- }
-
- /**
- * Create a test node with PHP code in the body.
- *
- * @return stdObject Node object.
- */
- function createNodeWithCode() {
- return $this->drupalCreateNode(array('body' => array(LANGUAGE_NONE => array(array('value' => '')))));
- }
-}
-
-/**
- * Tests to make sure the PHP filter actually evaluates PHP code when used.
- */
-class PHPFilterTestCase extends PHPTestCase {
- public static function getInfo() {
- return array(
- 'name' => 'PHP filter functionality',
- 'description' => 'Make sure that PHP filter properly evaluates PHP code when enabled.',
- 'group' => 'PHP',
- );
- }
-
- /**
- * Make sure that the PHP filter evaluates PHP code when used.
- */
- function testPHPFilter() {
- // Log in as a user with permission to use the PHP code text format.
- $php_code_permission = filter_permission_name(filter_format_load('php_code'));
- $web_user = $this->drupalCreateUser(array('access content', 'create page content', 'edit own page content', $php_code_permission));
- $this->drupalLogin($web_user);
-
- // Create a node with PHP code in it.
- $node = $this->createNodeWithCode();
-
- // Make sure that the PHP code shows up as text.
- $this->drupalGet('node/' . $node->nid);
- $this->assertText('print "SimpleTest PHP was executed!"', t('PHP code is displayed.'));
-
- // Change filter to PHP filter and see that PHP code is evaluated.
- $edit = array();
- $langcode = LANGUAGE_NONE;
- $edit["body[$langcode][0][format]"] = $this->php_code_format->format;
- $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
- $this->assertRaw(t('Basic page %title has been updated.', array('%title' => $node->title)), t('PHP code filter turned on.'));
-
- // Make sure that the PHP code shows up as text.
- $this->assertNoText('print "SimpleTest PHP was executed!"', t("PHP code isn't displayed."));
- $this->assertText('SimpleTest PHP was executed!', t('PHP code has been evaluated.'));
- }
-}
-
-/**
- * Tests to make sure access to the PHP filter is properly restricted.
- */
-class PHPAccessTestCase extends PHPTestCase {
- public static function getInfo() {
- return array(
- 'name' => 'PHP filter access check',
- 'description' => 'Make sure that users who don\'t have access to the PHP filter can\'t see it.',
- 'group' => 'PHP',
- );
- }
-
- /**
- * Make sure that user can't use the PHP filter when not given access.
- */
- function testNoPrivileges() {
- // Create node with PHP filter enabled.
- $web_user = $this->drupalCreateUser(array('access content', 'create page content', 'edit own page content'));
- $this->drupalLogin($web_user);
- $node = $this->createNodeWithCode();
-
- // Make sure that the PHP code shows up as text.
- $this->drupalGet('node/' . $node->nid);
- $this->assertText('print', t('PHP code was not evaluated.'));
-
- // Make sure that user doesn't have access to filter.
- $this->drupalGet('node/' . $node->nid . '/edit');
- $this->assertNoRaw('