Documentation of hook perm says "The permissions in the array do not need to be wrapped with the function t(), ...".

Wrapping the permission with t() can cause a privilege escalation:

function example_perm() {
  return array(t('administer example'), t('use example'));
}

Now translate 'administer example' into 'use example'. Any user who may 'use example' can now also 'administer example'.

The attached patch (for Drupal 6) says "The permissions in the array must not be wrapped with the function t(), since this could lead to privilege escalation. The string extractor takes care of extracting permission names defined in the perm hook for translation."

The documentation for user_access() could use a similar hint.

Drupal 7 might not be affected because Developers are unlikely to translate array keys.

CommentFileSizeAuthor
#9 310168again.patch1.64 KBarianek
#6 310168again.patch1.52 KBjhodgdon
#5 310168new.patch1.51 KBjhodgdon
#3 310168.patch1.23 KBjhodgdon
hook_perm.patch965 bytestraxer
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

add1sun’s picture

add1sun CreditAttribution: add1sun commented
Project: Documentation » Drupal core
Version: » 6.x-dev
Component: Correction/Clarification » documentation

Moving to correct queue for API docs.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented

I reviewed this, and agree it is a good idea. So I went ahead and committed it to D6 doc (contrib repository).

I think we do need a patch for D7, which I'll attach in a few minutes, because the current wording is misleading.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Version: 6.x-dev » 7.x-dev
FileSize
310168.patch1.23 KB

Here is a patch for D7 to clear up what should and shouldn't be translated. Also fixes 80-character wrapping issue in this function's doc.

Status: Needs review » Needs work

The last submitted patch failed testing.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs work » Needs review
FileSize
310168new.patch1.51 KB

Here's a new patch that should apply.

I moved stuff around so that all information pertinent to @return would stay together, and would be at the bottom of the function doc.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
FileSize
310168again.patch1.52 KB

Sorry, I was missing a newline in that patch.

Status: Needs review » Needs work

The last submitted patch failed testing.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Status: Needs work » Needs review

Setting back to Needs Review in hopes that the patch will get retested. The test bot was apparently malfunctioning (I had about 7 patches fail in that time period, all were doc, none broke the HEAD install I am pretty sure).

arianek’s picture

arianek CreditAttribution: arianek commented
FileSize
310168again.patch1.64 KB

applied this patch to D7 HEAD and got:

patching file modules/system/system.api.php
Hunk #1 succeeded at 650 with fuzz 2 (offset 96 lines).

i am not advanced enough to understand the actual issue, but re-rolling the patch for the testing bot.

jhodgdon’s picture

jhodgdon
she/her
Primary language English
CreditAttribution: jhodgdon commented
Issue tags: +Novice

Setting to "Novice", as a novice should be able to review this doc-only patch.

JuliaKM’s picture

JuliaKM CreditAttribution: JuliaKM commented
Status: Needs review » Reviewed & tested by the community

This patch applies cleanly and the description is easy-to-understand.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Status: Fixed » Closed (fixed)
Issue tags: -Novice

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue tags: +Novice

Restoring issue tags, see #2125755: System messages removed all issue tags during D7 upgrade.