As an exported relation type is PHP code, the import has security implications.
The 'administer relation types' permission currently used for the relation type import menu item does not mark it as such.
Solutions:
- add 'restrict access' = TRUE to 'administer relation types' permission
- create new permission and add 'restrict access' = TRUE
- do the access check as views module: user_access('administer relation types') && user_access('use PHP for settings')
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | 1372854-7.patch | 1.54 KB | mikran |
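
The new-permission option from the list above, combined with a views-style double check in the menu access callback, written for Drupal 7 as an added example. It is not the Relation module's code or the patch attached to this issue; the module name 'example_import', the menu path and the form are hypothetical.

```php
<?php
// Added example: hypothetical Drupal 7 module "example_import" (module name,
// menu path and form are assumptions, not the Relation module's code).

/**
 * Implements hook_permission().
 */
function example_import_permission() {
  return array(
    'use relation import' => array(
      'title' => t('Import relation types'),
      'description' => t('Import relation types from exported PHP code.'),
      // Adds the "trusted roles only; security implications" warning on the
      // permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 */
function example_import_menu() {
  $items['admin/structure/example-import'] = array(
    'title' => 'Import relation type',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_import_form'),
    // Custom callback so that both permissions are required.
    'access callback' => 'example_import_access',
  );
  return $items;
}

/**
 * Access callback: require the admin permission AND the restricted one.
 */
function example_import_access($account = NULL) {
  return user_access('administer relation types', $account)
    && user_access('use relation import', $account);
}

/**
 * Form builder: collects the exported code; processing it is out of scope.
 */
function example_import_form($form, &$form_state) {
  $form['import'] = array('#type' => 'textarea', '#title' => t('Exported relation type'), '#required' => TRUE);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Import'));
  return $form;
}
```
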
Comments
Comment #1
mikran commented: I think it's best to wait for the ctools solution, likely a new permission, from the linked issue.
Comment #2
naught101 commented: According to #1372850: Harden access check for flag import, there is a new "use ctools import" permission that flag is using. Any reason why we shouldn't do the same?
Comment #3
mikran commented: Yes, 'use ctools import' permission is in the current patch in #870938: Add new permission for controlling imports but that has not been committed to ctools yet.
Comment #4
mikran commented
Comment #5
mikran commented: Ctools issue is still not in so if we want a stable 1.0 relation we have to go alternate route. Flag module did 'use flag import' so based on that I think we should add a 'use relation import' permission.
Comment #6
mikran commented
Comment #7
mikran commented
Comment #9
Leeteq commented: That related cTools issue is now RTBC, perhaps it just needs some more heads up in order to be committed.
Comment #11
mikran commented: And that's in, so we will use it.
Comment #12
mikran commented
Comment #15
mikran commented: #2400705: Outdated version of dependencies are installed on the test-infrastructure. This happens here too.
Comment #25
mikran commented: Actually it makes no sense to use a permission from ctools as ctools is not even needed to import relation types. So the patch from #7 is correct after all.
Comment #27
mikran commented