[EXPORTING] Do not use Role ID in exports/features [#1464130]

Hi,

When workflow is exported or packaged in a feature, it uses role ids to save permissions.
The problem is that roles can also be exported in a feature and will probably have different ids after being reimported.
This can lead to security problems because all permissions are mixed.

If the file workflow.features.inc around line 128 we can read a warning about this issue.
Features module come with some builtin functions and Drupal API provide a user_role_load_by_name function which could allow to use role names instead of rids.

Regards.

Comments

Comment #1

Bastlynn CreditAttribution: Bastlynn commented 12 March 2012 at 19:56

Status:

Active

» Closed (duplicate)

This has been addressed in the latest update on #558378: Make workflows exportable with Features (D6) and has been committed to dev. Thanks :)

Comment #2

DuaelFr

he/him

French

Montpellier, France

CreditAttribution: DuaelFr commented 15 March 2012 at 11:40

No, thank YOU ! :)

Comment #3

kenorb CreditAttribution: kenorb commented 23 September 2014 at 14:52

Category:	Bug report	» Feature request
Issue summary:	View changes
Status:	Closed (duplicate)	» Active

I'm not sure if that ticket solved the problem completely.
Currently the export looks like:

  // Exported workflow: 'Foo'
  $workflows['Foo'] = entity_import('Workflow', '{
    "name" : "Foo",
    "tab_roles" : [],
    "options" : "a:3:{s:16:\\u0022comment_log_node\\u0022;i:0;s:15:\\u0022comment_log_tab\\u0022;i:0;s:13:\\u0022name_as_title\\u0022;i:0;}",
    "states" : {
      "1" : {"sid":"1","wid":"1","weight":"-50","sysid":"1","state":"(creation)","status":"1","name":"(creation)"},
      "2" : {"sid":"2","wid":"1","weight":"0","sysid":"0","state":"live","status":"1","name":"live"},
      "3" : {"sid":"3","wid":"1","weight":"0","sysid":"0","state":"draft","status":"1","name":"draft"},
      "4" : {"sid":"4","wid":"1","weight":"0","sysid":"0","state":"needs_approval","status":"1","name":"needs_approval"},
      "5" : {"sid":"5","wid":"1","weight":"0","sysid":"0","state":"needs_editing","status":"1","name":"needs_editing"},
      "6" : {"sid":"6","wid":"1","weight":"0","sysid":"0","state":"processing_","status":"1","name":"processing_"},
      "7" : {"sid":"7","wid":"1","weight":"0","sysid":"0","state":"expired_","status":"1","name":"expired_"},
      "8" : {"sid":"8","wid":"1","weight":"0","sysid":"0","state":"removed_","status":"1","name":"removed_"}
    },
    "transitions" : {
      "7" : {"tid":"7","sid":"1","target_sid":"4","roles":{"-1":-1,"3":"3"},"wid":"1","name":"10_13","label":""},
      "1" : {"tid":"1","sid":"1","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"10_17","label":""},
      "5" : {"tid":"5","sid":"1","target_sid":"3","roles":{"-1":-1,"3":"3"},"wid":"1","name":"10_12","label":""},
      "6" : {"tid":"6","sid":"1","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"10_14","label":""},
      "2" : {"tid":"2","sid":"1","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"10_11","label":""},
      "4" : {"tid":"4","sid":"1","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"10_16","label":""},
      "3" : {"tid":"3","sid":"1","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"10_15","label":""},
      "40" : {"tid":"40","sid":"2","target_sid":"2","roles":{"-1":-1,"3":"3"},"wid":"1","name":"11_11","label":""},
      "41" : {"tid":"41","sid":"2","target_sid":"3","roles":{"-1":-1,"3":"3"},"wid":"1","name":"11_12","label":""},
      "43" : {"tid":"43","sid":"2","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"11_14","label":""},
      "39" : {"tid":"39","sid":"2","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"11_15","label":""},
      "42" : {"tid":"42","sid":"2","target_sid":"4","roles":{"-1":-1,"3":"3"},"wid":"1","name":"11_13","label":""},
      "35" : {"tid":"35","sid":"3","target_sid":"3","roles":{"-1":-1,"3":"3"},"wid":"1","name":"12_12","label":""},
      "34" : {"tid":"34","sid":"2","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"11_17","label":""},
      "44" : {"tid":"44","sid":"3","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"12_15","label":""},
      "36" : {"tid":"36","sid":"3","target_sid":"4","roles":{"-1":-1,"3":"3"},"wid":"1","name":"12_13","label":""},
      "37" : {"tid":"37","sid":"3","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"12_14","label":""},
      "38" : {"tid":"38","sid":"2","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"11_16","label":""},
      "48" : {"tid":"48","sid":"5","target_sid":"3","roles":{"3":"3"},"wid":"1","name":"14_12","label":""},
      "53" : {"tid":"53","sid":"4","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"13_11","label":""},
      "52" : {"tid":"52","sid":"3","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"12_17","label":""},
      "54" : {"tid":"54","sid":"4","target_sid":"3","roles":{"3":"3"},"wid":"1","name":"13_12","label":""},
      "55" : {"tid":"55","sid":"4","target_sid":"4","roles":{"-1":-1,"3":"3"},"wid":"1","name":"13_13","label":""},
      "56" : {"tid":"56","sid":"5","target_sid":"5","roles":{"-1":-1,"3":"3"},"wid":"1","name":"14_14","label":""},
      "51" : {"tid":"51","sid":"4","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"13_14","label":""},
      "50" : {"tid":"50","sid":"4","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"13_15","label":""},
      "46" : {"tid":"46","sid":"4","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"13_16","label":""},
      "47" : {"tid":"47","sid":"5","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"14_11","label":""},
      "33" : {"tid":"33","sid":"3","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"12_11","label":""},
      "49" : {"tid":"49","sid":"5","target_sid":"4","roles":{"-1":-1,"3":"3"},"wid":"1","name":"14_13","label":""},
      "45" : {"tid":"45","sid":"3","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"12_16","label":""},
      "28" : {"tid":"28","sid":"7","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"16_15","label":""},
      "15" : {"tid":"15","sid":"7","target_sid":"3","roles":{"3":"3"},"wid":"1","name":"16_12","label":""},
      "14" : {"tid":"14","sid":"5","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"14_16","label":""},
      "16" : {"tid":"16","sid":"6","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"15_11","label":""},
      "17" : {"tid":"17","sid":"6","target_sid":"3","roles":{"3":"3"},"wid":"1","name":"15_12","label":""},
      "18" : {"tid":"18","sid":"6","target_sid":"4","roles":{"3":"3"},"wid":"1","name":"15_13","label":""},
      "13" : {"tid":"13","sid":"5","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"14_17","label":""},
      "12" : {"tid":"12","sid":"6","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"15_17","label":""},
      "8" : {"tid":"8","sid":"6","target_sid":"6","roles":{"-1":-1,"3":"3"},"wid":"1","name":"15_15","label":""},
      "9" : {"tid":"9","sid":"6","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"15_16","label":""},
      "10" : {"tid":"10","sid":"7","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"16_11","label":""},
      "11" : {"tid":"11","sid":"6","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"15_14","label":""},
      "19" : {"tid":"19","sid":"7","target_sid":"7","roles":{"-1":-1,"3":"3"},"wid":"1","name":"16_16","label":""},
      "20" : {"tid":"20","sid":"8","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"17_14","label":""},
      "27" : {"tid":"27","sid":"7","target_sid":"5","roles":{"3":"3"},"wid":"1","name":"16_14","label":""},
      "29" : {"tid":"29","sid":"5","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"14_15","label":""},
      "30" : {"tid":"30","sid":"7","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"16_17","label":""},
      "31" : {"tid":"31","sid":"7","target_sid":"4","roles":{"3":"3"},"wid":"1","name":"16_13","label":""},
      "26" : {"tid":"26","sid":"8","target_sid":"2","roles":{"3":"3"},"wid":"1","name":"17_11","label":""},
      "25" : {"tid":"25","sid":"8","target_sid":"3","roles":{"3":"3"},"wid":"1","name":"17_12","label":""},
      "21" : {"tid":"21","sid":"8","target_sid":"4","roles":{"3":"3"},"wid":"1","name":"17_13","label":""},
      "22" : {"tid":"22","sid":"8","target_sid":"6","roles":{"3":"3"},"wid":"1","name":"17_15","label":""},
      "23" : {"tid":"23","sid":"8","target_sid":"7","roles":{"3":"3"},"wid":"1","name":"17_16","label":""},
      "24" : {"tid":"24","sid":"8","target_sid":"8","roles":{"-1":-1,"3":"3"},"wid":"1","name":"17_17","label":""},
      "32" : {"tid":"32","sid":"4","target_sid":"8","roles":{"3":"3"},"wid":"1","name":"13_17","label":""}
    },
    "label" : "Foo",
    "typeMap" : [],
    "wid_original" : "1",
    "system_roles" : {
      "-1" : "(author)",
      "1" : "anonymous user",
      "2" : "authenticated user",
      "3" : "administrator"
    }
  }');

There are lots of numbers hardcoded such as tid, sid, target_sid, roles, wid. Is there any better way of handling it? E.g. via UUID?

Comment #4

kenorb CreditAttribution: kenorb commented 23 September 2014 at 14:55

Comment #5

johnv

Dutch

CreditAttribution: johnv commented 7 October 2014 at 19:30

Title:

Do not use role id in exports/features

» [EXPORTING] Do not use Role ID in exports/features

Comment #6

johnv

Dutch

CreditAttribution: johnv commented 10 October 2014 at 08:03

Status:

Active

» Closed (duplicate)

Please do not open a 3-year old issue.

As far for the ID's in the export: the export is a default CTOOLS/Features export. It contains numeric ID's, but they are all accompanied with machine names. Upon importing (using the Workflow class), the machine names are considered, not the numeric ID's.
Regarding Role Id's, there is a separate issue for Roles in translated sites.