Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I think a hook_menu_alter to just set access to FALSE would be a good solution. That way there can be a hook that lists pages to disable.
Views is the most obvious example of this feature. What else exists?
Comment | File | Size | Author |
---|---|---|---|
#33 | paranoia-block_additional_forms-2313945-33.patch | 6.57 KB | jmoreira |
| |||
#32 | paranoia-block_additional_forms-2313945-32.patch | 6.57 KB | John Bickar |
| |||
#1 | 2313945_avoid_import_php_forms.patch | 1.44 KB | greggles |
Comments
Comment #1
gregglesOK, here's a proof of concept that works on the views form.
Comment #2
gregglesBetter title.
Comment #3
gregglesComment #6
John Bickar CreditAttribution: John Bickar commentedNote that many of these implement their own permissions and bypass the core PHP permission.
We will look into providing a patch for the specific form fields, but it will be a couple of weeks due to the holidays.
Comment #7
gregglesThanks for documenting them and
I hope you can make time for it - would be very much appreciated!
Comment #8
John Bickar CreditAttribution: John Bickar commentedThis patch hits a few of them. I can't change the issue status.
Comment #9
greggles@John Bickar - when the issue is closed for a while then only a project member can reopen it. Thanks for the patch! I'll try to review soon :)
Comment #11
John Bickar CreditAttribution: John Bickar commentedSome of the modules identified use generic forms that can't be blocked (e.g.,
node_type_form
). But this should get a few more forms and one PHP permission.Comment #12
John Bickar CreditAttribution: John Bickar commentedVBO's "chainsaw mode" can be disabled with this in a hook_form_alter():
I can add that to the patch as well.
Comment #13
gregglesThe patch as is looks good to me. Adding #12 seems good - though I wonder what chainsaw mode is? Thanks.
Comment #14
John Bickar CreditAttribution: John Bickar commented"Execute arbitrary PHP script", AKA, "chainsaw mode" :)
Comment #15
gregglesI like your nickname for it :) I have yet to hurt myself with a chainsaw, but the temptation to risk is strong!
Moving to needs work for that bit.
Comment #16
John Bickar CreditAttribution: John Bickar commentedGo testbot...
Comment #17
John Bickar CreditAttribution: John Bickar commentedOh, huh. There's already code in paranoia.module that should be blocking the VBO chainsaw mode.
Comment #18
John Bickar CreditAttribution: John Bickar commentedOh, I see. In the current
paranoia_form_views_ui_config_item_form_alter()
, the conditional is too restrictive.if ($form['#section'] == 'page-field-views_bulk_operations')
doesn't evaluate to TRUE on every VBO (for example on admin_views_user). The approach that I took in the patch is a much bigger hammer.Comment #19
John Bickar CreditAttribution: John Bickar commentedComment #20
John Bickar CreditAttribution: John Bickar commentedPosting WIP so it doesn't get lost.
Comment #21
John Bickar CreditAttribution: John Bickar commentedComment #22
John Bickar CreditAttribution: John Bickar commentedOK, I think this is ready for review.
The attached patch does the following:
hook_form_FORM_ID_alter()
ctools_export_ui_edit_item_wizard_form
(e.g., Context, Delta, JS Injector, JW Player, OpenLayers, Services)Comment #23
John Bickar CreditAttribution: John Bickar commentedHm. The modules listed in
paranoia_paranoia_disable_modules()
also need to be added inparanoia_paranoia_hide_modules()
, otherwise a user can enable them.Comment #24
John Bickar CreditAttribution: John Bickar commentedOK let's try this.
Comment #25
cashwilliams CreditAttribution: cashwilliams at Acquia commentedI like the direction of this patch. I reviewed the list of modules suggested from #6 and see the few I couldn't confirm were executing PHP (such as openlayers) are not included in this patch.
Additionally I like the idea of disabling the field or form in a few places rather then just blacklisting the entire module from being enabled.
I've skimmed the patch but not had a chance to fully review or test.
Comment #26
John Bickar CreditAttribution: John Bickar commentedBlocking
ctools_export_ui_edit_item_wizard_form
takes care of PHP entry in Context, Delta, JS Injector, JW Player, OpenLayers, Services (they all have Import forms).This issue is conflated a bit with #2059963 but it does not hit everything listed in comment #12 in that issue.
Comment #27
John Bickar CreditAttribution: John Bickar commented@Cash, here is an install profile that contains all the modules. Run
drush make Stanford-Drupal-Profile/make/group.make --force-complete
to build it.Here is a Behat Feature that verifies the changes proposed in this patch.
Comment #28
John Bickar CreditAttribution: John Bickar commentedThe new patch does everything stated in #22, plus it blocks the permission to "restore from backup" (Backup and Migrate).
Comment #29
John Bickar CreditAttribution: John Bickar commentedThe attached patch does the following:
hook_form_FORM_ID_alter()
ctools_export_ui_edit_item_wizard_form
(e.g., Context, Delta, JS Injector, JW Player, OpenLayers, Services)Comment #30
John Bickar CreditAttribution: John Bickar commentedSame as #29, plus blocking the use of PHP in Views Contextual Filters. (See https://www.drupal.org/docs/7/modules/views/views-howtos/php-contextual-...).
I'm also hiding my other patches.
Comment #32
John Bickar CreditAttribution: John Bickar commentedReroll.
Comment #33
jmoreira CreditAttribution: jmoreira at Acquia commentedTested the functionalities mentioned in the patch and almost everything works except the bit with auto_nodetitle: I can still "Evaluate PHP in pattern." with user 1 because auto_nodetitle weight is set to 5 so Paranoia’s form_alter is overridden. It works fine with any other users (even admins), because auto_nodetitle sets #access based on the permission to use php which is hidden by paranoia but user 1 has all permissions by default. I'm not sure what the best fix would be here (just changing Paranoia's weight seem a bit hacky and dangerous?).
I'm also re-submitting the patch without the use of t with variable_get (see documentation here and here for more details).
Comment #34
John Bickar CreditAttribution: John Bickar commented@jmoreira, thanks! (I always get the usage of
t()
wrong invariable_get()
.I think the question of setting Paranoia's weight is a decision for the module maintainers. I would argue in favor of it, as the entire premise of the module is to be "heavy-handed".
Comment #35
John Bickar CreditAttribution: John Bickar commentedI have tested @jmoreira's patch with this suite of Behat tests. It's not a complete suite for the entire functionality of the Paranoia module, but it covers most of the functionality introduced in the patch.
Comment #36
gregglesThanks for all the work and reviews on this!
Regarding weights and a solution for auto_nodetitle - I wonder if paranaoia could just set that whole form to #access = FALSE for uid = 1? That's a bit of a blunt solution, but it would get the point across not to use uid 1 :) Something like that seems like it could/should be a followup, though.
Comment #38
gregglesI think the module space has changed enough that this shouldn't be "ported" to the Drupal 8 version of the module, so I'm going to mark it as fixed. Thanks!
Comment #39
John Bickar CreditAttribution: John Bickar commentedThanks @greggles!