Change record status: 
Project: 
Introduced in branch: 
7.x
Introduced in version: 
7.50
Description: 

In Drupal 7 there was previously no dedicated permission to restrict administrative users from being able to use the field UI. This had security implications: any user with the "administer taxonomy" permission, for example, could add and delete fields on taxonomy terms as well as edit descriptions, labels etc. There have been numerous security advisories where vulnerabilities were fixed that were caused by access to the field UI. Therefore, access to the field UI is now protected with a new "administer fields" permission which should only be assigned to trusted user roles.

With Drupal 7.50 and above the new "administer fields" permission is required in addition to other administrative permissions to access the field UI.

Example for the node field UI:

  • Permissions required before 7.50: "administer content types"
  • Permissions required since 7.50: "administer content types" AND "administer fields"

Example for the taxonomy term field UI:

  • Permissions required before 7.50: "administer taxonomy"
  • Permissions required since 7.50: "administer taxonomy" AND "administer fields"

Notes for site builders and administrators

The database updates included with Drupal 7.50 automatically assign the new "administer fields" permission to any role that already has the "administer site configuration", "administer content types", or "administer users" permissions. This should allow most site administrators to continue using the field UI uninterrupted.

Any other user roles that are trusted and that should have access to the field UI must be granted the "administer fields" permission manually after updating to Drupal 7.50.

Notes for module developers

This change will likely break some contributed module automated tests. The solution is to update the tests to assign the "administer fields" permission to the appropriate test users.

For modules that provide entity types and that display a custom UI with "Manage fields" or "Manage display" links, this change might cause a minor problem in which the links are shown to some users who do not have permission to administer fields (and who will get an "access denied" message after clicking on them). For an example of how to fix this see #2735841: Update File Entity to avoid broken administrative links with the new core "administer fields" permission.
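The two developer notes above (tests that need the extra permission, and "Manage fields" / "Manage display" links shown to users who will only get "access denied") can be handled together. The following is an added example written for this page; it is not code from Drupal core, File Entity or any other project. The entity type `mything`, its permission `administer mything`, the bundle `thing` and the module name are hypothetical, and the test assumes the module's `hook_entity_info()` declares `admin/structure/mything/manage/%mything_type` as the bundle admin path so that Field UI attaches its tabs there.

```php
<?php
/**
 * @file
 * Added example for a contributed module that provides a fieldable entity
 * type. Not code from Drupal core or any real module; names are hypothetical.
 */

/**
 * Access callback: since 7.50 the Field UI needs BOTH the entity's own
 * administrative permission AND 'administer fields'. Use this wherever the
 * module itself renders a link into the Field UI, so the link is hidden
 * from users who would otherwise land on an "access denied" page.
 */
function mything_field_ui_access($account = NULL) {
  return user_access('administer mything', $account)
    && user_access('administer fields', $account);
}

/**
 * Implements hook_menu().
 */
function mything_menu() {
  $items['admin/structure/mything'] = array(
    'title' => 'My things',
    'page callback' => 'mything_overview_page',
    // Listing bundles only needs the entity's own permission.
    'access arguments' => array('administer mything'),
  );
  return $items;
}

/**
 * Page callback: lists bundles with per-bundle Field UI links.
 *
 * Core's Field UI already protects the tabs themselves; the point here is
 * that the module's *own* links are only rendered when the current user
 * would actually be allowed through.
 */
function mything_overview_page() {
  $rows = array();
  foreach (field_info_bundles('mything') as $bundle => $info) {
    $links = array();
    if (mything_field_ui_access()) {
      $links[] = l(t('manage fields'), "admin/structure/mything/manage/$bundle/fields");
      $links[] = l(t('manage display'), "admin/structure/mything/manage/$bundle/display");
    }
    $rows[] = array(check_plain($info['label']), implode(' | ', $links));
  }
  return array(
    '#theme' => 'table',
    '#header' => array(t('Bundle'), t('Operations')),
    '#rows' => $rows,
    '#empty' => t('No bundles defined.'),
  );
}

/**
 * Test adjustment: a test user that reaches the Field UI now needs
 * 'administer fields' as well. The first half of the test also documents
 * the behaviour change by asserting the 403 for the old permission set.
 */
class MythingFieldUiTestCase extends DrupalWebTestCase {
  public static function getInfo() {
    return array(
      'name' => 'Mything Field UI access',
      'description' => 'Checks the 7.50 "administer fields" requirement.',
      'group' => 'Mything',
    );
  }

  function setUp() {
    parent::setUp('mything', 'field_ui');
  }

  function testManageFieldsRequiresAdministerFields() {
    // Before 7.50 this user could reach the Field UI; since 7.50 it is denied
    // and the overview page no longer renders the links for it.
    $limited = $this->drupalCreateUser(array('administer mything'));
    $this->drupalLogin($limited);
    $this->drupalGet('admin/structure/mything');
    $this->assertNoLink(t('manage fields'));
    $this->drupalGet('admin/structure/mything/manage/thing/fields');
    $this->assertResponse(403);

    // Granting 'administer fields' in addition restores access.
    $trusted = $this->drupalCreateUser(array('administer mything', 'administer fields'));
    $this->drupalLogin($trusted);
    $this->drupalGet('admin/structure/mything');
    $this->assertLink(t('manage fields'));
    $this->drupalGet('admin/structure/mything/manage/thing/fields');
    $this->assertResponse(200);
  }
}
```

The same `mything_field_ui_access()` check can be reused from `hook_menu_local_tasks_alter()` or from any theme function that prints these links; what matters is that every place the module emits a link into the Field UI uses the combined check rather than the entity permission alone.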

Notes for installation profile developers

Profiles that intend to grant the ability to administer fields to roles other than the built-in administrator role will need to update their profile install code to assign these roles the "administer fields" permission directly.
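As an added example for the profile note above, and for the site-builder note that other trusted roles must be granted the permission manually after updating: the snippet below is written for this page and is not code from Drupal core's standard profile or any real profile. The profile name `myprofile` and the role names are hypothetical, and it assumes the profile (or a site-specific module holding the update hook) is enabled so that `hook_update_N()` runs from update.php.

```php
<?php
/**
 * @file
 * Added example for an install profile's .install file. Not code from any
 * real profile; profile and role names are hypothetical.
 */

/**
 * Implements hook_install().
 */
function myprofile_install() {
  // A "site builder" role trusted with the Field UI. Since Drupal 7.50
  // 'administer fields' is required in addition to the other permissions.
  $site_builder = new stdClass();
  $site_builder->name = 'site builder';
  $site_builder->weight = 2;
  user_role_save($site_builder);
  user_role_grant_permissions($site_builder->rid, array(
    'administer content types',
    'administer taxonomy',
    'administer fields',
  ));

  // An "editor" role that may manage terms but deliberately NOT fields.
  $editor = new stdClass();
  $editor->name = 'editor';
  $editor->weight = 3;
  user_role_save($editor);
  user_role_grant_permissions($editor->rid, array('administer taxonomy'));

  // The built-in administrator role receives every permission, including
  // 'administer fields', so it needs no special handling.
  $admin = new stdClass();
  $admin->name = 'administrator';
  $admin->weight = 4;
  user_role_save($admin);
  user_role_grant_permissions($admin->rid, array_keys(module_invoke_all('permission')));
  variable_set('user_admin_role', $admin->rid);
}

/**
 * Returns roles that hold a permission which gates some part of the Field UI
 * but lack 'administer fields', keyed by rid. Core's 7.50 update only covers
 * roles holding 'administer site configuration', 'administer content types'
 * or 'administer users'; a role with only 'administer taxonomy' (like the
 * "editor" role above) is not covered and must be reviewed by hand.
 */
function myprofile_roles_missing_administer_fields() {
  $gating = array(
    'administer site configuration',
    'administer content types',
    'administer users',
    'administer taxonomy',
  );
  $with_fields = user_roles(FALSE, 'administer fields');
  $missing = array();
  foreach ($gating as $permission) {
    foreach (user_roles(FALSE, $permission) as $rid => $name) {
      if (!isset($with_fields[$rid])) {
        $missing[$rid] = $name;
      }
    }
  }
  return $missing;
}

/**
 * Grant 'administer fields' to the profile's trusted roles on existing sites.
 */
function myprofile_update_7001() {
  $role = user_role_load_by_name('site builder');
  if ($role) {
    user_role_grant_permissions($role->rid, array('administer fields'));
  }
  // Report, but do not silently grant, for any other role that can still
  // reach parts of the administrative UI without 'administer fields'.
  $missing = myprofile_roles_missing_administer_fields();
  if ($missing) {
    return t('Roles without "administer fields" that may need review: @roles', array(
      '@roles' => implode(', ', $missing),
    ));
  }
}
```

Granting only to the named trusted role, and merely reporting the others, keeps the update from re-widening access that the core change deliberately narrowed.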

Impacts: 
Site builders, administrators, editors
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

nevergone:

7.50? Not 7.44?

Drupal, Git, Docker, Linux, PHP…

C13L0:

The release that includes this will probably be labeled Drupal 7.50 to indicate it contains some big changes (including this issue).

https://www.drupal.org/node/611294#comment-11240103

Cake, and grief counseling, will be available at the conclusion of the test

nevergone:

Related commit: http://cgit.drupalcode.org/drupal/commit/?h=7.x&id=c3bf7484b38a1821c1631...
Branch 7.x, after 7.43 and before 7.44

Drupal, Git, Docker, Linux, PHP…