Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
That fix for vertical tabs is unrelated to this issue and the bug was introduced elsewhere, but it's required to not break all JavaScript on the page. (empty vertical tabs)
Comment | File | Size | Author |
---|---|---|---|
#25 | administer-filters-followup-679530-25.patch | 5.99 KB | David_Rothstein |
#17 | drupal.filter-admin-access.17.patch | 6.63 KB | sun |
#16 | drupal.filter-admin-access.16.patch | 5.65 KB | sun |
#5 | drupal.filter-admin-access.5.patch | 5.61 KB | sun |
#3 | drupal.filter-admin-access.3.patch | 5.69 KB | sun |
Comments
Comment #2
sunAll but one of those failures indicate that not even Drupal core developers get filter permissions right.
Comment #3
sunComment #5
sunComment #8
sunGreen!
Comment #9
catchDo we really have to use filter_permission_name(2); here? Looks really, really odd and makes our core test reliance on default.profile worse. Otherwise looks fine though.
Comment #10
sunUnfortunately yes, since we didn't manage to (also) tackle #573852: Rename {filter_format}.name to .title and replace .format with machine-readable .name for D7.
Comment #11
catchFair enough. We're not going to change the default proile dependency for tests in D7 either.
Comment #12
webchickHm. I guess I'm one of those core developers, because I don't quite understand this patch from the description. In every other case "administer X" means "exempt from permission checking." This patch seems to break that mold?
Comment #13
sunValid question. However, we need to compare apples with apples. Other modules having a "administer X" permission do not use a granular per-item permission model. The only remotely related permission scenario is Node module's. And Node module rightfully provides a "bypass node access" permission, which takes it to the point. One of the major risks involved with the current auto-grant to all formats is that novice/regular site admins just see that they can access a certain text format, but someone else may complain not being able to. The shortest path to resolve the problem? Grant the "administer filters" permission. (KISS, with strong focus on 'stupid'.)
Comment #14
webchickHmmm. Yeah, I guess I can see that argument. I think it will cause its fair share of WTFs, but then again we have several hundred thousand documented cases of people screwing up text format configuration, and getting your site compromised is a much bigger WTF. :P~
I gotta run to supper, but I'll commit this later.
Comment #15
David_Rothstein CreditAttribution: David_Rothstein commentedYeah, I think this is a good idea. In addition to security, there is also a convenience aspect - just because I have "administer filters" doesn't necessarily mean I want every single text format on the site showing up in my dropdown with no way to remove them.
Comments on the patch:
I believe this test (and the others like it) will fail if run on a machine that has a database auto-increment not set to 1. Rather than hardcoding the integer, can't we do something like what the PHP module tests do in this situation? They do this:
Yes, it's ugly also :) But it works and is more readable.
Why remove the security warning? This is still a very, very dangerous permission.
OK, so actually, the security warning there is totally wrong to begin with - it should say the standard "Warning: Give to trusted roles only; this permission has security implications." (See my comment at #620446-16: Rewrite permission titles and descriptions.) We could probably just fix it as part of this patch - but either way, I don't see why it should be removed.
What is the reason for this change? In general I thought we try not to do this kind of thing - we either do object or ID, but not both.
I don't see why it's needed here except that the tests in the patch do
filter_permission_name(2)
; however, they could just as easily dofilter_permission_name(filter_format_load(2))
which is what is already done in other tests.Comment #16
sunFirst of all, straight re-roll against HEAD. Will try to tackle the review issues now.
Comment #17
sunAttached patch accounts for all review issues, except:
5) I don't support auto-granting permissions. For one, we have a shiny new admin role feature in D7 already. Second, when creating a new text format, the first visible option is a list of user role checkboxes - more than sufficient.
RTBC + 1 critical less? :)
Comment #19
sun#17: drupal.filter-admin-access.17.patch queued for re-testing.
Comment #21
sun#17: drupal.filter-admin-access.17.patch queued for re-testing.
Comment #22
sunFinal review and/or RTBC, anyone?
Comment #23
cosmicdreams CreditAttribution: cosmicdreams commentedI'll have some time to test this tomorrow sun. Subscribing.
Comment #24
Dries CreditAttribution: Dries commentedLooks good. Committed to CVS HEAD.
Comment #25
David_Rothstein CreditAttribution: David_Rothstein commentedThe wording here is inconsistent with the other permission warnings in core.
Here and elsewhere, the variable name shouldn't run words together; i.e., it should be $full_html_format.
Hm? What I am suggesting is that we actually USE the shiny new admin role feature here, rather than letting it be ignored :) And auto-checking a checkbox is not the same as auto-granting a permission...
To clarify, the admin role only gets new permissions automatically when a module is enabled, not when new dynamic permissions appear. That is a technical limitation, but from a user experience perspective it is not good - the average site administrator is not going to want to remember to have to check boxes for their admin role in some cases but not others. (Content type permissions theoretically have this issue too, when adding a new content type, but it's mitigated via the 'bypass node access' permission; here, though, we have removed the equivalent of the 'bypass text format access' permission, which is why we need to do something else or the experience of adding a new text format won't make sense.)
We need to make sure that administering a site using the admin role simple - but the patch committed here just made it harder. Auto-checking the checkbox fixes that for the 90% use case (and the other 10% can easily and conveniently uncheck the box).
I've addressed the above three issues in the attached patch.
Comment #26
sunok, now I understood what you meant :) Looks good, thanks!
Comment #27
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Thanks.