Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.1. Enabling the module Variable en sub module variable_realm and module Features
3. Create a new Feature admin/structure/features/create
2. Select under 'Realm variables' : 'Global: All variables'
3. 'drupal_private_key' is now exported into an .inc file
Part of exported file:
<?php
/**
* @file
* mysite_feature.variable.inc
*/
/**
* Implements hook_variable_realm_default_variables().
*/
function mysite_feature_variable_realm_default_variables() {
$realm_variables = array();
$realm_variables['global']['default'] = array(
'theme_default' => 'mysite',
'cron_key' => 'mSXOL9I5sQDo3Z68LDMntwT6N110Y6YagpjLCfUd3-c',
'drupal_private_key' => 'UrBkLB45AUWHfLt7sV0GCiN6wJhmKrdLcU8Wp8Zqk6Q',
'filter_fallback_format' => 'plain_text',
'date_api_version' => 7.2,
...
From DavidR
My two cents: I've always been under the impression that if you write sensitive code (and I think exporting a Feature counts as "writing code") it's your responsibility to make sure your server is blocking access to it. And as Jose Reyero noted above, the default .htaccess file shipped with Drupal core does its best to help you do that.
So I would vote for moving this discussion to the public issue queue.
The security team is ok with this being public.
Comments