I'm currently using the views reference and passing in arguments with the PHP argument field enabled. There should be an option to disable this from being displayed on the edit pages. This can pose a great security risk if a basic editor has access to this input field. It's best to have an optional checkbox if this can be changed from its default value.
Comment | File | Size | Author |
---|---|---|---|
#1 | viewreference-php_perm-2014723-1.patch | 1.07 KB | ericras |
Comments
Comment #1
ericras commented:
Access to this definitely shouldn't be universal. Here's a very basic patch that uses the core 'use PHP for settings' perm.
The downside with this approach is that anyone who has the 'use PHP for settings' can now grant php access through this viewreference setting.
For something as sensitive as php execution access, this module should probably create its own permission.
Comment #2
ericras commented
Comment #4
danielb commented:
Thanks for drawing my attention to this. I've implemented an alternate solution which disables that option if the person setting up the field doesn't have that permission, and also if the last user to edit a node doesn't have the permission the PHP won't be executed either.
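The two checks discussed in this thread (hiding the PHP option from users without the permission, and refusing to evaluate stored PHP when the last editor of the node lacks it), combined with the dedicated permission suggested in comment #1, could look like the following in Drupal 7. This is an added example, not part of the original thread and not the module's committed code; the `mymodule` prefix, the function names, the `php_arguments` settings key and the permission name are hypothetical.

```php
<?php
// Added illustration for Drupal 7. "mymodule", the settings key and the
// permission name 'use PHP in view reference arguments' are hypothetical.

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    'use PHP in view reference arguments' => array(
      'title' => t('Use PHP in view reference arguments'),
      'description' => t('Enter PHP code that is evaluated to build view arguments.'),
      // Flags the permission as security-sensitive on the permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Builds the argument settings; the PHP option is hidden without the permission.
 */
function mymodule_argument_settings_form(array $settings) {
  $form['php_arguments'] = array(
    '#type' => 'checkbox',
    '#title' => t('Allow PHP code in arguments'),
    '#default_value' => !empty($settings['php_arguments']),
    // When FALSE, Form API does not render the element and ignores any
    // submitted input for it, so the stored value cannot be changed.
    '#access' => user_access('use PHP in view reference arguments'),
  );
  return $form;
}

/**
 * Decides at render time whether stored PHP arguments may be evaluated.
 */
function mymodule_php_arguments_allowed($node, array $settings) {
  if (empty($settings['php_arguments'])) {
    return FALSE;
  }
  // The author of the current revision is the last user who saved the node.
  $editor = user_load($node->revision_uid);
  return $editor && user_access('use PHP in view reference arguments', $editor);
}
```

The render-time check matters because `#access` only protects the form: a value enabled earlier by a privileged user stays stored, so evaluation has to be gated separately.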
Comment #5
danielb commented