Hi everyone,
I'm the contributor of the Search Autocomplete module. It's a module providing autocompletion enhancement in forms on a Drupal website. A form (Search Theme Box, Search Block, etc.) is autocompleted with suggestions (node title, username, taxonomy name, ...).
I do provide some default possible forms and suggestions to use autocompletion "out-of-the-box". But in the new version of the module, I would like admin users to be able to add suggestions to the forms. For instance, let's say an admin wants to add all accessible file names stored in or attached to the articles of his website. To do so, he creates a new suggestion:
- give a name
- give the module dependencies: for instance, here the "upload" module.
- give the SQL query to retrieve the suggestion.
My question is on this third point: to add the suggestion about file names, I need the admin to give me the SQL query for that... and to store it in the DB. You see my question? This is a security issue; how should I handle it? Only users with the "admin search autocomplete" permission will be able to do so. But it's like allowing someone to execute PHP in an article: potentially, there is a security problem here.
I can't see how to do it without the query from the user. Do you have an idea? Should I just warn during the module installation to CAREFULLY give admin permissions on that module?
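One way to avoid storing admin-typed SQL at all, shown here as an added example that is not the Search Autocomplete module's code and not part of the post above: store a structured suggestion definition (table, column, optional filter) and validate every identifier against an allowlist before any SQL is assembled. Plain PHP with PDO and an in-memory SQLite table stands in for Drupal's `db_query()` so the snippet runs stand-alone; the table and column names in the allowlist and the sample rows are constructed, and in a real module the allowlist would be derived from the schema of the enabled modules rather than hard-coded.

```php
<?php
// Added example (not part of the Search Autocomplete module): the admin form
// describes a suggestion source from known pieces instead of supplying SQL.
// PDO + SQLite stand in for Drupal's db_query() so this runs stand-alone.

// Allowlist of table => columns an admin may reference (constructed here; a
// real module would build it from the installed schema).
const SUGGESTION_SOURCES = [
  'node'      => ['title', 'type'],
  'users'     => ['name'],
  'term_data' => ['name'],
  'files'     => ['filename'],
];

/**
 * Validate an admin-supplied suggestion definition against the allowlist.
 * Returns the definition unchanged, or throws InvalidArgumentException.
 */
function validate_suggestion_definition(array $def): array {
  $table  = $def['table'] ?? '';
  $column = $def['column'] ?? '';
  if (!isset(SUGGESTION_SOURCES[$table])) {
    throw new InvalidArgumentException("Table '$table' is not an allowed suggestion source.");
  }
  if (!in_array($column, SUGGESTION_SOURCES[$table], true)) {
    throw new InvalidArgumentException("Column '$column' is not allowed on table '$table'.");
  }
  // The optional filter is restricted to an allowlisted column and a scalar
  // value; the value becomes a bound parameter, never text inside the SQL.
  if (isset($def['filter'])) {
    [$fcol, $fval] = $def['filter'];
    if (!in_array($fcol, SUGGESTION_SOURCES[$table], true)) {
      throw new InvalidArgumentException("Filter column '$fcol' is not allowed on table '$table'.");
    }
    if (!is_scalar($fval)) {
      throw new InvalidArgumentException('Filter value must be a scalar.');
    }
  }
  return $def;
}

/**
 * Build the SQL string and bound parameters for a validated definition.
 * Identifiers come only from the allowlist; the typed prefix and the filter
 * value are always placeholders.
 */
function build_suggestion_query(array $def, string $prefix, int $limit = 10): array {
  $def = validate_suggestion_definition($def);
  $sql = sprintf("SELECT %s AS suggestion FROM %s WHERE %s LIKE :prefix ESCAPE '!'",
                 $def['column'], $def['table'], $def['column']);
  // Escape LIKE wildcards typed by the visitor so '%' or '_' match literally.
  $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $prefix);
  $params  = [':prefix' => $escaped . '%'];
  if (isset($def['filter'])) {
    [$fcol, $fval] = $def['filter'];
    $sql .= " AND $fcol = :fval";
    $params[':fval'] = $fval;
  }
  $sql .= ' ORDER BY suggestion LIMIT ' . (int) $limit;
  return [$sql, $params];
}

/** Execute a suggestion definition and return the matching values. */
function run_suggestion(PDO $db, array $def, string $prefix): array {
  [$sql, $params] = build_suggestion_query($def, $prefix);
  $stmt = $db->prepare($sql);
  $stmt->execute($params);
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demo with constructed data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE files (fid INTEGER, filename TEXT)');
$db->exec("INSERT INTO files VALUES (1, 'report.pdf'), (2, 'readme.txt'), (3, 'rules.odt')");

$fileNames = ['table' => 'files', 'column' => 'filename'];
print_r(run_suggestion($db, $fileNames, 're'));

// A definition naming anything outside the allowlist is rejected before any
// SQL exists, so the admin form can only describe a query, never supply one.
try {
  run_suggestion($db, ['table' => 'node_revisions', 'column' => 'body'], 're');
} catch (InvalidArgumentException $e) {
  echo 'Rejected: ' . $e->getMessage() . "\n";
}
```

With this shape the "admin search autocomplete" permission only grants the ability to pick from sources the module already knows about, so a compromised or careless admin account cannot turn the suggestion feature into a general query interface; the module dependency field from the post would simply decide which tables are present in the allowlist.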