
I want to create a couple of PHP blocks that only I, as admin, have the ability to edit

From http://drupal.org/node/1046700:

Important note: There are security considerations in enabling the PHP filter module. The PHP input filter introduces the possibility for malicious users to attack your website with malicious scripts. You should only grant permission to use the PHP filter to people you trust. Also, make sure those you grant permission to are competent PHP coders as malformed code can break your website and stop it functioning altogether. It is a good idea to create a separate role for this module (and other potentially dangerous ones) like 'developer' or 'webmaster', distinct from 'administrator' who may be a Drupal expert but not an expert coder, so you can grant it only to those who fulfill such criteria.

Does this mean there are risks from external attacks, or am I good to add PHP blocks for my use only?

  • Believe the note from drupal is clear enough on this. It's okay, just make sure nobody malicious will EVER EVER EVER access an account with this permission. Commented Feb 28, 2013 at 11:19
  • Don't know why you would. I mean, the line that doesn't make sense is 'possibility for malicious users to attack your website with malicious scripts'; why would you ever give anyone this level of access who would be likely to trash your site? Commented Feb 28, 2013 at 11:40
  • It's just meant to scare off people who don't know what they're doing. Some people might not know exactly what PHP is and could be 'easily convinced' into giving people the right to use PHP. Commented Feb 28, 2013 at 11:46

2 Answers


The relevant part for you is the following one:

You should only grant permission to use the PHP filter to people you trust.

There is always a risk of exposing a site to possible attacks when writing code, and in fact the Drupal security team's task is to report security holes to the module maintainers so they can fix them.
With the PHP filter, the more immediate risk is that users who use it have access to any database table. It would be easy for somebody to change the user account's password, change the ownership of a node, etc.



They are just making sure you know you can get yourself in trouble if you give just anyone permission to the PHP code text format. They are also warning that if you mess up the PHP, it could mess up the site, no different than if you uploaded a PHP script that wasn't proper.

In people -> permissions, there is a permission "Use the PHP code text format". Make sure only roles you trust to use PHP have access to that. If you are using user 1 to manage your blocks, just leave it with no other roles having that permission. User 1 has permission to everything.

I'd also recommend having a different admin theme to mitigate the potential of a block with bad PHP preventing you from accessing your admin panel.
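The permission check this answer describes (and the exposure the previous answer warns about: anyone holding the permission has full database access through PHP) can be audited from the command line instead of by eye in People -> Permissions. The following drush script is an added example, not code from the question or either answer. It assumes Drupal 7, the version these posts are about, and that 'use text format php_code' is the machine name behind the "Use the PHP code text format" permission and 'use PHP for settings' the related permission that allows PHP in block visibility settings; the file name php_filter_audit.php and the $fix switch are also assumptions.

```php
<?php
/**
 * Added example (not from the original question or answers).
 *
 * Audit which roles on a Drupal 7 site may run PHP through the PHP filter
 * module, and optionally revoke that access. User 1 bypasses every
 * permission check, so no role needs these permissions for the site owner
 * to keep editing PHP blocks.
 *
 * Assumed permission machine names (Drupal 7, PHP filter module enabled):
 *   - 'use text format php_code': shown as "Use the PHP code text format"
 *   - 'use PHP for settings':     PHP in block visibility settings
 *
 * Run with drush so the site is fully bootstrapped:
 *   drush scr php_filter_audit.php
 */

// Set to TRUE to revoke the permissions from every role that has them.
$fix = FALSE;

$php_permissions = array('use text format php_code', 'use PHP for settings');
$problems = 0;

foreach ($php_permissions as $permission) {
  // user_roles() filtered by a permission returns rid => role name for
  // every role that has been granted it.
  $roles = user_roles(FALSE, $permission);
  if (empty($roles)) {
    drush_print("OK: no role has '$permission'.");
    continue;
  }

  foreach ($roles as $rid => $name) {
    $problems++;

    // The anonymous and authenticated roles are not stored in users_roles;
    // granting them this permission hands PHP execution to every visitor
    // or every registered account respectively.
    if ($rid == DRUPAL_ANONYMOUS_RID || $rid == DRUPAL_AUTHENTICATED_RID) {
      $affected = 'ALL accounts in this role';
    }
    else {
      $count = db_query('SELECT COUNT(*) FROM {users_roles} WHERE rid = :rid',
        array(':rid' => $rid))->fetchField();
      $affected = "$count account(s)";
    }
    drush_print("WARNING: role '$name' (rid $rid) has '$permission' ($affected).");

    if ($fix) {
      user_role_revoke_permissions($rid, array($permission));
      drush_print("  revoked '$permission' from '$name'.");
    }
  }
}

if ($problems && !$fix) {
  // Non-zero exit so the script can be wired into a routine check.
  drush_set_error('PHP_FILTER_EXPOSED',
    "$problems role/permission grant(s) allow PHP execution; set \$fix = TRUE to revoke them.");
}
```

Because the roles are read from the live role_permission table, the report reflects what a logged-in account can actually do, not what the permissions page was set to at some earlier time; if the site disables the PHP filter module later, the text format stays in the database and the same check still tells you who could use it when the module comes back.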

