- Gábor Hojtsy (Hungary)
Now that this is a contributed project, sites can remove it from their codebase. I think the issue dates back to being a core module.
In some high-security Drupal environments, systems administrators do not want any users, even trusted users, to be able to submit arbitrary PHP code for evaluation. A typical environment where this would be a concern would be one where there is no system-level separation of Drupal sites, but users are allowed to log in as user 1 to these sites. Custom code and contrib modules can be audited ahead of time, but there is no good mechanism to validate that user-submitted PHP code is not malicious.
Drupal core provides the php module to centralize the ability to disable PHP evaluation. Preventing this module from being enabled is easy to do using several methods. However, contrib modules do not adhere to a central method of allowing this functionality, and systems administrators that do not wish to allow user-submitted PHP (from even uid 1) are left with a limited set of modules to choose from.
To provide a system-wide method of preventing custom PHP from being eval'd, multiple steps need to occur.
Views uses a novel approach where it looks for the core PHP filter permission being set before allowing a user to submit PHP. This essentially reduces the sysadmin's job to figuring out a method of disallowing a single module from being enabled. However, the behavior is somewhat counter-intuitive since the real PHP filter isn't being used.
Many other modules, however, do not use this paradigm, and it is left up to the sysadmin to disable each method individually. A possible method would be to create a setting in settings.php that contrib modules can key off to disable their PHP eval functionality if the setting is found.
Status: Closed (works as designed)
Version: 1.0
Component: Code
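One way the settings.php switch proposed in the issue could look, as an added example that is not code from the issue, from Drupal core, or from any contrib module. It assumes Drupal 7's procedural API (`$conf`, `variable_get()`, `php_eval()`), and the variable name `php_eval_disabled` and the module `example_module` are hypothetical.

```php
<?php
// --- sites/default/settings.php -------------------------------------------
// $conf[] overrides are read by variable_get() and cannot be changed from the
// admin UI, so even uid 1 cannot flip the switch back on through a form.
// Variable name is a hypothetical choice for this example.
$conf['php_eval_disabled'] = TRUE;

// --- example_module.module (hypothetical contrib module) -------------------

/**
 * Returns TRUE when the site has globally disabled evaluation of user PHP.
 *
 * Every PHP-eval feature in the module keys off this one helper, giving the
 * sysadmin a single place to turn the feature off site-wide.
 */
function example_module_php_eval_disabled() {
  return (bool) variable_get('php_eval_disabled', FALSE);
}

/**
 * Implements hook_form_alter().
 *
 * Hides the PHP textarea on the module's (hypothetical) settings form and
 * adds a validator so a crafted request that still carries PHP is rejected.
 */
function example_module_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id != 'example_module_settings_form' || !example_module_php_eval_disabled()) {
    return;
  }
  $form['php_code']['#access'] = FALSE;
  $form['php_code']['#default_value'] = '';
  $form['#validate'][] = 'example_module_reject_php_validate';
}

/**
 * Form validation callback: refuse any PHP that arrives despite the UI change.
 */
function example_module_reject_php_validate($form, &$form_state) {
  if (!empty($form_state['values']['php_code'])) {
    form_set_error('php_code', t('Evaluation of user-submitted PHP is disabled on this site.'));
  }
}

/**
 * Execution point: the last guard before anything is handed to eval().
 * Returns NULL and logs when the site-wide switch is set.
 */
function example_module_run_php($code) {
  if (example_module_php_eval_disabled()) {
    watchdog('example_module', 'Blocked PHP evaluation: disabled site-wide.', array(), WATCHDOG_WARNING);
    return NULL;
  }
  return php_eval($code); // Core php module helper; only available when it is enabled.
}
```

Checking the flag at the execution point as well as in the form matters: stored PHP from before the setting was added, or values written by other modules, never pass through the form validator.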