function paranoia_form_alter in Paranoia 8

Same name and namespace in other branches
  1. 5 paranoia.module \paranoia_form_alter()
  2. 6 paranoia.module \paranoia_form_alter()
  3. 7 paranoia.module \paranoia_form_alter()

Implements hook_form_alter().

Hides forms that accept PHP arrays for import, to avoid remote code execution (RCE). See http://heine.familiedeelstra.com/security/unserialize

File

./paranoia.module, line 275
Disables the PHP block visibility permission and gives a status error if a role has this permission. Disables the PHP module. Hides the PHP and paranoia modules from the modules page. Prevents user/1 editing which could give access to arbitrary contrib…

Code

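use Drupal\Core\Form\FormStateInterface;

function paranoia_form_alter(&$form, FormStateInterface $form_state, $form_id) {
  // Collect the IDs of risky forms from every module that implements
  // hook_paranoia_risky_forms().
  $forms_to_disable = \Drupal::moduleHandler()
    ->invokeAll('paranoia_risky_forms');
  // Key the list by form ID so the check below is a key lookup.
  $forms_to_disable = array_combine($forms_to_disable, $forms_to_disable);
  if (array_key_exists($form_id, $forms_to_disable)) {
    // Deny access to the whole form so it is not rendered.
    $form['#access'] = FALSE;
    // Also attach the module's always-fail validation handler.
    $form['#validate'][] = 'paranoia_form_validate_always_fail';
    // Tell the user why the form is unavailable.
    \Drupal::messenger()
      ->addError(t('This form is disabled for security reasons. See <a href="https://www.drupal.org/node/2313945">details</a> on why this form is disabled.'));
  }
}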