You are here

Home » API reference » Secure Permissions 7

README.txt in Secure Permissions 7

Same filename and directory in other branches
  1. 6 README.txt
  2. 7.2 README.txt

README file for Secure Permissions.

File

README.txt
View source 
  1. /**

  2.  * @file

  3.  * README file for Secure Permissions.

  4.  */

  5. 

  6. Secure Permissions

  7. Disables the user interface for creating and assigning roles and permissions.

  8. 

  9. CONTENTS

  10. --------

  11. 1.    Use case

  12. 2.    Installation

  13. 3.    Exporting settings to code

  14. 4.    Configuring the module

  15. 5.    API Hooks

  16. 5.1  hook_secure_permissions_roles()

  17. 5.2  hook_secure_permissions($role)

  18. 6.    To Do

  19. 

  20. Secure Permissions is an advanced security module for Drupal 7. Please

  21. read this document before continuing.

  22. 

  23. This module was inspired by some claims regarding superior security of the

  24. Plone platform. See, in particular, 'Problem A2: Broken Access Control' at

  25. http://plone.org/products/plone/security/overview/security-overview-of-plone

  26. 

  27. The module was inspired by @djay75 via Twitter.

  28. 

  29. ----

  30. 1. Use case

  31. 

  32. This module is designed for cases where you want control of Roles and

  33. Permissions only in a development environment. When fully enabled, this module

  34. will make it so that the live site cannot have its permissions modified, except

  35. through code.

  36. 

  37. It may be sufficient for most users to simply enable this module on the live

  38. site, and to disable it when it is no longer needed.

  39. 

  40. ----

  41. 2. Installation

  42. 

  43. Before installing this module you should configure the site Roles and

  44. Permissions as you see fit. After installing and configuring this module,

  45. changes to these settings can only be made through code.

  46. 

  47. On installation this module will have two immediate effects:

  48. 

  49.   1. Permissions will no longer be editable through the user interface.

  50.   2. Roles will no longer be editable through the user interface.

  51. 

  52. On many sites, this is sufficient. However, for advanced security, you

  53. have several additonal options. See sections 3 and 4 for details.

  54. 

  55. The module will also add a permission to your site, 'Export permission

  56. definitions'. This permission should be given to trusted roles before you

  57. continue.

  58. 

  59. Users with this permissions may configure this module and may export site

  60. Roles and Permissions to code.

  61. 

  62. ----

  63. 3. Exporting settings to code

  64. 

  65. Give your account the 'Export permission definitions' permission defined by the

  66. module or log in as the Site Maintenance user.

  67. 

  68. Find the link under People and Permissions >> Secure Permissions

  69. 

  70. Click the Export Permissions tab. It should take you to a form with two text

  71. areas, filled with PHP code.

  72. 

  73. The Secure permissions module stores the permissions in a module (file) that is

  74. inaccessible through the user interface.

  75. 

  76. You now need to create and enable that module in 4 easy steps.

  77. 

  78.    1. Create directory. cd to /sites/all/modules and issue the command:

  79.        mkdir secure_permissions_data

  80.    2. Create 2 empty files. cd to /sites/all/modules/secure_permissions_data and

  81.        issue the command: touch secure_permissions_data.info secure_permissions_data.module

  82.    3. Copy data. Copy the text from the fields below into the respective files you just

  83.        created using the tools of your choice.

  84.    4. Enable the module. Navigate to admin/build/modules/list and enable your new module.

  85. 

  86. To change permissions with the module enabled, you must now edit your

  87. secure_permissions_data.module file.

  88. 

  89. Now you are ready to configure the Secure Permissions module to run.

  90. 

  91. After editing the file navigate to /admin/user/secure_permissions/view, select

  92. 'Load permissions from code'and click 'Save configuration' to update the permissions.

  93. 

  94. You may rename the module; remember to rename all the functions.

  95. 

  96. Note that if you have set an administrative role, the permissions for that role will not

  97. be exported.

  98. 

  99. ----

  100. 4. Configuring the module

  101. 

  102. For advanced features of this module, you must export your Roles and Permissions

  103. to code. Since this cannot be done before the module is installed, the module

  104. will not enforce its rules until you tell it to do so.

  105. 

  106. To activate the module, navigate to:

  107. 

  108.   Administer > Configuration and Modules > People and Permissions > Secure

  109.   Permissions

  110. 

  111. Here, you can tell the Secure Permissions module how to behave. You have eight

  112. options that can be set. These are split into two groups, those that control the

  113. User Interface of Drupal, and those that affect how permissions are loaded from

  114. code via the API.

  115. 

  116.   USER INTERFACE SETTINGS

  117. 

  118.   'Disable permissions and roles forms'

  119.   Check to make the Roles and Permissions forms unchangeable. Users may

  120.   be able to view them, but cannot edit or submit them. Default is OFF.

  121.   You should enable this setting after granting your account the ability to

  122.   access 'Export permission definitions'.

  123. 

  124.   'Show permissions page'

  125.   Check to allow the Permissions page to be viewed by administrators.

  126.   Disabling this option will prevent users from seeing permission definitions

  127.   at all. Default is ON.

  128. 

  129.   'Show roles page'

  130.   Check to allow the Roles page to be viewed by administrators.

  131.   Disabling this option will prevent users from seeing role definitions

  132.   at all. Default is ON.

  133. 

  134.   'Display permissions updates'

  135.   Check to display messages when Secure Permissions reset site permissions.

  136.   Default is ON.

  137. 

  138.   API SETTINGS

  139. 

  140.   'Load permissions from code'

  141.   Check to activate the module's advanced features.

  142.   When set, the module will rebuild Roles and Permissions every time that

  143.   a module is enabled or disabled. Checking this option means that all

  144.   site Roles and Permissions will be managed in code. Default is OFF.

  145. 

  146.   NOTE: none of the following settings will be in effect if 'Load permissions

  147.   from code' is not enabled. Using these features is not required, however.

  148. 

  149.   'Reload default permissions on rebuild'

  150.   Check to have the module load Drupal's default permissions for the anonymous

  151.   and authenticated user roles when permissions are rebuilt. Default is OFF.

  152. 

  153.   'Use administrative role'

  154.   Check to include an administrative role from the site.

  155.   The 'administrator' role ships with Drupal, and has all site permissions. If

  156.   you uncheck this option, this role will be deleted. Default is ON.

  157. 

  158.   'Administrative role name'

  159.   Set to the name of the administrative role you wish to use.

  160.   If 'Use administrative role' is disabled, this value is not used.

  161.   Default is 'administrator'. Normally, you should not change this value.

  162.   NOTE: If using translations, this string should not be translated through

  163.   this setting.

  164. 

  165. ----

  166. 5. API hooks

  167. 

  168. The module functions by using two API hooks, described below. To use these

  169. functions you must place them in a custom module file and name them properly.

  170. 

  171. The export function will generate these hooks for you. The API is described

  172. here for developers.

  173. 

  174. ----

  175. 5.1 hook_secure_permissions_roles()

  176. 

  177. Defines the roles used by a site. These are keyed by the uniqueness of the role

  178. name, since we cannot guarantee the role id used by various sites.

  179. 

  180. WARNING: If you do not implement this hook, the module will reset your site

  181. roles to the roles that ship with Drupal's default install.

  182. 

  183. Note that the module implements this hook to ensure that the 'anonymous user'

  184. and 'authenticated user' roles always exist.

  185. 

  186. If the 'Use administrative role' is set to TRUE, the module will also maintain

  187. an administrative role that has all site permissions.

  188. 

  189. The hook returns a simple positional array of unique role names.

  190. 

  191.   function example_secure_permissions_roles() {

  192.     return array(

  193.       'editor',

  194.       'producer',

  195.     );

  196.   }

  197. 

  198. ----

  199. 5.2 hook_secure_permissions($role)

  200. 

  201. Defines the permissions assigned to each role. Typically, you will implement

  202. all permissions for your site in this hook.

  203. 

  204. This hook takes a $role string as an argument. You should respond with the

  205. appropriate permissions grants for that role. You should only return grants

  206. that are TRUE.

  207. 

  208.   function example_secure_permissions($role) {

  209.     $permissions = array(

  210.       'anonymous user' => array(

  211.         'access content',

  212.         'use text format 1',

  213.       ),

  214.       'authenticated user' => array(

  215.         'access comments',

  216.         'access content',

  217.         'post comments',

  218.         'post comments without approval',

  219.         'use text format 1',

  220.       ),

  221.       'editor' => array(

  222.         'bypass node access',

  223.         'administer nodes',

  224.       ),

  225.       'producer' => array(

  226.         'create page content',

  227.         'edit any page content',

  228.       ),

  229.     );

  230.     if (isset($permissions[$role])) {

  231.       return $permissions[$role];

  232.     }

  233.   }

  234. 

  235. 

  236. NOTE: The use of isset() is recommended here, since the hook will fire

  237. once per role, and it is possible that your module will not reply in all cases.

  238. 

  239. NOTE: If configured to do so, the module will return the default permissions

  240. defined by Drupal's installer. Disable the 'Reload default permissions on

  241. rebuild' setting to disable this behavior.