Preventing Drupal Headaches: Permissions and Roles Checklist
Uploaded by acquia
Transcript of Preventing Drupal Headaches: Permissions and Roles Checklist
PERMISSIONS CHECKLIST
1Friday, January 31, 14
training.acquia.com/events
Who is this for?
• New to Drupal?
• Starting a new Drupal site!
• Inherited a new Drupal site and want to know more about configuration
In this demo
• Permissions and roles basics
• Tools for improving security checking
• Common danger zones: WYSIWYG and Views
• Hidden per-module permissions you might miss.
Not in this demo
• General security best practices around external libraries, theming, custom code, etc.: drupal.org/security/secure-configuration
• Writing secure code: drupal.org/writing-secure-code
• How to report security issues: drupal.org/security-team/report-issue
The basics
Add roles
Organize roles
Inherited settings
Permissions to watch
• Comment management
• Block editing permissions
• Menu editing permissions
• Select modules which give you more granular permissions.
Core configuration
• Create an “Admin” account for yourself. Use user/1 when needed.
• Comment settings
• Content type settings
• Contact form settings
• Account settings (not under permissions!)
Account settings 1
Account check
• Who can create accounts?
• Contact form
• Signatures
• User picture upload?
• To delete: Disable accounts and keep content.
Account settings 2
Two helpful modules!
Security review module
https://drupal.org/project/security_review
Configure untrusted
Review results
Test as you develop
• Create test user accounts for each role.
• Use other browsers
• Use “incognito mode” in Chrome or other
• Use Masquerade
Development tool
• Not in a live production site. Disable, remove.
Masquerade demo
• Add test user accounts for each role
• Configure the administrators
• What users to switch between
• Place the block
acquia.com/insight
Modules with specific permissions
Surprise!
What to check?
• Any modules which have specific permissions per role.
• Check custom modules.
• Use Masquerade to check per-role abilities.
• Check the site as anonymous.
Flag
• Basic permissions
Flag permissions
• Permissions per flag
Webform
• Configure per webform
IMCE
Commons - Organic Groups
• Content permissions across the site
Commons - Organic Groups
• Group-specific permissions
Commons - Organic Groups
• Group-specific roles
Other modules
• Field permissions
• Taxonomy access control
• Workbench
• Many more!
WYSIWYG
WYSIWYG settings
Danger here
Careful
Dangerous tags
• SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, SPAN, BASE, TABLE, TR, TD.
• Visit https://drupal.org/node/224921: “Configuring text formats (aka input formats) for security”
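As an added example (not from the slides or from Acquia): a small Python audit that applies the tag list above to a site's text-format configuration, reporting which dangerous tags each role can publish through the formats it is allowed to use. The text formats and the role-to-format mapping are constructed sample data standing in for what Drupal's text-format settings and the "use text format" permissions show; in a real site you would export them rather than hard-code them.

```python
import re

# Tag list from the slide "Dangerous tags".
DANGEROUS_TAGS = {
    "script", "img", "iframe", "embed", "object", "input", "link", "style",
    "meta", "frameset", "div", "span", "base", "table", "tr", "td",
}

# Constructed sample: text formats in Drupal's "Allowed HTML tags" syntax
# ("<a> <em> <strong>"); None means no HTML filter at all (like Full HTML).
TEXT_FORMATS = {
    "filtered_html": "<a> <em> <strong> <cite> <blockquote> <ul> <ol> <li>",
    "wysiwyg": "<a> <em> <strong> <img> <div> <span> <table> <tr> <td>",
    "full_html": None,
}

# Constructed sample: which roles hold the "use text format X" permission.
ROLE_FORMATS = {
    "anonymous user": ["filtered_html"],
    "authenticated user": ["filtered_html", "wysiwyg"],
    "editor": ["filtered_html", "wysiwyg", "full_html"],
}


def parse_allowed_html(allowed):
    """Turn Drupal's '<a> <em>' allowed-tags string into a set of tag names."""
    if allowed is None:
        return None  # unrestricted format
    return {t.lower() for t in re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", allowed)}


def dangerous_tags_in_format(allowed):
    """Dangerous tags a single format lets through."""
    tags = parse_allowed_html(allowed)
    return set(DANGEROUS_TAGS) if tags is None else tags & DANGEROUS_TAGS


def audit(text_formats, role_formats):
    """Map each role to the dangerous tags it can publish via any of its formats."""
    report = {}
    for role, formats in role_formats.items():
        exposed = set()
        for fmt in formats:
            exposed |= dangerous_tags_in_format(text_formats[fmt])
        report[role] = sorted(exposed)
    return report


if __name__ == "__main__":
    for role, tags in audit(TEXT_FORMATS, ROLE_FORMATS).items():
        print(f"{'OK' if not tags else 'REVIEW':6} {role}: {', '.join(tags) or '-'}")
```

Any role other than trusted editors that shows up as REVIEW is a candidate for removing the "use text format" permission or tightening that format's allowed tags.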
Mollom!
Views
Custom admin view
Admin settings
Role permissions? No.
Better than role perms
Choose permission
Recap
https://www.acquia.com/resources/webinars/training-what-consider-writing-your-rfp