3.4. Smart Configuration of Core
One of the fastest and easiest ways to make your site insecure is through improper configuration of two specific areas: user permissions and input formats.
3.4.1. User Permissions
As discussed in Chapter 1, user permissions govern the authorization of a role, and roles govern the authorization of users within the role. The page has been compared to a vast sea of check boxes, and with a single errant click, you can create a gaping security hole in your site. Figure 3-7 shows the top of the sea of check boxes.
The two biggest problems with this page are that it is easy for an administrator to accidentally click a check box for an unintended role and that it is often difficult to tell whether it is safe to grant a permission to a role. The best advice to prevent mistakes on this page is to be patient when granting roles and confirm each change you make.
One handy trick is to edit permissions from the path http://example.com/admin/user/permissions/1, which is accessible via http://example.com/admin/user/roles and clicking the links for Edit Permissions. From this role-specific page it is much more difficult to accidentally grant a permission to the wrong role. If you are unsure about what a specific permission, such as "administer books," does, you can search through the code for "administer books," which you will find in all sections of code governed by that permission.
3.4.2. Input Formats and Filters
One of Drupal's great features is the input ...
Get Cracking Drupal®: A Drop in the Bucket now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
