preventing drupal headaches: permissions and roles checklist

Post on 27-Jan-2015


PERMISSIONS CHECKLIST

Friday, January 31, 14

training.acquia.com/events

Who is this for?
• New to Drupal?
• Starting a new Drupal site!
• Inherited a new Drupal site and want to know more about configuration

In this demo
• Permissions and roles basics
• Tools for improving security checking
• Common danger zones: WYSIWYG and Views
• Hidden per-module permissions you might miss.

Not in this demo
• General security best practices around external libraries, theming, custom code, etc. drupal.org/security/secure-configuration
• Writing secure code drupal.org/writing-secure-code
• How to report security issues drupal.org/security-team/report-issue

The basics

Add roles

Organize roles

Inherited settings

Permissions to watch
• Comment management
• Block editing permissions
• Menu editing permissions
• Select modules which give you more granular permissions.

Core configuration
• Create an “Admin” account for yourself. Use user/1 when needed.
• Comment settings
• Content type settings
• Contact form settings
• Account settings (not under permissions!)

Account settings 1

Account check
• Who can create accounts?
• Contact form
• Signatures
• User picture upload?
• To delete: Disable accounts and keep content.

Account settings 2

Two helpful modules!

Security review module

https://drupal.org/project/security_review

Configure untrusted

Review results

Review results

Test as you develop
• Create test user accounts for each role.
• Use other browsers
• Use “incognito mode” in Chrome or other
• Use Masquerade

Development tool
• Not in a live production site. Disable, remove.

Masquerade demo
• Add test user accounts for each role
• Configure the administrators
• What users to switch between
• Place the block

acquia.com/insight

Modules with specific permissions

Surprise!

What to check?
• Any modules which have specific permissions per role.
• Check custom modules.
• Use Masquerade to check per-role abilities.
• Check site as anonymous.

Flag
• Basic permissions

Flag permissions
• Permissions per flag

Webform
• Configure per webform

IMCE

Commons - Organic Groups
• Content permissions across the site

Commons - Organic Groups
• Group-specific permissions

Commons - Organic Groups
• Group-specific roles

Other modules
• Field permissions
• Taxonomy access control
• Workbench
• Many more!

WYSIWYG

WYSIWYG settings

Danger here

Careful

Dangerous tags
• SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, SPAN, BASE, TABLE, TR, TD.
• Visit https://drupal.org/node/224921 “Configuring text formats (aka input formats) for security”
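As an added example (not from the slides or from Drupal itself), a small Python checker that parses a Drupal 7 filter_html "allowed_html" setting and reports which of the tags listed above each role's text formats admit, treating a format with no HTML filter as the worst case; the format and role data it runs on are constructed, not exported from a real site.

```python
import re

# Tags the slide lists as dangerous when a text format allows them.
DANGEROUS_TAGS = {
    "script", "img", "iframe", "embed", "object", "input", "link", "style",
    "meta", "frameset", "div", "span", "base", "table", "tr", "td",
}
# Roles untrusted visitors hold: a finding here is the worst case.
UNTRUSTED_ROLES = {"anonymous user", "authenticated user"}


def parse_allowed_html(allowed_html):
    """Turn a filter_html value like '<a> <em> <img>' into a set of tag names."""
    return {t.lower() for t in re.findall(r"<\s*([a-zA-Z][a-zA-Z0-9]*)", allowed_html)}


def dangerous_tags_in(allowed_html):
    """Return the dangerous tags a format's whitelist admits, sorted."""
    return sorted(parse_allowed_html(allowed_html) & DANGEROUS_TAGS)


def review_formats(formats, role_formats):
    """formats: {name: {"filter_html": bool, "allowed_html": str}}
    role_formats: {role: [format names the role may use]}
    Returns {role: {format: (severity, problem)}} for every risky grant."""
    findings = {}
    for role, names in role_formats.items():
        for name in names:
            fmt = formats[name]
            if not fmt["filter_html"]:
                problem = "no HTML filter: every tag, including <script>, passes"
            else:
                bad = dangerous_tags_in(fmt["allowed_html"])
                if not bad:
                    continue  # whitelist contains nothing from the danger list
                problem = "allows dangerous tags: " + ", ".join(bad)
            severity = "high" if role in UNTRUSTED_ROLES else "medium"
            findings.setdefault(role, {})[name] = (severity, problem)
    return findings


# Constructed sample configuration; not exported from a real site.
SAMPLE_FORMATS = {
    "filtered_html": {"filter_html": True, "allowed_html": "<a> <em> <strong> <ul> <li>"},
    "rich_text": {"filter_html": True, "allowed_html": "<a> <p> <img> <div> <iframe>"},
    "full_html": {"filter_html": False, "allowed_html": ""},
}
SAMPLE_ROLE_FORMATS = {
    "anonymous user": ["filtered_html"],
    "authenticated user": ["filtered_html", "rich_text"],
    "editor": ["rich_text", "full_html"],
}
```

Run `review_formats(SAMPLE_FORMATS, SAMPLE_ROLE_FORMATS)` to see that only the authenticated and editor grants are flagged, the anonymous format being clean.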

Mollom!

Views

Custom admin view

Admin settings

Role permissions? No.

Better than role perms

Choose permission

Recap