Secure permissions for Drupal

22 November 2009

Well, on Friday, I ran across a tweet by @djay75, which I will repost here.

Sometimes, you read things on the web and they just stick in your head. Randomly nagging at you to do something about them.

Governments trust plone. There are 5 times as many US gov #plone sites as #drupal, (e.g. FBI, CIA). Why? security

The link takes you to a Plone marketing page, which has this information:

Problem A2: Broken Access Control

How Plone handles this: Plone is based on the well-proven (7 years in production), flexible and granular ACL/roles-based security model of Zope. In addition, Plone utilizes an innovative workflow-based approach to security, which means that end-users never see or modify the security settings — they only work with security presets that have been supplied to them by the developers of the application. This greatly reduces the possibility of misconfigured security settings.

And, having been bitten by this in Drupal a few times, I looked at this line, "end-users never see or modify the security settings", and thought, "Hm, I wonder if you can do that in Drupal?"

Well, of course you can. The original module code took me about 2 hours (thanks to some nice new API features in Drupal 7). I spent another 2-3 hours polishing the documentation and the user interface (making it so you don't accidentally lock yourself out of your own site). And now, we have the Secure Permissions module for Drupal 7.

I can see this being very helpful in some use-cases, as site permissions and roles can be configured on a development site, then exported to code and loaded onto the production site.

Update: And I just realized, the entire module only has one SQL query in it. Big win for the Drupal APIs. And, for the record, the module is ~450 lines of code, probably half of which are comments.

Update 2: I just released the Drupal 6 version today.