Secure permissions for Drupal

Posted on November 22, 2009 by agentrickard

Sometimes, you read things on the web and they just stick in your head, randomly nagging at you to do something about them.

Well, on Friday, I ran across a tweet by @djay75, which I will repost here.

Governments trust plone. There are 5 times as many US gov #plone sites as #drupal, (e.g. FBI, CIA). Why? security

The link takes you to a Plone marketing page, which has this information:

Problem A2: Broken Access Control
How Plone handles this: Plone is based on the well-proven (7 years in production), flexible and granular ACL/roles-based security model of Zope. In addition, Plone utilizes an innovative workflow-based approach to security, which means that end-users never see or modify the security settings — they only work with security presets that have been supplied to them by the developers of the application. This greatly reduces the possibility of misconfigured security settings.

And, having been bitten by this in Drupal a few times, I looked at this line, "end-users never see or modify the security settings," and thought, "Hm, I wonder if you can do that in Drupal?"

Well, of course you can. The original module code took me about 2 hours (thanks to some nice new API features in Drupal 7). I spent another 2-3 hours polishing the documentation and the user interface (making it so you don't accidentally lock yourself out of your own site). And now, we have the Secure Permissions module for Drupal 7.

I can see this being very helpful in some use-cases, as site permissions and roles can be configured on a development site, then exported to code and loaded onto the production site.
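As an added illustration of that permissions-in-code workflow (this is not the Secure Permissions module's own code, nor code from this post), here is a small Drupal 7 module that declares each role's permissions in code and a helper that reports drift between that definition and what the live site actually grants. The hook name hook_secure_permissions($role), the module name mysite_perms, the role names and the permission lists are assumptions; user_roles() and user_role_permissions() are Drupal 7 core functions.

```php
<?php
// Added example, not the Secure Permissions module's own code. The hook
// name/signature hook_secure_permissions($role), the module name
// "mysite_perms", the role names and the permission lists are assumptions.

/**
 * Implements hook_secure_permissions() (assumed hook name).
 *
 * Every role's permissions live in code, so they are reviewed in version
 * control and deployed with the site instead of edited on production.
 */
function mysite_perms_secure_permissions($role) {
  $permissions = array(
    'anonymous user' => array('access content'),
    'authenticated user' => array('access content', 'access comments', 'post comments'),
    'editor' => array(
      'access content',
      'access comments',
      'post comments',
      'create article content',
      'edit own article content',
    ),
  );
  // Unknown roles get nothing: fail closed rather than open.
  return isset($permissions[$role]) ? $permissions[$role] : array();
}

/**
 * Reports roles whose live permissions differ from the code definition.
 *
 * Uses the Drupal 7 core functions user_roles() and user_role_permissions().
 * Returns an array keyed by role name with 'extra' (granted live, absent from
 * code) and 'missing' (in code, not granted live); empty means no drift.
 */
function mysite_perms_drift_report() {
  $report = array();
  $roles = user_roles();                  // rid => role name
  $live = user_role_permissions($roles);  // rid => array(perm => TRUE)
  foreach ($roles as $rid => $name) {
    $expected = mysite_perms_secure_permissions($name);
    $granted = isset($live[$rid]) ? array_keys($live[$rid]) : array();
    $extra = array_values(array_diff($granted, $expected));
    $missing = array_values(array_diff($expected, $granted));
    if ($extra || $missing) {
      $report[$name] = array('extra' => $extra, 'missing' => $missing);
    }
  }
  return $report;
}
```

Running mysite_perms_drift_report() on production after a deploy is a cheap check that nobody has hand-edited a role through the admin UI since the permissions were exported.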

Update: And I just realized, the entire module only has one SQL query in it. Big win for the Drupal APIs. And, for the record, the module is ~ 450 lines of code, probably half of which are comments.

Update 2: I just released the Drupal 6 version today.
