Preventing Drupal Headaches: Permissions and Roles Checklist

Uploaded by acquia

Page 1: Preventing Drupal Headaches: Permissions and Roles Checklist

PERMISSIONS CHECKLIST

Friday, January 31, 14

Page 2: training.acquia.com/events

Page 3: Who is this for?

• New to Drupal?
• Starting a new Drupal site!
• Inherited a new Drupal site and want to know more about configuration

Page 4: In this demo

• Permissions and roles basics
• Tools for improving security checking
• Common danger zones: WYSIWYG and Views
• Hidden per-module permissions you might miss.

Page 5: Not in this demo

• General security best practices around external libraries, theming, custom code, etc.: drupal.org/security/secure-configuration
• Writing secure code: drupal.org/writing-secure-code
• How to report security issues: drupal.org/security-team/report-issue

Page 6: The basics

Page 7: Add roles

Page 8: Organize roles

Page 9: Inherited settings

Page 10: Permissions to watch

• Comment management
• Block editing permissions
• Menu editing permissions
• Select modules which give you more granular permissions.

Page 11: Core configuration

• Create an “Admin” account for yourself. Use user/1 when needed.
• Comment settings
• Content type settings
• Contact form settings
• Account settings (not under permissions!)

Page 12: Account settings 1

Page 13: Account check

• Who can create accounts?
• Contact form
• Signatures
• User picture upload?
• To delete: Disable accounts and keep content.

Page 14: Account settings 2

Page 15: Two helpful modules!

Page 16: Security review module

https://drupal.org/project/security_review

Page 17: Configure untrusted

Page 18: Review results

Page 19: Review results

Page 20: Test as you develop

• Create test user accounts for each role.
• Use other browsers
• Use “incognito mode” in Chrome or other
• Use Masquerade


Page 22: Development tool

• Not in a live production site. Disable, remove.

Page 23: Masquerade demo

• Add test user accounts for each role
• Configure the administrators
• What users to switch between
• Place the block

Page 24: acquia.com/insight

Page 25: Modules with specific permissions

Surprise!

Page 26: What to check?

• Any modules which have specific permissions per role.
• Check custom modules.
• Use Masquerade to check per-role abilities.
• Check site as anonymous.

Page 27: Flag

• Basic permissions

Page 28: Flag permissions

• Permissions per flag

Page 29: Webform

• Configure per webform

Page 30: IMCE

Page 31: Commons - Organic Groups

• Content permissions across the site

Page 32: Commons - Organic Groups

• Group-specific permissions

Page 33: Commons - Organic Groups

• Group-specific roles

Page 34: Other modules

• Field permissions
• Taxonomy access control
• Workbench
• Many more!

Page 35: WYSIWYG

Page 36: WYSIWYG settings

Page 37: Danger here

Page 38: Careful

Page 39: Dangerous tags

• SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, SPAN, BASE, TABLE, TR, TD.
• Visit https://drupal.org/node/224921, “Configuring text formats (aka input formats) for security”
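The dangerous-tags check on this slide and the role inheritance behind the "Inherited settings" slide can both be run mechanically against a site's permission matrix. The Python below is an added example, not part of the deck and not the Security Review module's own code: it applies Drupal's rule that every logged-in role also receives the authenticated user's permissions, then reports, for the roles treated as untrusted (assumed here to be anonymous and authenticated, in the spirit of the "Configure untrusted" slide), any sensitive permission they hold and any text format they may use whose allowed tags include something from the list above. The sample site data, the role names and the shortlist of sensitive permissions are constructed; the `use text format <name>` permission string follows the Drupal 7 convention.

```python
"""Audit a Drupal 7 style role/permission matrix for two checklist items.

Added example, not from the slide deck or the Security Review module.
All site data below is constructed; role names and the sensitive-permission
shortlist are assumptions chosen to look like a Drupal 7 site.
"""

# Tags the deck lists as dangerous in a text format an untrusted role can use.
DANGEROUS_TAGS = {
    "script", "img", "iframe", "embed", "object", "input", "link", "style",
    "meta", "frameset", "div", "span", "base", "table", "tr", "td",
}

# Administrative permissions that should never reach an untrusted role.
# Constructed shortlist; a real audit would carry the site's full list.
SENSITIVE_PERMISSIONS = {
    "administer permissions", "administer users", "administer modules",
    "administer site configuration", "administer filters",
    "bypass node access", "administer nodes", "administer blocks",
    "administer menu", "administer comments",
}

ANONYMOUS = "anonymous user"
AUTHENTICATED = "authenticated user"


def effective_permissions(role_perms, role):
    """Drupal grants every logged-in role the authenticated user's permissions
    on top of its own, so that inheritance is applied before any check."""
    perms = set(role_perms.get(role, ()))
    if role != ANONYMOUS:
        perms |= set(role_perms.get(AUTHENTICATED, ()))
    return perms


def parse_allowed_html(allowed_html):
    """Turn a Drupal 'Allowed HTML tags' string such as '<a> <em> <img>'
    into a set of lower-case tag names."""
    return {t.strip("<> ").lower() for t in allowed_html.split() if t.strip("<> ")}


def audit(role_perms, text_formats, untrusted_roles):
    """Return a list of (role, finding) tuples for the untrusted roles.

    Check 1: sensitive permissions held (directly or by inheritance).
    Check 2: usable text formats whose allowed tags include a dangerous tag.
    """
    findings = []
    for role in sorted(untrusted_roles):
        perms = effective_permissions(role_perms, role)
        for perm in sorted(perms & SENSITIVE_PERMISSIONS):
            findings.append((role, f"holds sensitive permission '{perm}'"))
        for fmt, allowed_html in sorted(text_formats.items()):
            if f"use text format {fmt}" not in perms:
                continue
            risky = parse_allowed_html(allowed_html) & DANGEROUS_TAGS
            if risky:
                findings.append(
                    (role, f"can use text format '{fmt}' allowing {sorted(risky)}"))
    return findings


# Constructed sample site: one over-granted permission and one risky format.
SAMPLE_ROLE_PERMS = {
    "anonymous user": {"access content", "use text format plain_text"},
    "authenticated user": {"access content", "post comments",
                           "use text format filtered_html",
                           "administer comments"},  # the mistake to catch
    "editor": {"create article content", "use text format full_html"},
}
SAMPLE_TEXT_FORMATS = {
    "plain_text": "",
    "filtered_html": "<a> <em> <strong> <ul> <li> <img>",  # <img> is on the list
    "full_html": "<a> <img> <div> <span> <script>",          # trusted roles only
}
UNTRUSTED = {ANONYMOUS, AUTHENTICATED}  # assumed untrusted set

if __name__ == "__main__":
    for role, finding in audit(SAMPLE_ROLE_PERMS, SAMPLE_TEXT_FORMATS, UNTRUSTED):
        print(f"{role}: {finding}")
```

On the constructed data the script reports two findings, both against the authenticated user role: the over-granted "administer comments" and the filtered_html format allowing img. The editor role is not flagged because it is not in the untrusted set, but `effective_permissions` shows it silently inherits "administer comments" as well, which is the point of the "Inherited settings" slide: fixing the authenticated role fixes every role above it.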

Page 40: Mollom!

Page 41: Views

Page 42: Custom admin view

Page 43: Admin settings

Page 44: Role permissions? No.

Page 45: Better than role perms

Page 46: Choose permission

Page 47: Recap