Preventing Drupal Headaches: Permissions and Roles Checklist

Transcript of "Preventing Drupal Headaches: Permissions and Roles Checklist"

  1. PERMISSIONS CHECKLIST (Friday, January 31, 14)
  2. training.acquia.com/events
  3. Who is this for?
     • New to Drupal?
     • Inherited a new Drupal site and want to know more about configuration
     • Starting a new Drupal site!
  4. In this demo
     • Permissions and roles basics
     • Tools for improving security checking
     • Common danger zones: WYSIWYG and Views
     • Hidden per-module permissions you might miss.
  5. Not in this demo
     • General security best practices around external libraries, theming, custom code, etc.: drupal.org/security/secure-configuration
     • Writing secure code: drupal.org/writing-secure-code
     • How to report security issues: drupal.org/security-team/report-issue
  6. The basics
  7. Add roles
  8. Organize roles
  9. Inherited settings
  10. Permissions to watch
     • Comment management
     • Block editing permissions
     • Menu editing permissions
     • Select modules which give you more granular permissions.
  11. Core configuration
     • Create an “Admin” account for yourself. Use user/1 when needed.
     • Comment settings
     • Content type settings
     • Contact form settings
     • Account settings (not under permissions!)
  12. Account settings 1
  13. Account check
     • Who can create accounts?
     • Contact form
     • Signatures
     • User picture upload?
     • To delete: disable accounts and keep content.
  14. Account settings 2
  15. Two helpful modules!
  16. Security review module: https://drupal.org/project/security_review
  17. Configure untrusted
  18. Review results
  19. Review results
  20. Test as you develop
     • Create test user accounts for each role.
     • Use other browsers
     • Use “incognito mode” in Chrome or other browsers
     • Use Masquerade
  21. (image-only slide)
  22. Development tool
     • Not in a live production site. Disable, remove.
  23. Masquerade demo
     • Add test user accounts for each role
     • Configure the administrators
     • What users to switch between
     • Place the block
  24. acquia.com/insight
  25. Surprise! Modules with specific permissions
  26. What to check?
     • Any modules which have specific permissions per role.
     • Check custom modules.
     • Use Masquerade to check per-role abilities.
     • Check the site as anonymous.
  27. Flag
     • Basic permissions
  28. Flag permissions
     • Permissions per flag
  29. Webform
     • Configure per webform
  30. IMCE
  31. Commons - Organic Groups
     • Content permissions across the site
  32. Commons - Organic Groups
     • Group-specific permissions
  33. Commons - Organic Groups
     • Group-specific roles
  34. Other modules
     • Field permissions
     • Taxonomy access control
     • Workbench
     • Many more!
  35. WYSIWYG
  36. WYSIWYG settings
  37. Danger here
  38. Careful
  39. Dangerous tags
     • SCRIPT, IMG, IFRAME, EMBED, OBJECT, INPUT, LINK, STYLE, META, FRAMESET, DIV, SPAN, BASE, TABLE, TR, TD.
     • Visit https://drupal.org/node/224921, “Configuring text formats (aka input formats) for security”
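An added example, not part of the deck, that turns the "Dangerous tags" list and the "Configure untrusted" idea into a check: for every role not marked trusted, find the text formats it may use (Drupal 7's "use text format <name>" permission) whose allowed-tag list still contains one of those tags. The role names, formats and allowed-tag lists are constructed sample data, not an export from a real site.

```python
# Dangerous tags, taken from slide 39 of the deck.
DANGEROUS_TAGS = {
    "script", "img", "iframe", "embed", "object", "input", "link", "style",
    "meta", "frameset", "div", "span", "base", "table", "tr", "td",
}

# Constructed sample text formats: machine name -> allowed HTML tags.
# None means the format has no HTML filter (like core's "Full HTML").
TEXT_FORMATS = {
    "filtered_html": {"a", "em", "strong", "cite", "blockquote", "code",
                      "ul", "ol", "li", "dl", "dt", "dd"},
    "full_html": None,
    "forum_html": {"a", "em", "strong", "p", "img", "table", "tr", "td"},
}

# Constructed sample role -> permission grants, as on admin/people/permissions.
ROLE_PERMISSIONS = {
    "anonymous user": {"access content", "use text format filtered_html"},
    "authenticated user": {"access content", "use text format filtered_html",
                           "use text format forum_html"},
    "editor": {"use text format full_html"},
    "administrator": {"use text format full_html", "administer filters"},
}

PREFIX = "use text format "


def format_risks(allowed_tags):
    """Dangerous tags a format lets through; an unfiltered format lets all through."""
    if allowed_tags is None:
        return set(DANGEROUS_TAGS)
    return allowed_tags & DANGEROUS_TAGS


def audit(role_permissions, text_formats, trusted=("administrator",)):
    """Return {role: {format: sorted dangerous tags}} for every untrusted role."""
    findings = {}
    for role, perms in role_permissions.items():
        if role in trusted:
            continue
        for perm in perms:
            if not perm.startswith(PREFIX):
                continue
            fmt = perm[len(PREFIX):]
            # A format we have no definition for is treated as unfiltered (worst case).
            risky = format_risks(text_formats.get(fmt))
            if risky:
                findings.setdefault(role, {})[fmt] = sorted(risky)
    return findings


if __name__ == "__main__":
    for role, fmts in audit(ROLE_PERMISSIONS, TEXT_FORMATS).items():
        for fmt, tags in fmts.items():
            print(f"{role}: '{fmt}' allows {', '.join(tags)}")
```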
  40. Mollom!
  41. Views
  42. Custom admin view
  43. Admin settings
  44. Role permissions? No.
  45. Better than role perms
  46. Choose permission
  47. Recap
  48. https://www.acquia.com/resources/webinars/training-what-consider-writing-your-rfp