Diffstat (limited to 'modules')
-rw-r--r-- | modules/block/block.admin.inc | 4 | ||||
-rw-r--r-- | modules/block/block.module | 9 | ||||
-rw-r--r-- | modules/php/php.module | 58 | ||||
-rw-r--r-- | modules/system/system.install | 9 |
4 files changed, 72 insertions, 8 deletions
diff --git a/modules/block/block.admin.inc b/modules/block/block.admin.inc index 5fcfbdbe8..c99973f47 100644 --- a/modules/block/block.admin.inc +++ b/modules/block/block.admin.inc @@ -190,7 +190,7 @@ function block_admin_configure(&$form_state, $module = NULL, $delta = 0) { '#collapsed' => TRUE, ); - $access = user_access('use PHP for block visibility'); + $access = user_access('use PHP for settings'); if ($edit['visibility'] == 2 && !$access) { $form['page_vis_settings'] = array(); $form['page_vis_settings']['visibility'] = array('#type' => 'value', '#value' => 2); @@ -200,7 +200,7 @@ function block_admin_configure(&$form_state, $module = NULL, $delta = 0) { $options = array(t('Show on every page except the listed pages.'), t('Show on only the listed pages.')); $description = t("Enter one page per line as Drupal paths. The '*' character is a wildcard. Example paths are %blog for the blog page and %blog-wildcard for every personal blog. %front is the front page.", array('%blog' => 'blog', '%blog-wildcard' => 'blog/*', '%front' => '<front>')); - if ($access) { + if (module_exists('php') && $access) { $options[] = t('Show if the following PHP code returns <code>TRUE</code> (PHP-mode, experts only).'); $description .= ' ' . t('If the PHP-mode is chosen, enter PHP code between %php. Note that executing incorrect PHP-code can break your Drupal site.', array('%php' => '<?php ?>')); } diff --git a/modules/block/block.module b/modules/block/block.module index ae79d143e..9a46ba7d4 100644 --- a/modules/block/block.module +++ b/modules/block/block.module 
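Review bot: The two access checks in block_admin_configure() now disagree: `$access = user_access('use PHP for settings');` is still used on its own in `if ($edit['visibility'] == 2 && !$access)`, while only the options list is guarded by `if (module_exists('php') && $access)`. For a caller that passes user_access() while the PHP module is disabled (user 1 presumably passes every permission check), a block already saved with visibility 2 skips the read-only branch yet is offered no option for value 2. Folding the module check into the variable keeps both branches consistent: `$access = module_exists('php') && user_access('use PHP for settings');` with the later test left as `if ($access) {`. The function continues outside both hunks.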
@@ -113,10 +113,6 @@ function block_perm() { 'title' => t('Administer blocks'), 'description' => t('Select which blocks are displayed, and arrange them on the page.'), ), - 'use PHP for block visibility' => array( - 'title' => t('Use PHP for block visibility'), - 'description' => t('Enter PHP code in the field for block visibility settings. %warning', array('%warning' => t('Warning: Give to trusted roles only; this permission has security implications.'))), - ), ); } @@ -608,8 +604,11 @@ function _block_load_blocks() { // is displayed only on those pages listed in $block->pages. $page_match = !($block->visibility xor $page_match); } + elseif (module_exists('php')) { + $page_match = php_eval($block->pages); + } else { - $page_match = drupal_eval($block->pages); + $page_match = FALSE; } } else { diff --git a/modules/php/php.module b/modules/php/php.module index de7371b7f..cd1ea53ca 100644 --- a/modules/php/php.module +++ b/modules/php/php.module 
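Review bot: The new `else { $page_match = FALSE; }` branch in _block_load_blocks() hides every block whose visibility is PHP-based as soon as the PHP module is disabled, and nothing in the hunk records that this fail-closed behaviour is deliberate rather than an oversight. A comment on the branch would make that explicit, e.g. `// PHP visibility code can only be evaluated by the PHP module; when it is disabled, hide the block rather than show it.` Note also that php_eval() is documented (in php.module) as returning the printed output as a string, so `$page_match` becomes truthy for any non-empty output other than '0' — the same as the replaced drupal_eval() call, but a `(bool)` cast would state the intent. The function continues outside the hunk.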
@@ -22,6 +22,62 @@ function php_help($path, $arg) { } /** + * Implementation of hook_perm(). + */ +function php_perm() { + return array( + 'use PHP for settings' => array( + 'title' => t('Use PHP for settings'), + 'description' => t('Enter PHP in settings fields where PHP is allowed. %warning', array('%warning' => t('Warning: Give to trusted roles only; this permission has security implications.'))), + ), + ); +} + +/** + * Evaluate a string of PHP code. + * + * This is a wrapper around PHP's eval(). It uses output buffering to capture both + * returned and printed text. Unlike eval(), we require code to be surrounded by + * <?php ?> tags; in other words, we evaluate the code as if it were a stand-alone + * PHP file. + * + * Using this wrapper also ensures that the PHP code which is evaluated can not + * overwrite any variables in the calling code, unlike a regular eval() call. + * + * @param $code + * The code to evaluate. + * @return + * A string containing the printed output of the code, followed by the returned + * output of the code. + */ +function php_eval($code) { + global $theme_path, $theme_info, $conf; + + // Store current theme path. + $old_theme_path = $theme_path; + + // Restore theme_path to the theme, as long as php_eval() executes, + // so code evaluated will not see the caller module as the current theme. + // If theme info is not initialized get the path from theme_default. + if (!isset($theme_info)) { + $theme_path = drupal_get_path('theme', $conf['theme_default']); + } + else { + $theme_path = dirname($theme_info->filename); + } + + ob_start(); + print eval('?>' . $code); + $output = ob_get_contents(); + ob_end_clean(); + + // Recover original theme path. + $theme_path = $old_theme_path; + + return $output; +} + +/** * Implementation of hook_filter_tips(). */ function php_filter_tips($delta, $format, $long = FALSE) { 
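Review bot: php_eval() performs no permission or format check of its own — it evaluates whatever `$code` it is handed — and its docblock does not say that the caller must gate on the 'use PHP for settings' permission (as block_admin_configure() does) or on filter format access (as php_filter() does). Add a docblock line such as `* Callers are responsible for ensuring the author of $code is trusted (e.g. via the 'use PHP for settings' permission); the string is evaluated unconditionally.` Separately, `$output = ob_get_contents(); ob_end_clean();` can be the single call `$output = ob_get_clean();`, and since there is no try block around the eval, an uncaught exception from the evaluated code would skip the `$theme_path` restore that follows it. The hunk also adds php_perm(); the `}` on its first context line appears to close php_help(), whose body lies outside the hunk.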
@@ -79,7 +135,7 @@ function php_filter($op, $delta = 0, $format = -1, $text = '') { case 'description': return t('Executes a piece of PHP code. The usage of this filter should be restricted to administrators only!'); case 'process': - return drupal_eval($text); + return php_eval($text); default: return $text; } diff --git a/modules/system/system.install b/modules/system/system.install index 8dc92d45c..ff05becf9 100644 --- a/modules/system/system.install +++ b/modules/system/system.install @@ -3430,6 +3430,15 @@ function system_update_7022() { } /** + * Change the PHP for settings permission. + */ +function system_update_7023() { + $ret = array(); + $ret[] = update_sql("UPDATE {role_permission} SET permission = 'use PHP for settings' WHERE permission = 'use PHP for block visibility'"); + return $ret; +} + +/** * @} End of "defgroup updates-6.x-to-7.x" * The next series of updates should start at 8000. */ |
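Review bot: system_update_7023() only renames the permission row and does not check whether the PHP module is enabled, yet the new block.module code evaluates PHP visibility settings only when module_exists('php') and otherwise hides the block. A site that granted 'use PHP for block visibility' without having the PHP module enabled would, as far as the visible code shows, see those blocks disappear after this update with no message. Either handle that case in the update or at least state it in the update's docblock, which currently reads `Change the PHP for settings permission.` and could instead say `Rename the 'use PHP for block visibility' permission to 'use PHP for settings'. PHP-based block visibility now requires the PHP module to be enabled.`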