I'm starting to go through the book Cracking Drupal by Greg Knaddison. The book is written primarily for developers and seems to cover a broad range of security topics specific to Drupal and lots of topics that apply to any web-based application.
Over the next week, I'll post some of the best gems I find in the book.
In this post, I'll share an issue I've seen a few times with the global user object.
When a user is logged into a site (or even when they are anonymous), their user information is stored in a global PHP variable called $user. If you're familiar with Drupal code at all, you've probably seen the global user object pulled into many functions, usually something like this:
<?php
function some_function() {
  global $user;
  // Do something with $user
}
?>
As a global variable, the $user object can be easily accessed by any function.
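As an added example (not code from the book or from this post), the following shows one consequence of that global reach: a function that declares global $user and then assigns to it replaces the logged-in user for the rest of the request, while keeping the loaded account in a local variable leaves the global alone. load_account() is a constructed stand-in for Drupal's user_load() so the script runs with plain PHP.

```php
<?php
// Added example: reassigning a variable bound with `global $user` changes
// the current user for every later function call in the request.
// load_account() is a constructed stand-in for Drupal's user_load().
function load_account($uid) {
  $account = new stdClass();
  $account->uid = $uid;
  $account->name = 'user' . $uid;
  return $account;
}

// Simulated logged-in user for this request (constructed sample).
$user = load_account(5);

// Problematic: `global $user` binds the name to the global slot, so the
// assignment below silently swaps the current user for the loaded one.
function notify_clobbering($uid) {
  global $user;
  $user = load_account($uid);
  return "mail to " . $user->name;
}

// Corrected: read the global if needed, keep any other loaded account in a
// local variable (Drupal convention: $account), and never assign to $user.
function notify_safe($uid) {
  global $user;
  $account = load_account($uid);
  return "mail to " . $account->name . " (sent by " . $user->name . ")";
}

// Any access check that reads the global sees whatever the last writer left.
function is_current_user($uid) {
  global $user;
  return $user->uid == $uid;
}

echo notify_safe(7), "\n";
echo "current uid after safe call: ", $user->uid, "\n";
var_dump(is_current_user(5));

echo notify_clobbering(7), "\n";
echo "current uid after clobbering call: ", $user->uid, "\n";
var_dump(is_current_user(5));
```

Run it with php on the command line and compare the two pairs of lines: only the clobbering call changes the uid reported afterwards and flips the check.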