J4 Issue ?
vintzl
5 Aug 2019

Why can't we use PHP code in modules or articles?

Why not simply allow PHP code in articles/modules, by providing an option in Joomla?

Or provide us a way to do this without using extensions, by means of documentation, because I can find nowhere to start…

vintzl - open - 5 Aug 2019
joomla-cms-bot - change - 5 Aug 2019
Labels Added: ?
joomla-cms-bot - labeled - 5 Aug 2019
franz-wohlkoenig - change - 5 Aug 2019
Title: "Provide us an easy way to use PHP code in modules or articles?" changed to "[4.0] Provide us an easy way to use PHP code in modules or articles?"
franz-wohlkoenig - edited - 5 Aug 2019
franz-wohlkoenig - change - 5 Aug 2019
Labels Added: J4 Issue
franz-wohlkoenig - labeled - 5 Aug 2019
brianteeman - comment - 5 Aug 2019

> Why can't we use PHP code in modules or articles?

Because it opens your web site to any number of security vulnerabilities

> Or provide us a way to do this without using extensions, by means of documentation, because I can find nowhere to start…

There are several extensions available at https://extensions.joomla.org that will let you do this

alikon - change - 5 Aug 2019
Status: New, now Closed
Closed_Date: 0000-00-00 00:00:00, now 2019-08-05 17:58:33
Closed_By: alikon
joomla-cms-bot - change - 5 Aug 2019
Closed_By: alikon, now joomla-cms-bot
joomla-cms-bot - close - 5 Aug 2019
joomla-cms-bot - comment - 5 Aug 2019

Set to "closed" on behalf of @alikon by The JTracker Application at issues.joomla.org/joomla-cms/25783

vintzl - comment - 5 Aug 2019

> Because it opens your web site to any number of security vulnerabilities

Sounds very stupid… as the same applies for

  1. Plugins/"highly customized" modules
  2. Templates, as we can put any php code in …

And guess what? We can embed PHP code in them… So these open our web sites to any number of security vulnerabilities…

> There are several extensions available at https://extensions.joomla.org that will let you do this

I did not ask for extensions, but at least for some documentation…

Seems I will waste my time to figure out how it works.

Bakual - comment - 5 Aug 2019

> And guess what? We can embed PHP code in them… So these open our web sites to any number of security vulnerabilities…

Only Super-Administrators can install extensions or edit template files. If you can't trust those users, then all is lost anyway.

For all other users, there is no way to embed PHP code for security reasons. If you allow them to run PHP code, then you can as well give them full access to your server.

So if you really need that feature, you need to find some extension which allows that and you seriously need to make sure only users which you trust blindly are allowed to use it.
It certainly will never be part of core.

vintzl - comment - 5 Aug 2019

Did you know that Joomla provides ACL? (sure you know…)

We could use ACL to enable selected users ONLY to embed PHP code… like, by default, Super-Administrators etc…

Bakual - comment - 5 Aug 2019

You don't understand.
As soon as you allow a non-Super-Admin to add PHP code to e.g. an article, that user can elevate himself to Super-Admin. Or he can do even worse stuff.
ACL doesn't help you there at all. There is no safeguard left once you can run your own PHP code.

vintzl - comment - 6 Aug 2019

You waste my time… Read again and again my posts, until you are able to understand what I mean.

Everything you wrote is stupid as:

  • Joomla allows creation of a simple user with Super User rights; again, what you argue is irrelevant. Because, if we follow your same logic, we MUST remove this feature as "it opens our web sites to any number of security vulnerabilities"…
  • ACL, as user creation/modification of users with assigned User Groups, leads to the same problems you fear, but you allow users that you "want to protect from themselves" to use these features, meaning grant users any Super User rights…
  • With ACL, you could grant specific users the right to embed code, maybe the same users you grant Super User rights, and only those users…
  • I wrote ACL systems, and if done correctly, certainly with a lot of work, you could limit usage to some PHP function calls (white list like print, echo, etc)…

Now as you are too psychorigid for me, I will not waste my time anymore with you on this topic. I am done with it, and I am near to finding my solution.

infograf768 - comment - 6 Aug 2019

I am sure you will share such a solution by proposing a PR.
In the meanwhile, it would be much appreciated if you stopped using insults towards anyone in this repo. Thanks.

HLeithner - comment - 6 Aug 2019

@vintzl could you please calm down and be a bit more friendly. Everyone here tries to make Joomla better. Adding the possibility to execute PHP code will lead to security problems for inexperienced users. As a power user you are able to simply install an extension that can do this. If you really want it simple you can even do this with a template override and set the filter to raw on mod_custom. Then you have done it with core.

But giving this to an end user would only lead to security problems. And no, filtering PHP code is not trivial.
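
The point debated above, that restricting embedded PHP to a list of permitted functions is not trivial, shown as an added example (not part of any comment in this thread and not Joomla code): a token-based checker has to reject far more than disallowed names, because PHP can run or load code without any function name appearing in the source. `ALLOWED`, `checkSnippet()` and the sample snippets are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Joomla code. ALLOWED and checkSnippet() are hypothetical.
const ALLOWED = ['strtoupper', 'date', 'htmlspecialchars'];

/** Return the reasons a snippet fails a strict function-name allowlist. */
function checkSnippet(string $code): array
{
    $problems = [];
    // Constructs that run or load code without being function calls.
    $constructs = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG];
    $prev = [null, '']; // last significant token: [id, text]

    foreach (token_get_all('<?php ' . $code) as $tok) {
        [$id, $text] = is_array($tok) ? [$tok[0], $tok[1]] : [$tok, $tok];
        if (in_array($id, $skip, true)) {
            continue;
        }
        if (in_array($id, $constructs, true)) {
            $problems[] = "construct '$text' is not covered by a function list";
        } elseif ($id === '`') {
            $problems[] = 'backtick operator runs a shell command';
        } elseif ($id === '(') {
            [$pid, $ptext] = $prev;
            // PHP 8 emits T_NAME_* tokens for namespaced names; reject them outright.
            $qualified = is_int($pid) && strpos(token_name($pid), 'T_NAME_') === 0;
            if ($pid === T_STRING && !in_array(strtolower($ptext), ALLOWED, true)) {
                $problems[] = "call to '$ptext' is not on the allowlist";
            } elseif ($qualified) {
                $problems[] = "namespaced call '$ptext' rejected";
            } elseif (in_array($pid, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')', ']', '}'], true)) {
                $problems[] = "dynamic call after '$ptext': target unknown until runtime";
            }
        }
        $prev = [$id, $text];
    }
    return array_values(array_unique($problems));
}

// Constructed sample snippets: a plain call, a variable call, a file include.
$samples = ['echo strtoupper("hi");', '$f = "strtoupper"; echo $f("hi");', 'include $page;'];
foreach ($samples as $s) {
    $p = checkSnippet($s);
    echo $s, ' => ', $p ? implode('; ', $p) : 'accepted', PHP_EOL;
}
```

A snippet that passes this check is not thereby safe to run; the checker only shows how many language constructs a name-based allowlist has to account for before the list of names matters at all.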

vintzl - comment - 9 Aug 2019

OK, I am sorry if anyone was offended.
