Skip to content

Add comments on risky permissions #1468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bennothommo wants to merge 2 commits into
base: develop
Choose a base branch
from
+39 −11
Open

Add comments on risky permissions #1468

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6bc8b06
Style permission comments, add comments for administrative permissions
bennothommo Mar 13, 2026
69b84be
Update modules/backend/formwidgets/permissioneditor/partials/_permiss…
bennothommo Mar 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ nbproject
.vscode
!.devcontainer/.vscode
_ide_helper.php
.zed

# Other ignores
.DS_Store
Expand Down
4 changes: 4 additions & 0 deletions modules/backend/ServiceProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,11 +178,13 @@ protected function registerBackendPermissions()
'backend.manage_users' => [
'label' => 'system::lang.permissions.manage_other_administrators',
'tab' => 'system::lang.permissions.name',
'comment' => 'system::lang.permissions.manage_other_administrators_comment',
'roles' => [UserRole::CODE_DEVELOPER],
],
'backend.impersonate_users' => [
'label' => 'system::lang.permissions.impersonate_users',
'tab' => 'system::lang.permissions.name',
'comment' => 'system::lang.permissions.impersonate_users_comment',
'roles' => [UserRole::CODE_DEVELOPER],
],
'backend.manage_preferences' => [
Expand All @@ -203,6 +205,7 @@ protected function registerBackendPermissions()
'backend.manage_branding' => [
'label' => 'system::lang.permissions.manage_branding',
'tab' => 'system::lang.permissions.name',
'comment' => 'system::lang.permissions.manage_branding_comment',
'roles' => [UserRole::CODE_DEVELOPER],
],
'media.manage_media' => [
Expand All @@ -213,6 +216,7 @@ protected function registerBackendPermissions()
'backend.allow_unsafe_markdown' => [
'label' => 'backend::lang.permissions.allow_unsafe_markdown',
'tab' => 'system::lang.permissions.name',
'comment' => 'backend::lang.permissions.allow_unsafe_markdown_comment',
'roles' => [UserRole::CODE_DEVELOPER],
],
]);
Expand Down
27 changes: 18 additions & 9 deletions modules/backend/formwidgets/permissioneditor/partials/_permissioneditor.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
<div class="permissioneditor <?= $this->previewMode ? 'control-disabled' : '' ?>" <?= $field->getAttributes() ?>>
<table>
<?php
$firstTab = true;
$globalIndex = 0;
$checkboxMode = !($this->mode === 'radio');
$firstTab = true;
$globalIndex = 0;
$checkboxMode = !($this->mode === 'radio');
?>
<?php foreach ($permissions as $tab => $tabPermissions): ?>
<tr class="section">
Expand All @@ -20,7 +20,7 @@
</tr>

<?php
$lastIndex = count($tabPermissions) - 1;
$lastIndex = count($tabPermissions) - 1;
?>
<?php foreach ($tabPermissions as $index => $permission): ?>

Expand Down Expand Up @@ -55,13 +55,22 @@

<td class="permission-name">
<?= e(trans($permission->label)) ?>
<p class="comment"><?= e(trans($permission->comment)) ?></p>
<?php if ($permission->comment): ?>
<span
class="text-info wn-icon-circle-info"
data-toggle="tooltip"
title="<?= e(trans($permission->comment)) ?>"
tabindex="0"
role="img"
aria-label="<?= e(trans($permission->comment)) ?>"
></span>
<?php endif; ?>
</td>

<?php if ($this->mode === 'radio'): ?>
<td class="permission-value">
<div class="radio custom-radio">
<input
<input
id="<?= $allowId ?>"
name="<?= e($baseFieldName) ?>[<?= e($permission->code) ?>]"
value="1"
Expand All @@ -75,7 +84,7 @@
</td>
<td class="permission-value">
<div class="radio custom-radio">
<input
<input
id="<?= $inheritId ?>"
name="<?= e($baseFieldName) ?>[<?= e($permission->code) ?>]"
value="0"
Expand All @@ -88,7 +97,7 @@
</td>
<td class="permission-value">
<div class="radio custom-radio">
<input
<input
id="<?= $denyId ?>"
name="<?= e($baseFieldName) ?>[<?= e($permission->code) ?>]"
value="-1"
Expand Down Expand Up @@ -123,7 +132,7 @@
<?php else: ?>
<td class="permission-value">
<div class="checkbox custom-checkbox">
<input
<input
id="<?= $allowId ?>"
name="<?= e($baseFieldName) ?>[<?= e($permission->code) ?>]"
value="1"
Expand Down
3 changes: 2 additions & 1 deletion modules/backend/lang/en/lang.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -612,7 +612,8 @@
],
'permissions' => [
'manage_media' => 'Upload and manage media contents - images, videos, sounds, documents',
'allow_unsafe_markdown' => 'Use unsafe Markdown (Can include Javascript)',
'allow_unsafe_markdown' => 'Allow unsafe Markdown',
'allow_unsafe_markdown_comment' => 'Allowing unsafe Markdown will allow HTML tags, including JavaScript, in Markdown content. This can be a security risk if given to an untrusted user.',
],
'mediafinder' => [
'label' => 'Media Finder',
Expand Down
8 changes: 7 additions & 1 deletion modules/cms/ServiceProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,6 @@
<?php namespace Cms;
<?php

namespace Cms;

use Backend;
use Backend\Classes\WidgetManager;
Expand Down Expand Up @@ -342,24 +344,28 @@ protected function registerBackendPermissions()
'cms.manage_pages' => [
'label' => 'cms::lang.permissions.manage_pages',
'tab' => 'cms::lang.permissions.name',
'comment' => 'cms::lang.permissions.manage_pages_comment',
'roles' => [UserRole::CODE_DEVELOPER],
'order' => 100
],
'cms.manage_layouts' => [
'label' => 'cms::lang.permissions.manage_layouts',
'tab' => 'cms::lang.permissions.name',
'comment' => 'cms::lang.permissions.manage_layouts_comment',
'roles' => [UserRole::CODE_DEVELOPER],
'order' => 100
],
'cms.manage_partials' => [
'label' => 'cms::lang.permissions.manage_partials',
'tab' => 'cms::lang.permissions.name',
'comment' => 'cms::lang.permissions.manage_partials_comment',
'roles' => [UserRole::CODE_DEVELOPER],
'order' => 100
],
'cms.manage_themes' => [
'label' => 'cms::lang.permissions.manage_themes',
'tab' => 'cms::lang.permissions.name',
'comment' => 'cms::lang.permissions.manage_themes_comment',
'roles' => [UserRole::CODE_DEVELOPER],
'order' => 100
],
Expand Down
4 changes: 4 additions & 0 deletions modules/cms/lang/en/lang.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -277,9 +277,13 @@
'manage_content' => 'Manage website content files',
'manage_assets' => 'Manage website assets - images, JavaScript files, CSS files',
'manage_pages' => 'Create, modify and delete website pages',
'manage_pages_comment' => 'This permission should only be given to trusted users, as it allows direct access to the theme\'s page content files, including PHP code if enabled.',
'manage_layouts' => 'Create, modify and delete CMS layouts',
'manage_layouts_comment' => 'This permission should only be given to trusted users, as it allows direct access to the theme\'s layout files, including PHP code if enabled.',
'manage_partials' => 'Create, modify and delete CMS partials',
'manage_partials_comment' => 'This permission should only be given to trusted users, as it allows direct access to the theme\'s partial files, including PHP code if enabled.',
'manage_themes' => 'Activate, deactivate and configure CMS themes',
'manage_themes_comment' => 'This permission should only be given to trusted users, as it allows the user to change the theme or delete it entirely.',
'manage_theme_options' => 'Configure customization options for the active theme',
],
'theme_log' => [
Expand Down
3 changes: 3 additions & 0 deletions modules/system/lang/en/lang.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -448,13 +448,16 @@
'manage_mail_templates' => 'Manage mail templates',
'manage_mail_settings' => 'Manage mail settings',
'manage_other_administrators' => 'Manage other administrators',
'manage_other_administrators_comment' => 'Allows the user to create, update and delete other administrator accounts. This permission should only be given to trusted users.',
'impersonate_users' => 'Impersonate users',
'impersonate_users_comment' => 'Allows the user to impersonate other users at their level of access. This permission should only be given to trusted users.',
'manage_preferences' => 'Manage backend preferences',
'manage_editor' => 'Manage global code editor preferences',
'manage_own_editor' => 'Manage personal code editor preferences',
'view_the_dashboard' => 'View the dashboard',
'manage_default_dashboard' => 'Manage the default dashboard',
'manage_branding' => 'Customize the back-end',
'manage_branding_comment' => 'This permission allows the user to customize the back-end appearance, including custom CSS content. This may be a security risk if given to an untrusted user.'
],
'log' => [
'menu_label' => 'Log settings',
Expand Down
Loading