0
votes

I mainly have two security concerns in Drupal 7.

  1. When a user enters http://sitename/node, the user is able to view all the nodes created on the site to date. On the site there are some content types which are viewable by all users and some which are restricted to the users who created them and the users they are shared with. How can I stop users from viewing nodes which they have not created? It would also be OK for me if "Page Not Found" were displayed when a user enters http:///node.

  2. Similarly, I have installed the "URL Path Alias" module, which substitutes the URL with the title alias. Now when a user enters http://sitename/node/260, where 260 is a random number, this can be redirected to a valid page and the user gets to know the [nid] of the content. Hackers can use SQL injection or another technique to delete the content from the generic [node] table. How can I restrict such hacking on the site?

Please let me know your views.

1 Answer

0
votes

Pay a visit to the Drupal permissions page at /admin/people/permissions.

Using roles and permissions you can set who can see what. Knowing the URL is OK if you have defined your site roles and permissions in a good, safe way.

The Pathauto module, or Drupal's built-in "URL Path Alias", is designed for SEO and simply making your URLs look pretty. It has no security impact ;)
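For the two behaviours the question asks for (a 404 at /node and author-only viewing of one content type), a small Drupal 7 custom module can complement the permissions page. This is an added example, not part of the original question or answer; the module name `restrict_own` and the content type machine name `private_note` are assumptions.

```php
<?php
/**
 * @file
 * restrict_own.module: hypothetical custom module (the name is an assumption).
 */

// Assumed machine name of the content type only its author may view.
define('RESTRICT_OWN_TYPE', 'private_note');

/**
 * Implements hook_menu_alter().
 *
 * Makes the default listing at /node answer "Page not found" for everyone.
 * Individual node/% pages are separate menu items and are not affected.
 * Drupal's default front page is 'node', so point the front page at another
 * path before enabling this.
 */
function restrict_own_menu_alter(&$items) {
  if (isset($items['node'])) {
    $items['node']['page callback'] = 'restrict_own_not_found';
    $items['node']['page arguments'] = array();
    // Always reach the callback so every visitor gets a 404 rather than a 403.
    $items['node']['access callback'] = TRUE;
  }
}

/**
 * Page callback: tells the menu system to deliver a 404 response.
 */
function restrict_own_not_found() {
  return MENU_NOT_FOUND;
}

/**
 * Implements hook_node_access().
 *
 * Denies viewing a restricted node to any account other than its author.
 * Accounts with the "bypass node access" permission never reach this hook.
 * Drupal does not call this hook for listings (front page, feeds, Views);
 * filtering those requires node access grants or a contrib access module.
 */
function restrict_own_node_access($node, $op, $account) {
  // For the 'create' operation $node is a type string, so check is_object().
  if ($op == 'view' && is_object($node) && $node->type == RESTRICT_OWN_TYPE
      && $node->uid != $account->uid) {
    return NODE_ACCESS_DENY;
  }
  return NODE_ACCESS_IGNORE;
}
```

The module also needs a matching `.info` file, and the menu cache must be cleared after enabling it so the altered /node route takes effect.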