Arguably, it's sufficient to check for administrative privileges... since
an administrator can do this kind of damage anyway... but this use-case is
so broad, dangerous, and uncommon that it really shouldn't be available
unless you take extraordinary measures.
It's tempting to remove the file entirely, but some upgrade workflows don't
properly handle deleted files, and some users may still want access to this
code so that they can run it themselves.
+--------------------------------------------------------------------+
*/
+die("This script is disabled because it is dangerous. If you need it, please duplicate it elsewhere and provide your own secure workflow. This example file will be removed in the future.");
+
+// TIP: If/when we do delete this file, take care to affirmatively check for
+// deletion as part of the status-check infrastructure. Some upgrade workflows
+// don't clear out old files properly, and there's no telling the history
+// of upgrades that have been performed.
+
/**
*
* @package CRM
projects / civicrm-core.git / commitdiff