Updating drupal without file access

Quick news

2019-10-26: Presenting on NoSQL in Drupal 8 at DrupalCon Amsterdam
2019-02-15: Presenting on FranceTV Sport on Drupal 8 at DrupalCamp Paris
2018-06-08: Presenting on how to react to a hacked site at Drupal Hack Camp
2014-03-27: MongoDB Watchdog module ported to Drupal 8 at the Szeged Dev Days.
2014-01-26: My post on the Symfony web profiler in Silex selected in Week of Symfony. w00t !
2013-10-18: My first commit went into MongoDB today. And, guess what ? It's in JavaScript
2013-09-20 to 29: Working on Drupal 8 EntityAPI at the extended code sprints during and around DrupalCon Prague
2012-08-19: Working on Drupal 8 EntityAPI at Drupalcon Munich
2012-06-15: Working on Drupal 8 EntityAPI at DrupalDevDays Barcelona
2012-03-23: Working on the future Drupal Document Oriented Storage at DrupalCon Denver. D8 or later ? ~~Bets are on~~ Later

Latest sites

2017-11-26: New Drupal 8 site at Rue du Commerce, architected and tech-led by OSInet, just went throught Black Friday week with flying colors thanks to RabbitMQ
2017-05-26: New headless Drupal 8 / Symfony 3 site at FranceTV Sport, architected and tech-led by OSInet, with RabbitMQ
2017-02-20: New Drupal 8 site galaxy (+/- 70 sites) for Agences Régionales de Santé architected and tech-led by OSInet, delivered by Klee
2015-08-21: 50% less server load with MongoDB on the Drupal 7 site factory at France Télévisions
2015-07-15: Our first Drupal 8 production site at France Télévisions is live
2014-08-18: 400% speedup in 3 weeks for http://france3-regions.francetvinfo.fr/ : who said Drupal back-offices had to be slow ?
2014-02-07: Sotchi Olympics traffic not a problem for http://www.francetvsport.fr/ , which I rearchitected on Drupal 7 in 2013
2011-09-14: Completed migration of FranceInfo.FR from SPIP to Drupal
2011-07-13: The new social network features of Le Figaro are now powered by an OSInet-designed MongoDB implementation

Submitted by Frederic Marand on Sat, 2007-01-13 22:40

Add new comment

A few days ago, it was brought to my attention that something had been broken on the PHP-GTK community site during the 5.0 RC2 upgrade. The problem was easily identified as being codefilter.module having been removed during the upgrade and not reinstalled. Of course, not being at my office, I did not have access to the FTP passwords, but just to my admin account, and I did not want to leave the community members in the cold, so I used this small trick.

login to the site with a privileged account, allowed to make use of devel.module
grab the module from drupal.org
enable the Execute code block from Devel
edit some node, no matter which
attach the module files to the node being edited, not listing them
in the Execute code box, use commands like the following, one at a time to make sure all goes well (typos !). Supposing your files directory is named "files" under the site root:
1. First, a check to make sure everything is where it's supposed to be:
  system('ls -l files sites/all/modules');
2. Then create the module directory:
  system('mkdir sites/all/modules/codefilter');
3. Then copy the files over to it:
  system('cp files/codefilter.* sites/all/modules/codefilter');
detach the files from the node where you had attached them
the module is now there in your modules list, ready to be enabled.

As you can see, nothing spectacular, but it can come in handy when you're missing normal tools.

Note 1: this will probably only work differently when file transfers are set to "public", which is the default.

Note 2: I used cp instead of mv intentionally: this means the files won't move from the drupal files directory without drupal knowin g it, and they can be removed cleanly when you detach them from the node.

Somewhat dangerous

So your Apache can write sites/all? That's... not a particularly good idea. Just make the life of potential attackers harder by not letting Apache write the same dirs where it can run scripts. This is just a general rule of thumb.

Unique account

Actually, I suspect this is a common enough situation for shared hostings, on which you only have one account allocated, used for both FTP and Apache.

Which leads to an obvious question: is there a note about permissions in the Best Practices section (or elsewhere) ? I couldn't find one.

UPDATE: it's now a feature request for Drupal 6.

fgm @ OSInet

I'm @fgm@mamot.fr on Mastodon
Looking for a new project to work on, preferably Go and/or Drupal-based. Contact me, let's see how we could work together.
Have you read my Go book and its blog ?
Is your site reliably up ? Check with my Log4U uptime monitoring service.
Check my drupal.org "fgm" profile
See our OSInet pro services site.
Find me on

Follow me on LinkedIn