Block module/theme installation on new Drupal instances
The goal is to disallow any level of customization to the Drupal administrators.
To achieve this, we must block module installation.
Current possible options:
1. Change deployment setup
Description:
The deployment would have PVs mounted as read-only for /drupal-data/modules
and /drupal-data/themes
paths on webdav
container.
Pros:
It is uniform to all users. New instances will have no customization, existing instances will not be able to add any new customizations, but keep current ones.
Cons:
Once applied, modules cannot be updated neither removed by users. It will require admin action or access to the php-fpm
container in order to do full CRUD
operations.
Users that have requested advanced access to containers will continue to be able to add modules. Revoking access to previously given users would be advisable.
Extra: We can have a label to make it ready-write
mount on webdav
for necessary exceptions for a temporary time. I would not recommend this, but can be included if we are to go with this path but multiple expecting exceptions.
2. Separate new image
Description:
We can have a default image, and the only available for new instances, that does not do any linkage of /drupal-data/modules
to be actually used as modules. This linkage is embedded in the image, and if removed, would make the customization impossible to users.
Pros:
Clear distinction between websites with and without customization available. Fully working for the first, zero for the latter.
Cons:
Maintain two RELEASE
images for the time being, and have to update both.