These are not necessary and can pose a security risk.
IMHO they are damn well necessary. Esp. when your client doesn't know nothing about the web, not being able to find his SFTP login data. For quick fixes, this really helps a lot.
BTW: people edit and delete core files, no matter what, anyway.
What would maybe do better is a specific switch in the Options / Settings to enable both editors, and set the default state to disabled.
I agree with Fabian that they actually come in handy sometimes. If you would change the petition to disabling them by default, then you have my full support!
I use these all day, every day.
I'm in favor of disabling these by default, they are a pretty bad way to do development.
I'm also in favor of disabling these by default.
I like disabling them by default. Add a pop-up warning (first-time only) if someone disables it. The warning could explain the dangers and also link to instructions on child themes.
Also agree with disabling by default.
One more to disable them by default. I was going to suggest this myself; besides being a security risk, it is used in the majority by support tasks/debug issues.
If someone just forgets a semicolon or causes any other error, you will get the WSOD and leave the customer site down till the moment he can reply with any FTP credentials to fix the error caused.
@ Rui Guerreiro - You won't get a WSOD... All of the editors use CodeMirror now and won't save an update anymore if the code is invalid. The only way you can get the WSOD is to upload a corrupt file to your theme or plugin.
As it seems that most people here would like to disable the editors by default and the OP has not responded to this since posting it, I am opening a new petition that suggests disabling them by default.
I agree with Jeremy and also consider that now in WordPress they are working on a WSOD detection that disables the plugin, but it was postponed to 5.1: https://core.trac.wordpress.org/attachment/ticket/44458/broken-plugin-site-admin.png So ClassicPress will also benefit from that. Also, this editor with CodeMirror and the live check for errors before saving are very helpful for support on a website when you don't have other access.
My original thought was to have this feature removed, not disabled. It's more code that has to be maintained and updated. It could be moved into a plugin however. This way, if someone needs/wants to use it they can install the plugin and edit things. But from a security standpoint, having the code there -- even if it's disabled by default -- means that the code could still create a vulnerability. So at the very least, disable by default. But preferably remove and make this into a plugin.
I use the theme editor all the time for child theme CSS changes, but not beyond that.
A feature plugin would be a much better place for the code editor features. There is a lot of code involved, with a lot of hidden security gotchas, but it is all very separate from the core feature set and goal of ClassicPress as a platform. Making it a plugin would actually allow the code editor to improve faster, as well, as it wouldn't have to sync development cycles with Core, and wouldn't have to get all changes approved by the larger team that is mostly focused on other projects.
I use this function kinda often with new clients, but I think this could be removed and added as a plugin, to install only if needed.
Yes, disabled / removed. All editing should be done through the host (server).