
All In One WP Security & Firewall
[resolved] Access to options set to "add_users" and not to "manage_options" (5 posts)

  1. Samuel Aguilera
    Member
    Plugin Contributor

    Posted 8 months ago #

    Hi!

    I just noticed that the permission to access the options menu for the plugin is set to "add_users" in AIOWPSEC_MANAGEMENT_PERMISSION.

    I wonder why you did this, but... it makes more sense to set it to "manage_options", because in fact this is the access to the options menu.

    I think this can cause problems on installs where there are some users with capabilities to add users but not to change options. They can change options for your plugin when they do not have that capability in their role...

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  2. mra13
    Member
    Plugin Author

    Posted 8 months ago #

    I have noticed over the course of time that "add_users" tends to work really well in determining if the user has admin capabilities across all different versions of WordPress installs (WPMS and WP and other versions). It won't cause any problem for the intended use of this plugin.

  3. Samuel Aguilera
    Member
    Plugin Contributor

    Posted 8 months ago #

    Sorry but you're not right in any way.

    Using 'add_users' to determine if the user is an admin is totally wrong. 'add_users' is only a capability, you can give it to users who you trust to perform that task or to create custom roles.

    If you're the admin of a WP or WPMS install and want some user to be able to create users, you'll give them the 'add_users' capability and you expect that he can only do that admin task, and not other ones like managing options, because the 'manage_options' capability exists for managing options.

    So by using 'add_users' to allow managing the options of your plugin you're creating a security flaw, allowing users that have no permission to manage options to manage the security options!

    And there's no problem using the "manage_options" capability in any version of WP or WPMS. It's something that has existed since the beginning of WordPress.

    You should seriously consider fixing this. You have a really nice and useful plugin, maybe one of the best for security, but this point is a big flaw.

    Anyway, maybe you should consider creating a custom capability for your plugin. This is the way most plugins work today.
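The two fixes proposed in the thread, as an added example (not the plugin's own code): gating the menu on `manage_options` instead of `add_users`, and registering a plugin-specific capability. The capability name `aiowps_manage_security` and the `aiowps_example_*` function and slug names are hypothetical; the WordPress API calls are real.

```php
<?php
// Weak setting discussed in the thread: 'add_users' can be delegated to a
// custom role that was never meant to touch site options.
// define( 'AIOWPSEC_MANAGEMENT_PERMISSION', 'add_users' );

// Corrected setting: 'manage_options' is the capability WordPress reserves
// for changing options, which is what the plugin's settings menu does.
if ( ! defined( 'AIOWPSEC_MANAGEMENT_PERMISSION' ) ) {
    define( 'AIOWPSEC_MANAGEMENT_PERMISSION', 'manage_options' );
}

// Alternative from the thread: a dedicated capability (hypothetical name),
// granted to administrators on activation. add_cap() persists it in the
// wp_user_roles option, so this only needs to run once.
function aiowps_example_add_custom_cap() {
    $role = get_role( 'administrator' );
    if ( $role && ! $role->has_cap( 'aiowps_manage_security' ) ) {
        $role->add_cap( 'aiowps_manage_security' );
    }
}
register_activation_hook( __FILE__, 'aiowps_example_add_custom_cap' );

// Menu registration: WordPress hides the entry from users who lack the
// capability, but that only covers the UI.
function aiowps_example_register_menu() {
    add_menu_page(
        'WP Security',                    // page title
        'WP Security',                    // menu title
        AIOWPSEC_MANAGEMENT_PERMISSION,   // capability required to see it
        'aiowps_example_settings',        // menu slug (hypothetical)
        'aiowps_example_render_settings'  // render callback
    );
}
add_action( 'admin_menu', 'aiowps_example_register_menu' );

// The page and its save handler must re-check the capability themselves:
// a hidden menu does not stop a direct request to the settings endpoint.
function aiowps_example_render_settings() {
    if ( ! current_user_can( AIOWPSEC_MANAGEMENT_PERMISSION ) ) {
        wp_die( 'You do not have permission to manage these settings.' );
    }
    if ( isset( $_POST['aiowps_example_save'] ) ) {
        // Nonce check pairs with wp_nonce_field( 'aiowps_example_save' ) in the form.
        check_admin_referer( 'aiowps_example_save' );
        // ... validate and update_option() the submitted settings ...
    }
    // ... render the settings form ...
}
```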

  4. mra13
    Member
    Plugin Author

    Posted 8 months ago #

    I will change that in the next update.

  5. Samuel Aguilera
    Member
    Plugin Contributor

    Posted 8 months ago #

    Thank you very much!
