
Widget Logic
Feature request+patch: capabilities-based security (3 posts)

  1. outis
    Member
    Posted 11 months ago #

    Alan–

    By default, only administrators have the 'edit_theme_options' necessary to access the widget admin panel. However, some sites have a role (e.g. for theme editors & graphic designers) between editor and administrator with this capability. If widget logic is installed on such a site, it introduces a privilege escalation.

    A while back I submitted a ticket and patch to the plugins trac that addressed this by adding an option for & a check against an arbitrary capability necessary to access widget logic options (it defaults to "administrator", so only admins can add widget logic to a widget). The checkpoints are:

    • when adding the various admin filters,
    • when processing an AJAX update (widget_logic_ajax_update_callback()),
    • when setting up the widgets for editing (widget_logic_expand_control()) and
    • when displaying widget logic options (widget_logic_options_control())

    The last two are redundant given the first, but the extra security checks don't hurt. The patch probably won't apply to the current release, but if you're open to including it in WL, I'll gladly update it.

    http://wordpress.org/plugins/widget-logic/
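    Added illustration of the checkpoint scheme described in this post, written from scratch for this thread: it is not the Widget Logic plugin's own code and not outis's patch. The option name `widget_logic_capability` and the `wl_*` function names are hypothetical stand-ins; `get_option()`, `current_user_can()`, `add_action()`, `add_filter()` and the `sidebar_admin_setup`, `in_widget_form` and `widget_update_callback` hooks are real WordPress APIs, but how Widget Logic itself wires its callbacks is not stated above and is assumed here. The point is one chokepoint function that every entry path (filter registration, the save/AJAX callback, the two control renderers) calls, so a user who holds `edit_theme_options` but not the configured capability can neither see nor save widget logic.

```php
<?php
/*
 * Added example (not Widget Logic's code, not the submitted patch):
 * gate every widget-logic admin entry point on a configurable capability.
 * Hypothetical: option 'widget_logic_capability' and all wl_* names.
 */

// Capability (or role name) required to edit widget logic. Defaults to
// "administrator", as in the feature request, so only admins pass unless a
// site deliberately loosens it via the option.
function wl_required_capability() {
    $cap = get_option( 'widget_logic_capability', 'administrator' );
    return ( is_string( $cap ) && $cap !== '' ) ? $cap : 'administrator';
}

// Single chokepoint so every call site agrees on the rule.
// current_user_can() accepts a role name as well as a capability, which is
// why the "administrator" default works unchanged.
function wl_current_user_may_edit_logic() {
    return current_user_can( wl_required_capability() );
}

// Checkpoint 1: only register the admin-side hooks for users who may edit.
// Anyone else still reaches the widget screen (edit_theme_options), but the
// widget-logic controls and save handler are never wired up for them.
function wl_register_admin_hooks() {
    if ( ! is_admin() || ! wl_current_user_may_edit_logic() ) {
        return;
    }
    add_action( 'sidebar_admin_setup', 'wl_expand_control' );
    add_action( 'in_widget_form', 'wl_options_control', 10, 3 );
    add_filter( 'widget_update_callback', 'wl_ajax_update_callback', 10, 4 );
}
add_action( 'init', 'wl_register_admin_hooks' );

// Checkpoint 2: the save/AJAX path re-checks, because a request can reach it
// without ever rendering the form. Hypothetical stand-in for
// widget_logic_ajax_update_callback(); here the logic is kept in the widget
// instance only to make the example self-contained.
function wl_ajax_update_callback( $instance, $new_instance, $old_instance, $widget ) {
    if ( ! wl_current_user_may_edit_logic() ) {
        // Preserve the widget's own settings; refuse any submitted logic and
        // keep whatever was stored before, so a lower role cannot change it.
        if ( isset( $old_instance['widget_logic'] ) ) {
            $instance['widget_logic'] = $old_instance['widget_logic'];
        } else {
            unset( $instance['widget_logic'] );
        }
        return $instance;
    }
    $instance['widget_logic'] = isset( $new_instance['widget_logic'] )
        ? trim( (string) $new_instance['widget_logic'] )
        : '';
    return $instance;
}

// Checkpoint 3: setting up widgets for editing (stand-in for
// widget_logic_expand_control()). Redundant with checkpoint 1, but cheap, and
// it holds even if someone later registers this hook from another path.
function wl_expand_control() {
    if ( ! wl_current_user_may_edit_logic() ) {
        return;
    }
    // ... attach the logic field to each widget's control as the plugin does
}

// Checkpoint 4: rendering the options (stand-in for
// widget_logic_options_control()). Same redundancy argument as above.
function wl_options_control( $widget, $return, $instance ) {
    if ( ! wl_current_user_may_edit_logic() ) {
        return;
    }
    $value = isset( $instance['widget_logic'] ) ? $instance['widget_logic'] : '';
    $id    = $widget->get_field_id( 'widget_logic' );
    $name  = $widget->get_field_name( 'widget_logic' );
    printf(
        '<p><label for="%s">Widget logic:</label> <input type="text" id="%s" name="%s" value="%s" class="widefat" /></p>',
        esc_attr( $id ),
        esc_attr( $id ),
        esc_attr( $name ),
        esc_attr( $value )
    );
}
```

    The defensive choice worth noting is in checkpoint 2: on a failed check the handler restores the previously stored logic rather than simply dropping the field, so a user below the configured capability cannot clear an administrator's condition by saving the widget.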

  2. alanft
    Member
    Plugin Author
    Posted 11 months ago #

    Yeah, I'll take a pass at putting that into the dev version soon. If 3.6 turns out to need an update I'll release it really soon.

  3. outis
    Member
    Posted 11 months ago #

    I've updated the patch to apply to WL 0.56.
