Simple Download Monitor
Registered Users can access Admin accessible area (6 posts)

  1. eirlymeyer
    Member
    Posted 3 years ago

    There is a major flaw in your plugin.
    As admin you are able to see the Simple Download link & dashboard.

    However, OTHER registered users that are on the site have access & can see & utilize the same as Subscribers, Editors, Authors & Contributors.

    The only individual that should be allowed to access this should be the Admins. This is a major flaw with this plugin.

    Can you take a look at this issue & get it fixed?

  2. pepak.net
    Member
    Posted 3 years ago

    That’s not a flaw but an intended behavior: all registered users can view SDMon stats. Would you care to elaborate why only admin should be allowed to view the stats? Unless you can present a convincing proof of why it is necessary, it won’t change.

  3. eirlymeyer
    Member
    Posted 3 years ago

    I'm sure you didn't understand what I am trying to convey to you clearly. This IS a major flaw.

    Here is why:
    1. The plugin allows for you to see the download stats. That includes the # of downloads, the last date & the LINK to the actual download.

    2. It's fine that the ADMIN can see the info. That's the whole point, having a dashboard. HOWEVER,

    3. As a SUBSCRIBER, who signs up to your website, who may & should have access to their profile information, they ALSO have access to the same STATS -- INSIDE THEIR PROFILE PANEL (same as the ADMIN)

    So, for example, if a "SUBSCRIBER" comes to your site & sees a download they want, they can get it. If they log into their profile & want to change information, they also get to see the ENTIRE LIST OF DOWNLOADS, how many were downloaded, etc.

    So, if the Admin wanted to protect the OTHER downloads from subscribers who shouldn't have ACCESS, you can't do it. Because,
    SUBSCRIBERS, EDITORS, AUTHORS, CONTRIBUTORS -- PEOPLE WHO ARE NOT AT "ADMIN LEVEL" can access the same data by logging into your site, & access the same data.

    So, in effect, your plugin would not work for those who run a membership site, where registered members can see EVERY download, when they weren't granted access to "every" download -- simply by going through their personal backend to view their profile.

    I personally would've liked to use this plugin, as the concept does work. However, I have had to remove it because of this issue.

    Test what I'm saying for yourself: ADD a "NEW USER" to your site, as a SUBSCRIBER (NOT ADMIN), or Author, Contributor, etc. Then log in as them, and see the UNRESTRICTED ACCESS given to that user role as a subscriber.

    I would recommend you take a look at it, unless, this was the real "intended behavior" of this plugin.

  4. pepak.net
    Member
    Posted 3 years ago

    Let me get this straight: Your registered users could theoretically download any files, if only they knew their full links? In other words, your only means of protecting your content is the fact that the URLs are "secret"? I am not quite so sure I want to encourage such an approach - security by obscurity is NOT the way to go, usually.

    Anyway, I will consider adding an option to set a privilege level required to view the download stats. Meanwhile, you can edit line 826 to only allow access to administrators by changing 'read' to 'manage_options'.
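    The capability-string change discussed above, as an added illustration that is not Simple Download Monitor's own code: in WordPress, the capability passed to add_menu_page() decides which roles see an admin page, and the same string should gate the page callback. 'read' is granted to every role, Subscriber included, so a stats page registered with it is visible to anyone who can log in; 'manage_options' is held only by Administrators. Function, slug and filter names prefixed sdmon_example_ are hypothetical, and the stats rows are constructed sample data.

    ```php
    <?php
    /**
     * Added illustration (not the plugin's own code): gating a WordPress admin
     * page on a capability. Names prefixed sdmon_example_ are hypothetical.
     */

    // Weak setting: 'read' is held by every role, so any logged-in user
    // (Subscriber, Contributor, Author, Editor) sees and can open the page.
    function sdmon_example_register_menu_weak() {
        add_menu_page(
            'Download Stats',          // page title
            'Download Stats',          // menu title
            'read',                    // capability: every role has this
            'sdmon-example-stats',     // menu slug
            'sdmon_example_render_stats'
        );
    }

    // Corrected setting: 'manage_options' is held only by Administrators.
    // The filter lets a site owner choose a different capability (for example
    // 'edit_others_posts' for Editors) without editing the plugin file.
    function sdmon_example_register_menu_strict() {
        $cap = apply_filters( 'sdmon_example_stats_capability', 'manage_options' );
        add_menu_page(
            'Download Stats',
            'Download Stats',
            $cap,
            'sdmon-example-stats',
            'sdmon_example_render_stats'
        );
    }
    add_action( 'admin_menu', 'sdmon_example_register_menu_strict' );

    // WordPress enforces the menu capability when the page is loaded by slug.
    // The callback repeats the check so that the rule lives next to the data
    // it protects; any AJAX or front-end handler that serves the same counts
    // and links needs the identical current_user_can() check.
    function sdmon_example_render_stats() {
        $cap = apply_filters( 'sdmon_example_stats_capability', 'manage_options' );
        if ( ! current_user_can( $cap ) ) {
            wp_die( esc_html__( 'You do not have permission to view download statistics.' ) );
        }

        // Constructed sample rows standing in for real download records.
        $rows = array(
            array( 'title' => 'Report.pdf', 'count' => 12, 'last' => '2013-05-01' ),
            array( 'title' => 'Setup.zip',  'count' => 3,  'last' => '2013-04-28' ),
        );

        echo '<div class="wrap"><h1>Download Stats</h1>';
        echo '<table class="widefat"><thead><tr><th>File</th><th>Downloads</th><th>Last</th></tr></thead><tbody>';
        foreach ( $rows as $r ) {
            printf(
                '<tr><td>%s</td><td>%d</td><td>%s</td></tr>',
                esc_html( $r['title'] ),
                (int) $r['count'],
                esc_html( $r['last'] )
            );
        }
        echo '</tbody></table></div>';
    }
    ```

    The two registration functions differ only in the capability argument; the weak one is kept alongside the corrected one to show what the single-string change does. Because the capability is applied both where the menu is registered and where the page is rendered, a site that chooses to expose the stats to Editors can do so from its theme or a small mu-plugin with one add_filter() call rather than by editing the plugin.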

  5. eirlymeyer
    Member
    Posted 3 years ago

    Yes. It's deeper than that. I would suggest you create a "new user" on your site & log in as that user & see for yourself what is "AVAILABLE" to you on the left side of Admin Profile for that user.

    You may be very surprised.

    The concept of registered users being able to download files is not the issue. It's that they are able to "SEE" & "DOWNLOAD" from their own personal profile when they log into their profiles.

    I will try this Line 826 option, & test it. However, I'd prefer to have this feature already working correctly.

  6. pepak.net
    Member
    Posted 3 years ago

    I would not be surprised, as I _am_ running my blog as a regular user. And the availability of download stats to regular users is indeed intentional, not accidental. SDMon's behavior is "correct" from this point of view.

Topic Closed

This topic has been closed to new replies.
