[resolved] Shock! A subscriber can admin the Jetpack options! (9 posts)

  1. mattes3
    Member
    Posted 1 year ago #

    I am using Jetpack 2.0.2.

    I created a new user in WordPress and gave him the subscriber role which has only the "read" capability. Then, I logged in as this user. I got an admin page with Dashboard and Profile, and guess what? The Jetpack admin page appeared, too, happily saying:

    "To enable all of the Jetpack features you’ll need to link your account here to your WordPress.com account using the button to the right."

    Folks, not every user should be able to change the Jetpack settings on my site! Would you please fix this? Please check for the manage_options capability first before you show the Jetpack admin panel:
    http://codex.wordpress.org/Roles_and_Capabilities#manage_options

    Thanks a lot!

    http://wordpress.org/extend/plugins/jetpack/

  2. Ronester
    Member
    Posted 1 year ago #

    Agreed. More granular control and accessibility based on user roles would be great. Or the ability to only show certain JetPack modules based on a user's role. This seems pretty serious.

  3. Downsouth
    Member
    Posted 1 year ago #

    Horrified by this. I have to inform each low-level user "do not touch". It's ridiculous.

  4. Tom
    Member
    Posted 1 year ago #

    That's very interesting. Because of such issues I will not be surprised when vulnerabilities are found in Jetpack. But I hope this will be fixed.

    Jetpack is ridiculous for many reasons. I deleted it because it is bloated with plugins (and new features are automatically enabled), it was slowing down my web site, stats was not working, and worst of all it was spying on my visitors by setting a Quantserve web bug. I was not even aware of this and shocked when someone notified me :-(

  5. Jeremy Herve
    Happiness Engineer
    Plugin Author

    Posted 1 year ago #

    Rest assured, registered subscribers cannot make any changes to your site's Jetpack Settings.

    They will, however, see the Jetpack menu, and they will be able to connect to their WordPress.com account in order to activate the Toolbar notifications. You can read more about it here:
    http://jetpack.me/support/toolbar-notifications/

  6. Gregory Cornelius
    Member
    Posted 1 year ago #

    For folks that come across this thread, I threw together a gist that shows how one can easily remove the menu for users that do not have the 'edit_posts' capability in a simple plugin. To install, I would create a file in mu-plugins named jetpack-tweaks.php and add the code. While there is a chance that this tweak could break after an upgrade, it is unlikely and won't negatively impact your site.

    https://gist.github.com/4252178

    While this will work, registered subscribers won't be able to use Toolbar Notifications.

  7. Ronester
    Member
    Posted 1 year ago #

    Thanks gcorne

    I would imagine you could just place that code snippet in your functions.php file as well.

    Personally I like using a Functions.php Plugin (http://www.doitwithwp.com/create-functions-plugin/) so that I can apply custom tweaks to all sites on my WP Network at once, regardless of theme updates or theme switches.

    I'm also assuming you could do something similar for the Author role as well?

    <?php

    // Remove the Jetpack menu entry for users who lack the 'edit_posts'
    // capability (i.e. Subscribers). Jetpack fires 'jetpack_admin_menu'
    // after it has registered its own menu, so the removal takes effect.
    function jetpack_hide_from_authors() {
        if ( ! current_user_can( 'edit_posts' ) ) {
            remove_menu_page( 'jetpack' );
        }
    }

    add_action( 'jetpack_admin_menu', 'jetpack_hide_from_authors' );

    Thanks again.

  8. AK Ted
    Member
    Posted 1 year ago #

    @Neffect, only subscribers cannot edit_posts (see Roles and Capabilities).

    If you wanted to block only authors, you could use
    if ( current_user_can( 'author' ) )

    If you wanted to limit it to only those "higher" than an author, you could use
    if ( ! current_user_can( 'edit_others_posts' ) )
    or any other capability listed in the above link that applies only to Editors & Administrators (and Super Admins if Multisite).
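
Putting the suggestions from the last three posts together as one mu-plugin, as an added example that is not code from the thread or from Jetpack: the required capability defaults to 'manage_options' (the first post's request) and can be filtered to 'edit_posts' or 'edit_others_posts'; on a Multisite network only super admins keep the menu. Because remove_menu_page() only hides the entry and does not stop a user from opening admin.php?page=jetpack directly, the example also denies such direct requests. The prefix 'jetpack_' for sub-pages and the filter name are assumptions.

```php
<?php
/*
Plugin Name: Jetpack menu tweaks (example)
Description: Hide the Jetpack admin menu from users below a chosen capability.
*/

// Capability a user needs before the Jetpack menu is shown.
// Assumption for this example: 'manage_options'; filter it to
// 'edit_posts' or 'edit_others_posts' to match the other suggestions.
function jetpack_tweaks_required_cap() {
    return apply_filters( 'jetpack_tweaks_required_cap', 'manage_options' );
}

function jetpack_tweaks_user_allowed() {
    // On a network install only super admins keep the menu.
    if ( is_multisite() ) {
        return is_super_admin();
    }
    return current_user_can( jetpack_tweaks_required_cap() );
}

// Hide the top-level menu (slug 'jetpack', as used in this thread).
function jetpack_tweaks_hide_menu() {
    if ( ! jetpack_tweaks_user_allowed() ) {
        remove_menu_page( 'jetpack' );
    }
}
add_action( 'jetpack_admin_menu', 'jetpack_tweaks_hide_menu' );

// Hiding a menu entry is cosmetic: the page is still reachable by URL.
// Refuse direct requests to the Jetpack pages for disallowed users.
// Assumption: Jetpack sub-pages use slugs beginning with 'jetpack_'.
function jetpack_tweaks_block_direct_access() {
    if ( ! is_admin() || jetpack_tweaks_user_allowed() ) {
        return;
    }
    $page = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
    if ( 'jetpack' === $page || 0 === strpos( $page, 'jetpack_' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to access this page.' ),
            '',
            array( 'response' => 403 )
        );
    }
}
add_action( 'admin_init', 'jetpack_tweaks_block_direct_access' );
```

As Gregory notes above, users hidden from the menu this way also lose the Jetpack page they would use to link a WordPress.com account for Toolbar Notifications.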

  9. mshastchi
    Member
    Posted 10 months ago #

    I use slim jetpack instead.
    I want to hide its options for everyone except the super admin (in mu installation).
    Its options come under the options menu not in under the dashboard.

Topic Closed

This topic has been closed to new replies.
