Some (security) issues (3 posts)

  1. edik
    Member
    Posted 4 months ago

    Hi,
    I don't understand the design of the plugin.

    If I own the 'Administer Groups' permission, I'm able to get all capabilities I want. Thus I can break out. So why did you implement the permission 'Administer Groups plugin options'?

    It would be nice to have a plugin which provides a post access management without such security issues. In my opinion you should remove the whole capability management code because other plugins like 'User Role Editor' do it better anyway. That's the KISS principle. :D

    Another problem I found: why do you differentiate between normal caps and 'read access enforce' caps? And why can I set the latter at the meta box and the option screen but not at the capability management screens?

    https://wordpress.org/plugins/groups/

  2. itthinx
    Member
    Plugin Author

    Posted 4 months ago

    Thanks for the suggestions, but as you said yourself, you haven't yet understood it. I would recommend you have a look at the documentation http://www.itthinx.com/documentation/groups/ - that will clarify for you that neither is there a security issue related to what you have mentioned, nor are the features around capabilities superfluous.

  3. edik
    Member
    Posted 3 months ago

    The permission 'Administer Groups plugin options' is superfluous because you can use it to gain the permission 'Administer Groups'. Vice versa, owning the 'Administer Groups' permission you can get the 'groups_admin_options' capability aka 'Administer Groups plugin options'. There is no security-related reason to distinguish between these permissions. You should merge them.

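The argument in the thread is about transitive privilege: a permission that lets its holder attach capabilities to a group they belong to is worth every capability it can attach. The model below is an added example, not code from the Groups plugin. Its grant rules encode the claims made in the posts (that 'Administer Groups' can attach any capability to a group, and that the options permission can hand out 'Administer Groups'), not verified plugin behaviour, and every capability name except `groups_admin_options` is an assumption. It computes the closure of what a holder of each capability can reach, checks whether two capabilities are mutually reachable (the poster's "superfluous"), and contrasts that with a hardened rule where a group administrator can only attach capabilities they already hold.

```python
"""Hypothetical model of capabilities that can grant other capabilities.

Added as an illustration of the argument in the thread; it is not code from
the Groups plugin. The grant rules encode the claims made in the posts, not
verified plugin behaviour. Capability names other than groups_admin_options
are assumptions made for this model.
"""

from __future__ import annotations

from typing import Callable, FrozenSet, Mapping

ADMIN_GROUPS = "groups_admin_groups"    # 'Administer Groups' (assumed name)
ADMIN_OPTIONS = "groups_admin_options"  # 'Administer Groups plugin options'
PREMIUM_READ = "premium_read"           # an ordinary post-access capability (assumed)
UNIVERSE = frozenset({ADMIN_GROUPS, ADMIN_OPTIONS, PREMIUM_READ})

# A grant policy answers: given the capabilities an actor already holds, which
# capabilities does each held capability let them attach to a group they are a
# member of (and therefore obtain for themselves)?
GrantPolicy = Callable[[FrozenSet[str]], Mapping[str, FrozenSet[str]]]


def permissive_policy(held: FrozenSet[str]) -> Mapping[str, FrozenSet[str]]:
    """The design the poster objects to (as claimed in the thread): a group
    administrator may attach any capability, and the options permission can
    hand out the group-administrator capability."""
    return {
        ADMIN_GROUPS: UNIVERSE,
        ADMIN_OPTIONS: frozenset({ADMIN_GROUPS}),
    }


def hardened_policy(held: FrozenSet[str]) -> Mapping[str, FrozenSet[str]]:
    """A non-escalating variant: a group administrator may only attach
    capabilities they already hold, and the options permission grants nothing."""
    return {ADMIN_GROUPS: held}


def reachable(start, policy: GrantPolicy) -> FrozenSet[str]:
    """Least fixpoint of 'what can I hold after any number of self-grants'.
    Terminates because the held set only grows and UNIVERSE is finite."""
    held = frozenset(start)
    while True:
        grants = policy(held)
        gained = frozenset().union(*(grants.get(cap, frozenset()) for cap in held)) - held
        if not gained:
            return held
        held = held | gained


def equivalent(cap_a: str, cap_b: str, policy: GrantPolicy) -> bool:
    """True when a holder of either capability can obtain the other, i.e. the
    two do not form a security boundary between each other."""
    return cap_b in reachable({cap_a}, policy) and cap_a in reachable({cap_b}, policy)


def audit(policy: GrantPolicy) -> dict:
    """Effective reach of each single capability under a policy."""
    return {cap: reachable({cap}, policy) for cap in sorted(UNIVERSE)}


if __name__ == "__main__":
    for name, policy in (("permissive", permissive_policy), ("hardened", hardened_policy)):
        print(f"{name}:")
        for cap, reach in audit(policy).items():
            print(f"  {cap:22} -> {sorted(reach)}")
        print(f"  admin-groups/admin-options equivalent: "
              f"{equivalent(ADMIN_GROUPS, ADMIN_OPTIONS, policy)}")
```

Under the permissive rules both administrative capabilities reach the whole universe, so `equivalent(...)` is true and the ordinary `premium_read` holder reaches nothing extra; under the hardened rules each capability reaches only itself. The check a practitioner wants when reviewing any role or group plugin is exactly this closure, not the list of capability names on the settings screen.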