• Is there any way I can disable All in One SEO’s .htaccess editing, and just that feature, in a theme or plugin?

    It looks like there’s a filter in the All_in_One_SEO_Pack_Feature_Manager class that might work to disable the file editor altogether, which is probably what I’ll do if I have to. But I do like the idea of exposing robots.txt, and it alone, to our users.

    https://wordpress.org/plugins/all-in-one-seo-pack/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support Steve M

    (@wpsmort)

    Hi bvucp,

    Why not just deactivate that module in Feature Manager?

    Thread Starter bvucp

    (@bvucp)

    The Feature Manager is open to all admins, and on this site I need to be able to appoint admins with control over the Dashboard side of things – users, content, etc. – without allowing them to start doing server-side modifications.

    Using the wp-config constant DISALLOW_FILE_MODS generally covers this, but All in One SEO 2.2 has now opened another window that’s free of that constant. (Speaking of which, respecting that flag and refusing to save File Editor modifications if that constant is flipped on would probably be good practice, and would also solve my dilemma with the 2.2 update.)

    While unlikely short of a log-in getting hacked – which is certainly imaginable – the worst-case scenario I see for the new .htaccess editor is someone enabling PHP execution in the uploads folder.

    I suppose I could also just change ownership of .htaccess to make it unwritable for WordPress. Would also close this gap, but it would prevent a security plugin from writing to it as well.

    Plugin Support Steve M

    (@wpsmort)

    Hi bvucp,

    I will have our Lead Developer look at obeying the DISALLOW_FILE_MODS in the next release due out very soon and I’ll have him respond to you here with any temporary workaround.

    Hi bvucp,

    I think obeying DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS is a good idea; in the meantime you’re right that there is a hook, I’d suggest using some code like this:

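    // Remove the File Editor module when file edits are disallowed in
    // wp-config.php or the current user is not a super admin.
    add_filter( 'aioseop_module_list', 'bvucp_aioseop_file_editor_fix' );
    function bvucp_aioseop_file_editor_fix( $modules ) {
        $locked = ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )
            || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS );
        if ( isset( $modules ) && in_array( 'file_editor', $modules ) && ( $locked || ! is_super_admin() ) ) {
            // Drop only the 'file_editor' entry; other modules stay listed.
            $modules = array_diff( $modules, array( 'file_editor' ) );
        }
        return $modules;
    }
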
    Thread Starter bvucp

    (@bvucp)

    Thanks Peter & wpsmort!

  • The topic ‘Disable .htaccess in file editor while leaving robots.txt editor?’ is closed to new replies.
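
A check for the gap raised in the thread, where the wp-config constants are set but `.htaccess` stays writable to the PHP user, so a plugin that ignores the constants can still edit it. This is an added example, not code from the thread or the plugin; the function names and output strings are made up here, and it only recognizes constants defined as a literal `true`.

```shell
#!/bin/sh
# Added example, not from the thread. Run it as the user PHP executes as,
# so that -w reflects what WordPress itself could write.

# Succeed if the wp-config.php in $1 defines constant $2 as the literal true.
# Lines commented out with // or # do not match.
wp_const_true() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]${2}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Print one finding for the WordPress root directory in $1.
audit_wp_root() {
    root=$1
    cfg="$root/wp-config.php"
    ht="$root/.htaccess"

    locked=no
    if [ -f "$cfg" ]; then
        if wp_const_true "$cfg" DISALLOW_FILE_MODS ||
           wp_const_true "$cfg" DISALLOW_FILE_EDIT; then
            locked=yes
        fi
    fi

    # A missing .htaccess in a writable directory can simply be created.
    writable=no
    if [ -f "$ht" ]; then
        if [ -w "$ht" ]; then writable=yes; fi
    elif [ -w "$root" ]; then
        writable=yes
    fi

    case "$locked/$writable" in
        yes/yes) echo "GAP: constant set, but .htaccess is still writable" ;;
        yes/no)  echo "OK: constant set and .htaccess is not writable" ;;
        no/yes)  echo "OPEN: no constant set and .htaccess is writable" ;;
        no/no)   echo "PARTIAL: .htaccess not writable, but no constant set" ;;
    esac
}

# Usage: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    audit_wp_root "$1"
fi
```

An `OK` result also means a security plugin running as the same user cannot write `.htaccess`, which is the trade-off noted in the thread.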