• Resolved Samuel Aguilera

    (@samuelaguilera)


    Hi!

    I just noticed that permission to access the options menu for the plugin is set to “add_users” in AIOWPSEC_MANAGEMENT_PERMISSION.

    I wonder why you did this, but… it makes more sense to set it to “manage_options”, because in fact this is the access to the options menu.

    I think this can cause problems on installs where there are some users with capabilities to add users but not to change options. They can change options for your plugin when they do not have that capability in their role…

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  • I have noticed over the course of time that “add_users” tends to work really well in determining if the user has admin capabilities across all different versions of WordPress installs (WPMS and WP and other versions). It won’t cause any problem for the intended use of this plugin.

    Thread Starter Samuel Aguilera

    (@samuelaguilera)

    Sorry but you’re not right in any way.

    Using ‘add_users’ to determine if the user is an admin is totally wrong. ‘add_users’ is only a capability; you can give it to users who you trust to perform that task, or to create custom roles.

    If you’re the admin of a WP or WPMS install and want some user to be able to create users, you’ll give them the ‘add_users’ capability and you expect that they can only do that admin task, and not other ones like managing options, because for managing options there exists the ‘manage_options’ capability.

    So by using ‘add_users’ to allow managing the options of your plugin, you’re creating a security flaw allowing users that have no permission to manage options to manage the security options!

    And there’s no problem using the “manage_options” capability in any version of WP or WPMS. It’s something that has existed from the beginning of WordPress.

    You should seriously consider fixing this. You have a really nice and useful plugin, maybe one of the best for security, but this point is a big flaw.

    Anyway, maybe you should consider creating a custom capability for your plugin. This is the way most plugins work today.
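The two fixes proposed in this thread, gating the menu on “manage_options” and registering a plugin-specific capability, as an added example that is not the plugin’s own code. The constant AIOWPSEC_MANAGEMENT_PERMISSION is the one named above; the function names, menu slug and the custom capability name ‘aiowps_manage_security’ are assumptions.

```php
<?php
// Added example, not code from the plugin. AIOWPSEC_MANAGEMENT_PERMISSION is the
// constant named in the thread; function names, the menu slug and the custom
// capability 'aiowps_manage_security' are assumed for illustration.

// Weak setting described in the thread: anyone who may add users also reaches the
// settings page, even if their role was never granted 'manage_options'.
// define( 'AIOWPSEC_MANAGEMENT_PERMISSION', 'add_users' );

// Corrected setting: tie the menu to the capability WordPress itself uses for
// changing site options.
if ( ! defined( 'AIOWPSEC_MANAGEMENT_PERMISSION' ) ) {
    define( 'AIOWPSEC_MANAGEMENT_PERMISSION', 'manage_options' );
}

add_action( 'admin_menu', function () {
    // add_menu_page() only shows the entry to users holding this capability.
    add_menu_page(
        'Security Options',
        'Security',
        AIOWPSEC_MANAGEMENT_PERMISSION,
        'example-security-options',
        'example_render_security_options'
    );
} );

function example_render_security_options() {
    // Defence in depth: re-check in the page callback and in every save handler,
    // because admin-ajax.php / admin-post.php requests never pass through the menu.
    if ( ! current_user_can( AIOWPSEC_MANAGEMENT_PERMISSION ) ) {
        wp_die( esc_html__( 'You do not have permission to manage these options.' ) );
    }
    echo '<div class="wrap"><h1>Security Options</h1></div>';
}

// Alternative from the last reply: a plugin-specific capability, granted to
// administrators on activation so a site owner can delegate it independently of
// 'add_users' or 'manage_options'.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'aiowps_manage_security' );
    }
} );
```

Whichever capability is chosen, the same constant must guard every option-saving code path, not only the menu registration.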

    I will change that in the next update.

    Thread Starter Samuel Aguilera

    (@samuelaguilera)

    Thank you very much!

  • The topic ‘Access to options set to "add_users" and not to "manage_options"’ is closed to new replies.