All In One WP Security & Firewall
[resolved] Access to options set to "add_users" and not to "manage_options" (5 posts)

  1. Samuel Aguilera
    Posted 2 years ago #


    I just noticed that permission to access the options menu for the plugin is set to "add_users" in AIOWPSEC_MANAGEMENT_PERMISSION.

    I wonder why you did this, but... it has more sense to set it to "manage_options", because in fact this's the access to the options menu.

    I think this can cause problems on installs where there are some users with capabilities to add users but not to change options. They can change options for your plugin when they have not that capability in their role...


  2. mra13
    Plugin Author

    Posted 2 years ago #

    I have noticed over the course of time that "add_users" tend to work really well in determining if the user has admin capabilities accross all different versions of wordpress installs (WPMS and WP and other versions). It won't cause any problem for the intended use of this plugin.

  3. Samuel Aguilera
    Posted 2 years ago #

    Sorry but you're not right in any way.

    Using 'add_users' to determine if the user is an admin is totally wrong. 'add_users' is only a capability, you can give it to users who you trust to perform that task or to create custom roles.

    If you're the admin of a WP or WPMS install and wants some user to be able to create user you'll give 'add_users' capability and you expect that he only can do that admin task, and not other ones like manage options, because for managing options exists the 'manage_options' capability.

    So using 'add_users' to allow the manage of the options of your plugin you're creating a security flaw allowing users that has no permissions to manage options to manage the security options!

    And there's no problem using the "manage_options" capabiliy in any version of WP or WPMS. It's something that exists from the begining of WordPress.

    You should seriously consider to fix this. You have a really nice an useful plugin, maybe one of the best for security, but this point is a big flaw.

    Anyway, maybe you should consider to create a custom capability to your plugin. This is the way most plugins works today.

  4. mra13
    Plugin Author

    Posted 2 years ago #

    I will change that in the next update.

  5. Samuel Aguilera
    Posted 2 years ago #

    Thank you very much!

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic