Support » Plugin: WooCommerce ShipStation Integration » API key exposure to non-admins

  • Resolved jondaley

    (@jondaley)


    I already opened a ticket to the woocommerce.com support team, and they say I must be having a conflict with another plugin, which might be the case, but when I read the code, it appears to me to be a bug in the code, but most people probably don’t see the bug, because most people don’t allow regular users access to the wp-admin side of the site.

    The issue is that the settings_notice() function is called for all users, and not just admins.

    I was able to “solve” the problem for me because we don’t really need backend access for our registered users, since we have methods for them to access the administration via our custom methods on the front end.

    Original bug description below:

    I don’t know if this has been happening for the whole time we’ve used shipstation, but I just got a screenshot (and I can replicate the bug) from a new user (e.g. not an administrator) who when logging into our site, sees a popup that says:

    ShipStation
    To begin printing shipping lables with ShipStation head over to ShipStation.com and log in or create a new account.

    The message shows the Auth key, which presumably shouldn’t be shown to any public users.

  • Erica K. a11n

    (@piratepenpen)

    Automattic Happiness Engineer

    Hey Jon,

    I’d like to know a bit more about the pop up that is appearing. Can you either provide a screenshot here (with the auth key blurred), or reply to the ticket with that information so we can troubleshoot some more?

    I personally have never seen a ShipStation pop up like that, so I’m curious where this is coming from. As requested, it would be best if we could test this out on a test site/staging site to see what may be at play here. If you have one set up – again – reply to that thread so we can look into it further.

    Thanks!

    Thread Starter jondaley

    (@jondaley)

    If we can coordinate, like on the phone or messaging or, I suppose here, as long as we have a scheduled time, I can disable my fix (how serious is a shipstation api key exposure?) so then you can see it yourself. Though I suppose you are really asking for ssh access, and I’ll have to see if I can get that for you. I haven’t installed the shipstation plugin on my dev site, but I can try that later.

    But, as I said before, the code that is being executed is simply:

    settings_notice() in woocommerce-shipstation-integration/includes/class-wc-shipstation-integration.php

    which is triggered within admin-header.php and because the user is accessing the “admin” pages, but is_network_admin() and is_user_admin() are both false, then the settings_notice() is sent.

    So, I’m not really sure you need a test site, other than a site that allows users into the backend. Which I suppose would count editors, etc. on a default site.

    Actually, I should be able to send the screenshot from my user, so then I don’t have to undo my fix. But, I have to run right now.

    Thread Starter jondaley

    (@jondaley)

    Erica K. a11n

    (@piratepenpen)

    Automattic Happiness Engineer

    Hey @jondaley,

    Thanks for that screenshot. By default, WooCommerce does not allow WP Admin access to roles outside of Admin roles. So if a customer tries to log in via WP Admin, it redirects to My Account. Is there a reason your customers need back end access?

    Either way, can you please create a support ticket so that I can follow up with you there? I do want to chat to our developers but need some sensitive information from you.

    Let me know when you have sent that so I can scoop it from the queue.

    Thread Starter jondaley

    (@jondaley)

    I don’t think that is true. Editors have access to the backend, right?

    I did create a ticket before and I was told that it wasn’t an issue.

    Erica K. a11n

    (@piratepenpen)

    Automattic Happiness Engineer

    Hey @jondaley,

    I should have clarified a bit more here. Editors do have access to WP Admin to edit blog posts on WordPress or whatever is needed – but they won’t have access to change anything in the WooCommerce settings. If you head over to our Roles and Capabilities documentation for WooCommerce, you can see what permissions are there out-of-the-box.

    For example, the role of customer is read only for most things. Generally this role can just edit their own account information and view past orders. When I sign into my test site with just WooCommerce and Storefront, it does not allow back-end access for any of my customers. So taking that into consideration, it is likely that you have a plugin set up to allow for this change in access as it is not something that is in default WooCommerce.

    I’m happy to look at your site and figure out where this is coming from, or if it is something that we can look into changing, but I’m going to need you to create that ticket for me. Please reference this forum post as well.

    Erica K. a11n

    (@piratepenpen)

    Automattic Happiness Engineer

    Hey @jondaley,

    We haven’t heard back from you in a while, so I’m going to mark this as resolved – if you have any further questions, you can start a new thread. Or, per my message above, you can open a ticket with us at WooCommerce and I would be happy to look into that further.

    Thanks.

    Thread Starter jondaley

    (@jondaley)

    Yeah – that’s fine. I’ve blocked access on my site to non-admin using another plugin, so I’m all set.

    From your previous response, it doesn’t sound like you still understand the problem – that non-admins, like editors, etc. access the admin, and can gain access to the shipstation api key.

    I created a ticket on the shipstation forum before I created a ticket here, but they weren’t interested in working on it, so I’m done.

    Thread Starter jondaley

    (@jondaley)

    It turns out my fix didn’t work, because we allow users to edit their own profile pages, and the shipstation API key was being revealed on /wp-admin/profile.php page, so even though they can’t edit it, it is still displayed.

    I was able to fix your code, by adding an && is_user_admin(), which I think is the right thing to do.
    if ( ! $settings_notice_dismissed && is_user_admin() ) {
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ) );
        add_action( 'admin_notices', array( $this, 'settings_notice' ) );
    }

    Thread Starter jondaley

    (@jondaley)

    Ugh, I updated the plugin, so my code was reverted, and I forgot to re-apply it, so a customer sent me a screenshot with the auth key, and wondered why I was letting them see “customer information”. They quickly logged out, so they couldn’t be blamed for stealing anything. Not a good customer experience.

    Is there a reason you don’t like my fix – e.g. why should non-admins get access to the shipstation api key?

    I understand that if users register via the woocommerce link, they are customers and (supposedly) then they get blocked, but I would think a bunch of sites use the other permission features of wordpress, like “contributors”, “editors”, etc. and wouldn’t want to share the shipstation api key with them.

    If you locked this down to shop_managers, and replaced the is_admin with shop_manager, that might make sense, but allowing all wordpress roles access to an API key (that I think is a security issue?) doesn’t make sense to me.

    • This reply was modified 2 years, 1 month ago by jondaley.
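
Added example, not code from the plugin or from any poster in this thread: a must-use plugin that removes the settings_notice() callback for users without a WooCommerce management capability, so the gate survives plugin updates. It tests the user with current_user_can() because WordPress's is_user_admin() only reports whether the request is for a user admin screen; the function name example_gate_shipstation_notice and the choice of the manage_woocommerce capability are assumptions.

```php
<?php
/**
 * Plugin Name: Gate ShipStation settings notice (added example)
 *
 * Drop-in for wp-content/mu-plugins/. Assumptions: the notice callback is the
 * settings_notice() method named in this thread, defined in a class whose file
 * lives under woocommerce-shipstation-integration/, and 'manage_woocommerce'
 * is the capability that should be allowed to see the key.
 */

defined( 'ABSPATH' ) || exit;

// in_admin_header fires in admin-header.php just before admin_notices,
// after the plugin has registered its callback.
add_action( 'in_admin_header', 'example_gate_shipstation_notice' );

function example_gate_shipstation_notice() {
	global $wp_filter;

	// Capability check on the logged-in user, not on the screen being viewed.
	if ( current_user_can( 'manage_woocommerce' ) ) {
		return;
	}
	if ( empty( $wp_filter['admin_notices'] ) ) {
		return;
	}

	// PHP copies arrays by value, so removal below does not disturb the loop.
	$registered = $wp_filter['admin_notices']->callbacks;

	foreach ( $registered as $priority => $callbacks ) {
		foreach ( $callbacks as $entry ) {
			$fn = $entry['function'];
			// Only object-method callbacks named settings_notice are candidates.
			if ( ! is_array( $fn ) || ! is_object( $fn[0] ) || 'settings_notice' !== $fn[1] ) {
				continue;
			}
			// Match on the defining file's path rather than a guessed class name.
			$file = (string) ( new ReflectionClass( $fn[0] ) )->getFileName();
			if ( false !== strpos( wp_normalize_path( $file ), '/woocommerce-shipstation-integration/' ) ) {
				remove_action( 'admin_notices', $fn, $priority );
			}
		}
	}
}
```

Because the check runs on every admin page load, it also covers /wp-admin/profile.php, where the thread reports the key being shown.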