Hmmm… that’s a new one. I can’t think of an efficient way to look at this other than you emailing me your Google account details and WordPress login details (david@wordshell.net). There’s no particular additional risk in you sending me them, since any plugin you install already has 100% access to your WordPress site.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Off topic for a moment:
There’s no particular additional risk in you sending me them, since any plugin you install already has 100% access to your WordPress site.
I’m glad you want to support your plugin but that’s just not a true statement. There is always a risk when you let someone you do not know login to your WordPress installation and asking for that access should be a last resort.
Plugins in the repo here get some scrutiny and the ones that are reported as having dodgy code are looked at again and removed if necessary. Running code that has access to everything is different from giving access to a real person.
Note: Plugin authors do request this access sometimes and I don’t have a problem with that. I’m not implying that David has bad intent and I am 100% sure he wants to help but the risk should be stated correctly. 😉
Carry on…
Jan, I’d love it if that were true. But if you’re a plugin author then you know that within a few seconds of me uploading a new version, it is available for download on WordPress.Org and in the “Update” function of everybody’s existing installations. Nobody scrutinises plugin updates before they go live; there’s no queue, no approval system – they go live immediately. Any competent plugin coder could slip in any kind of back-door, either in plain daylight, or with a little obfuscation (e.g. an ‘accidental’ security hole). Your policing of this forum post is more policing than has ever been done of any plugin update I’ve released before it went live for download a few seconds later. I’m telling hmc3 the reality – if you wish it was different, then you should campaign to change the SVN check-in/go-live procedure, rather than giving hmc3 the impression that there’s more scrutiny on plugins than there is.
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
rather than giving hmc3 the impression that there’s more scrutiny on plugins than there is.
Right. Sorry, I was unclear and back to my original intent:
Giving anyone you do not know access to your WordPress installation is a risky thing to do. That step is sometime necessary but it should be the last support option and not the first.
Stating “You’re already doing something inherently risky” doesn’t change that. I’m sorry if my making that clear somehow offends you and that was not my intention.
I get and appreciate that you’re supporting your plugin. You don’t have to and that you do so on your time free of charge is a great. I and others do appreciate your contribution to the community. That’s a true statement of how I feel.
My off topic comment was about the stated risk. That’s all and no one should read more into it then that.
Hi Jan,
Thanks for the clarification. It is indeed risky to give anyone access to your WordPress install. My point was that anyone installing someone’s plugin has already given the “someone” that access; installing a plugin gives equal access to a full admin username and password. In theory people can scrutinise the plugin’s source code; in practice, that doesn’t happen, and any competent coder would be able to obfuscate his code enough to make it near-impossible unless you paid a very high price for a comprehensive, professional audit. But, I think we all understand each other now and I appreciate the support you provide too.
David
This one was fixed via email. The entered URL did not exactly match what was shown.
Hi David, I to am getting the same error – Error: redirect_uri_mismatch when trying to authenticate the google drive. Followed your instructions to the T. Please explain how this was resolved. Thanks.
Hi sniglet1971, the previous user did not enter the settings into Google Drive’s API console that the instructions told him to… he mis-entered the URL… and that’s what the error message means.
