Support » Plugin: All in One SEO Pack » Disable .htaccess in file editor while leaving robots.txt editor?

  • Is there any way I can disable All in One SEO’s .htaccess editing, and just that feature, in a theme or plugin?

    It looks like there’s a filter in the All_in_One_SEO_Pack_Feature_Manager class that might work to disable the file editor altogether, which is probably what I’ll do if I have to. But I do like the idea of exposing robots.txt, and it alone, to our users.

    https://wordpress.org/plugins/all-in-one-seo-pack/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author wpsmort

    (@wpsmort)

    Hi bvucp,

    Why not just deactivate that module in Feature Manager?

    The Feature Manager is open to all admins, and on this site I need to be able to appoint admins with control over the Dashboard side of things – users, content, etc. – without allowing them to start doing server-side modifications.

    Using the wp-config constant DISALLOW_FILE_MODS generally covers this, but All in One SEO 2.2 has now opened another window that’s free of that constant. (Speaking of which, respecting that flag and refusing to save File Editor modifications if that constant is flipped on would probably be good practice, and would also solve my dilemma with the 2.2 update.)

    While unlikely short of a log-in getting hacked – which is certainly imaginable – the worst-case scenario I see for the new .htaccess editor is someone enabling PHP execution in the uploads folder.

    I suppose I could also just change ownership of .htaccess to make it unwritable for WordPress. Would also close this gap, but it would prevent a security plugin from writing to it as well.

    Plugin Author wpsmort

    (@wpsmort)

    Hi bvucp,

    I will have our Lead Developer look at obeying the DISALLOW_FILE_MODS in the next release due out very soon and I’ll have him respond to you here with any temporary workaround.

    Hi bvucp,

    I think obeying DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS is a good idea; in the meantime you’re right that there is a hook, I’d suggest using some code like this:

    add_filter( 'aioseop_module_list', 'bvucp_aioseop_file_editor_fix' );
    function bvucp_aioseop_file_editor_fix( $modules ) {
        if ( isset( $modules ) && in_array( 'file_editor', $modules ) && ( ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) || !is_super_admin() ) ) {
    	$modules = array_diff( $modules, Array( 'file_editor' ) );
        }
        return $modules;
    }

    Thanks Peter & wpsmort!

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Disable .htaccess in file editor while leaving robots.txt editor?’ is closed to new replies.