Widget Logic
Feature request+patch: capabilities-based security (3 posts)

  1. outis
    Posted 3 years ago #


    By default, only administrators have the 'edit_theme_options' necessary to access the widget admin panel. However, some sites have a role (e.g. for theme editors & graphic designers) between editor and administrator with this capability. If widget logic is installed on such a site, it introduces a privilege escalation.

    A while back I submitted a ticket and patch to the plugins track that addressed this by adding an option for & a check against an arbitrary capability necessary to access widget logic options (it defaults to "administrator", so only admins can add widget logic to a widget). The check-points are:

    • when adding the various admin filters,
    • when processing an AJAX update (widget_logic_ajax_update_callback()),
    • when setting up the widgets for editing (widget_logic_expand_control()) and
    • when displaying widget logic options (widget_logic_options_control())

    The last two are redundant given the first, but the extra security checks don't hurt. The patch probably won't apply to the current release, but if you're open to including it in WL, I'll gladly update it.
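    The gate the post describes, written out here as an added illustration rather than the submitted patch; the option name `widget_logic_capability`, the nonce action and the AJAX action name are assumptions, while the hook and callback names are the ones the post mentions.

```php
<?php
// Added example of the capability check-points described above; not the
// actual Widget Logic patch. Option name 'widget_logic_capability' and the
// AJAX/nonce action names are assumed.

define( 'WIDGET_LOGIC_DEFAULT_CAP', 'administrator' );

// True only when the current user holds the configured capability.
// An empty or non-string option falls back to the default instead of
// failing open.
function widget_logic_user_allowed() {
    $cap = get_option( 'widget_logic_capability', WIDGET_LOGIC_DEFAULT_CAP );
    if ( ! is_string( $cap ) || '' === $cap ) {
        $cap = WIDGET_LOGIC_DEFAULT_CAP;
    }
    return current_user_can( $cap );
}

// Check-point 1: register the admin-side filters only for allowed users,
// so the widget logic fields never appear for a theme-editor role.
function widget_logic_register_admin_hooks() {
    if ( ! widget_logic_user_allowed() ) {
        return;
    }
    add_filter( 'in_widget_form', 'widget_logic_options_control', 10, 3 );
    add_action( 'wp_ajax_widget_logic_update', 'widget_logic_ajax_update_callback' );
}
add_action( 'admin_init', 'widget_logic_register_admin_hooks' );

// Check-point 2: the AJAX handler re-checks on its own, because
// admin-ajax.php can be requested directly regardless of which form
// filters ran for the page.
function widget_logic_ajax_update_callback() {
    check_ajax_referer( 'widget_logic_update', 'nonce' );
    if ( ! widget_logic_user_allowed() ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    // ... persist the submitted widget logic for the widget ...
    wp_send_json_success();
}

// Check-point 3: the options control also checks, so it stays safe if it is
// ever hooked from somewhere other than widget_logic_register_admin_hooks().
function widget_logic_options_control( $widget, $return, $instance ) {
    if ( ! widget_logic_user_allowed() ) {
        return;
    }
    // ... render the widget logic field for this widget ...
}
```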


  2. alanft
    Plugin Author

    Posted 3 years ago #

    Yeah, I'll take a pass at putting that into the dev version soon. If 3.6 turns out to need an update I'll release it really soon.

  3. outis
    Posted 3 years ago #

    I've updated the patch to apply to WL 0.56.
