• zachkinsey

    (@zachkinsey)


    I’m preparing to deploy a multisite network and I’m wondering if it’d be safe to allow users to use this plugin?

    Would they be able to inject anything malicious across the network from their sub-sites or crash the network?

    Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Shea Bunge

    (@bungeshea)

    It’s definitely not safe to allow your users to make use of this plugin.

    Snippets added on each individual site will only run when that particular site is accessed, but it’s not difficult to make use of the unrestricted access to run PHP code to gain access to the rest of the network and run malicious code.

    Only allow people who you would trust to have access to your server to use this plugin.

    This question does get me thinking that perhaps it’d be useful to have some sort of system where super admins can add and edit snippets, and site administrators are only allowed to activate and deactivate snippets. Would this be useful in your situation?

    Thread Starter zachkinsey

    (@zachkinsey)

    Hmm, that’s a shame!

    So, there’s NO way for them to be able to ONLY have access to their sub-site via the Snippets?

    And, regarding your question.

    That’d be great!

    I actually stumbled upon kind of similar needed functionality a while ago when I was trying to network activate snippets only to find out that when I try to edit them from the sub-site, it forces me to go to the Network Admin.

    AKA, sub-site administrators would be unable to edit their snippet to their liking.

    For example, redirecting the default Login, Forgot Password, and Registration pages to custom ones.

    However, your suggestion would still be great because it’s a similar conclusion I came to.

    I was also thinking that it’d be pretty cool if users could create Snippets without being able to activate them and send them to the Super Admin for approval.

    And, if approved… they’re posted across the Network similarly to the Super Admin being able to post snippets across the network.

    ==================

    “Snippets added on each individual site will only run when that particular site is accessed, but it’s not difficult to make use of the unrestricted access to run PHP code to gain access to the rest of the network and run malicious code.”

    There’s no system you could put in place to limit them from being able to do that?

    Plugin Author Shea Bunge

    (@bungeshea)

    I realise this thread is a little old, but I did not realise I had not responded to your later questions.

    Unfortunately, the nature of PHP is that you cannot ‘sandbox’ code in this way. I have made it so that site administrators are able to only create and edit snippets on their own site, which will only ever be run on their own site and not on the rest of the network, but as WordPress does not have any mechanism in place to restrict plugins which are activated on a per-site basis from accessing the rest of the network, there is no way to implement this concept in snippets either.

    The creating snippets for approval is an interesting idea, but I’m not sure how much use it would have if I did implement it. I’ll keep it in mind for a possible future feature.

  • The topic ‘Is it safe to let user’s use this plugin?’ is closed to new replies.