• Resolved coNQP

    (@conqp)


    Hi everybody,

    I encounter the strange problem that standard users can access the Events Manager’s settings page via the dashboard menu “Events Manager -> Settings” and can actually modify the settings there.
    To me this is an unacceptable security risk.

    Can anybody reproduce this problem?

    http://wordpress.org/plugins/events-manager/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Hi,

    Is this a multisite install or a single site setup?

    What level of user does this apply to?

    Thanks.

    Plugin Support angelo_nwl

    (@angelo_nwl)

    hi,

    have you tried the user capabilities at Events > Settings > General > User Capabilities? Also, do those users have the subscriber role, and have you tried disabling other plugins?

    Thread Starter coNQP

    (@conqp)

    I am using a single-site installation.
    The respective users have these capabilities (using the “User Role Editor”):
    http://imageshack.us/photo/my-images/38/g6zr.png/
    Respectively those capabilities within the Events Manager’s settings:
    http://imageshack.us/photo/my-images/844/6lxx.png/

    Yet those users, having the role “Corpsbruder” can all access and modify the Event Calendar’s settings as shown in my first post.

    Thanks for any further hints

    Thread Starter coNQP

    (@conqp)

    Update: I just figured out that the issue is connected to the “list_users” permission within the “User Role Editor”.
    If it is set, the issue occurs; if not, it doesn’t.
    Why is this? :-\

    Hiya,

    EM doesn’t use the list_users permission at all so it doesn’t make sense that granting that permission would allow users to access the settings.

    Is the “Corpsbruder” role a new role that you’ve created, or one of the standard roles?

    Thanks,
    Phil

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    list_users is something admins are able to do which also works with MultiSite, so that’s the permission we use rather than activate_plugins.

    I replied to someone with the same problem a few days ago, but unfortunately I can’t find it…. basically you can hook into WP, remove our menu item and re-add it with the right capability, see admin/em-admin.php for how we add ours.
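    The approach Marcus describes, written out as a small must-use plugin (an added example, not code from Events Manager or from anyone in this thread). The parent menu slug, the settings page slug and the use of `manage_options` as the admin-only capability are assumptions; confirm the slugs against admin/em-admin.php for your EM version.

```php
<?php
/**
 * Plugin Name: Restrict Events Manager settings to administrators
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Constructed example: the parent/page slugs are assumptions about EM,
 * verify them against admin/em-admin.php for the installed version.
 */

define( 'EMFIX_PARENT_SLUG',  'edit.php?post_type=event' ); // assumed EM top-level menu slug
define( 'EMFIX_PAGE_SLUG',    'events-manager-options' );   // assumed Settings page slug
define( 'EMFIX_REQUIRED_CAP', 'manage_options' );           // admin-only capability on a single site

/**
 * Remove the Settings entry EM registered with list_users and register it
 * again with manage_options. Passing an empty callback keeps EM's own render
 * function, which the original registration already attached to the page's
 * hook name. For users lacking the capability, add_submenu_page() records the
 * page in $_wp_submenu_nopriv, so direct requests to admin.php?page=... are
 * refused as well, not just the menu link hidden.
 */
function emfix_reregister_settings_menu() {
    remove_submenu_page( EMFIX_PARENT_SLUG, EMFIX_PAGE_SLUG );
    add_submenu_page(
        EMFIX_PARENT_SLUG,
        __( 'Settings', 'events-manager' ),
        __( 'Settings', 'events-manager' ),
        EMFIX_REQUIRED_CAP,
        EMFIX_PAGE_SLUG,
        '' // keep EM's original callback
    );
}
// Priority 99 so this runs after EM has built its menu at the default priority.
add_action( 'admin_menu', 'emfix_reregister_settings_menu', 99 );

/**
 * Belt and braces: refuse any request for the settings page (including form
 * submissions posted back to it) from a user without the capability, even if
 * the slugs above ever drift from how the menu is registered.
 */
function emfix_block_settings_requests() {
    if ( isset( $_GET['page'] ) && $_GET['page'] === EMFIX_PAGE_SLUG
         && ! current_user_can( EMFIX_REQUIRED_CAP ) ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to access this page.' ), 403 );
    }
}
add_action( 'admin_init', 'emfix_block_settings_requests' );
```

    To verify, log in as a user who holds `list_users` but not `manage_options` and request both the menu and the page URL directly; both should now be refused.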

    Same problem here. Our membership is managed by quite non-technical people who do not have any editing privileges. We want to keep the interface as simple as possible for them.

    “hook into WP, remove our menu item and re-add it with the right capability” seems like a lot of added complication for something that should be quite simple. I prefer not to do that — we already have too many tweaks that are a mess to maintain and slow the site down.

    Is there no other capability than “list_users” that could be used to test for admin status? That sounds like a defect in wordpress.

    Same problem here. In my opinion this is not a solution, not even close to one. Thanks for reopening.


The topic ‘Normal users can modify settings’ is closed to new replies.