Support » Plugin: Raw HTML Snippets » [Plugin: Raw HTML Snippets] feature suggestion – admin only access

  • I gave this a five star rating previously and am thinking about taking it down a notch as I just discovered that contributors and authors have access. Think you should add the option of changing the access level as it means any contributor could add whatever code they want. Not a huge risk with our community, but enough that some kind of restriction should be added IMHO.

Viewing 1 replies (of 1 total)
    1. LXJV4T=I strongly second the gist of this suggestion, specifically:
    1. LXJV5G=Who can create & edit these snippets (which could run dangerous code) must be limited (except on a site where all logins are fully trusted, a big limitation).
    1. LXJVNV=But, a refinement of the prior post, it need not only be a role limited to admins. Instead ideally it would a role grantable by an admin (or by one granted by an admin to grant the role).
    1.  LXJV92=as this safety mechanism LXJV5G (above) appears missing as:
    1. LXJW7V=the prior post report it is (and that’s just 2 weeks ago, but the plugin (latest “Version 1.1.2“) was “Last Updated: 2011-5-18” –not recent enough)
    2. LXJW85=the official docs don’t say otherwise.
    1. LXJV64=Indeed only considered the plugin originally because I was guessing this security hole wouldn’t be there, since it’s so obvious (analogous  to, in a Unix, allowing arbitrary user to create an executable file which instead run with almost-admin permissions: an obvious no-no). But fortunately, just, before installing this plugin, I searched reviews about it and found this thread on top.
    • LXJVDQ=So in the meantime
    1. LXJVDZ=I’m not using such plugin since presently since (I can’t find something as easy but also safe) and  I need to do is inject CSS (so add it to the style file), still
    2. LXJVE9=the best alternative plugin I have seen (but not by trying it) is PHP Snippets -indeed, it allows for arbitrary PHP (so presumably JavaScript & CSS, too), but the code must be created by one able to edit PHP code so no security hole.
Viewing 1 replies (of 1 total)
  • The topic ‘[Plugin: Raw HTML Snippets] feature suggestion – admin only access’ is closed to new replies.