[Resolved] Shock! A subscriber can admin the Jetpack options!

  • mattes3

    @mattes3

    I am using Jetpack 2.0.2.

    I created a new user in WordPress and gave him the subscriber role which has only the “read” capability. Then, I logged in as this user. I got an admin page with Dashboard and Profile, and guess what? The Jetpack admin page appeared, too, happily saying:

    “To enable all of the Jetpack features you’ll need to link your account here to your WordPress.com account using the button to the right.”

    Folks, not every user should be able to change the Jetpack settings on my site! Would you please fix this? Please check for the manage_options capability first before you show the Jetpack admin panel:
    http://codex.wordpress.org/Roles_and_Capabilities#manage_options

    Thanks a lot!

    http://wordpress.org/extend/plugins/jetpack/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Agreed. More granular control and accessibility based on user roles would be great. Or the ability to only show certain Jetpack modules based on a user’s role. This seems pretty serious.

    downsouth

    @downsouth

    Horrified by this. I have to inform each low-level user “do not touch”. It’s ridiculous.

    Tom

    @tomasz_b

    That’s very interesting. Because of such issues I will not be surprised when vulnerabilities are found in Jetpack. But I hope this will be fixed.

    Jetpack is ridiculous for many reasons. I deleted it because it is bloated with plugins (and new features are automatically enabled), it was slowing down my web site, stats were not working, and worst of all it was spying on my visitors by setting a Quantserve web bug. I was not even aware of this and was shocked when someone notified me 🙁

    Plugin Author Jeremy Herve

    @jeherve

    Rest assured, registered subscribers cannot make any changes to your site’s Jetpack Settings.

    They will, however, see the Jetpack menu, and they will be able to connect to their WordPress.com account in order to activate the Toolbar notifications. You can read more about it here:
    http://jetpack.me/support/toolbar-notifications/

    Plugin Contributor Gregory Cornelius

    @gcorne

    For folks that come across this thread, I threw together a gist that shows how one can easily remove the menu for users that do not have the ‘edit_posts’ capability in a simple plugin. To install, I would create a file in mu-plugins named jetpack-tweaks.php and add the code. While there is a chance that this tweak could break after an upgrade, it is unlikely and won’t negatively impact your site.

    https://gist.github.com/4252178

    While this will work, registered subscribers won’t be able to use Toolbar Notifications.

    Thanks gcorne

    I would imagine you could just place that code snippet in your functions.php file as well.

    Personally I like using a Functions.php Plugin (http://www.doitwithwp.com/create-functions-plugin/) so that I can apply custom tweaks to all sites on my WP Network at once, regardless of theme updates or theme switches.

    I’m also assuming you could do something similar for the Author role as well?

    <?php
    
    // Remove the Jetpack top-level menu for users who lack the 'edit_posts'
    // capability (subscribers). Authors and above still see it.
    function jetpack_hide_from_authors() {
    
        if ( ! current_user_can( 'edit_posts' ) ) {
            remove_menu_page( 'jetpack' );
        }
    }
    
    // 'jetpack_admin_menu' fires after Jetpack registers its menu page.
    add_action( 'jetpack_admin_menu', 'jetpack_hide_from_authors' );

    Thanks again.

    @neffect, only subscribers cannot edit_posts (see Roles and Capabilities).

    If you wanted to block only authors, you could use
    if ( current_user_can('author')

    If you wanted to limit it to only those “higher” than an author, you could use
    if ( ! current_user_can('edit_others_posts')
    or any other capability listed in the above link that applies only to Editors & Administrators (and Super Admins if Multisite).

    I use slim jetpack instead.
    I want to hide its options for everyone except the super admin (in an MU installation).
    Its options come under the options menu, not under the dashboard.
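The two tweaks discussed above (gcorne's gist that hides the Jetpack menu from users without a chosen capability, and the last reply's wish to hide a Settings-submenu variant from everyone but the super admin on multisite) can be combined in one mu-plugin. The following is an added example written for this thread; it is neither Jetpack's code nor gcorne's gist. Assumptions: the constant JPT_REQUIRED_CAP and the jpt_ function names are ours; the plugin hooks the core admin_menu action at a late priority instead of Jetpack's own jetpack_admin_menu hook, so it also runs on installs where that hook is absent; the Settings-submenu slug is a placeholder to replace with the slug your install actually registers; the screen id 'toplevel_page_jetpack' is the id WordPress derives from a top-level menu slug of 'jetpack'.

```php
<?php
/**
 * Plugin Name: Jetpack menu visibility tweak (example, not Jetpack's own code)
 * Description: Hide the Jetpack admin menu from users who lack a chosen
 *              capability, and from everyone but super admins on multisite.
 *              Save as wp-content/mu-plugins/jetpack-tweaks.php.
 */

// Capability required to see the Jetpack menu. 'manage_options' is what the
// opening post asks for; 'edit_posts' would reproduce gcorne's tweak.
// The constant name is this example's own, not a Jetpack setting.
if ( ! defined( 'JPT_REQUIRED_CAP' ) ) {
    define( 'JPT_REQUIRED_CAP', 'manage_options' );
}

/**
 * Returns true when the current user may see (and open) the Jetpack page.
 * On multisite only super admins qualify, as the last reply above wants.
 */
function jpt_user_may_see_jetpack_menu() {
    if ( is_multisite() ) {
        return is_super_admin();
    }
    return current_user_can( JPT_REQUIRED_CAP );
}

/**
 * Remove the Jetpack menu entries. Priority 999 on admin_menu runs after
 * Jetpack has registered its pages, so there is something to remove.
 */
function jpt_hide_jetpack_menu() {
    if ( jpt_user_may_see_jetpack_menu() ) {
        return;
    }
    // Top-level "Jetpack" menu (slug 'jetpack').
    remove_menu_page( 'jetpack' );
    // Forks that register under Settings instead: replace the placeholder
    // with the submenu slug shown in that fork's add_options_page() call.
    remove_submenu_page( 'options-general.php', 'JETPACK_SUBMENU_SLUG_PLACEHOLDER' );
}
add_action( 'admin_menu', 'jpt_hide_jetpack_menu', 999 );

/**
 * Removing a menu item only hides the link; a user who knows the URL can
 * still request the page. Refuse the request itself for the same users.
 * 'toplevel_page_jetpack' is the screen id WordPress builds from the slug.
 */
function jpt_block_direct_jetpack_access( $screen ) {
    if ( 'toplevel_page_jetpack' !== $screen->id ) {
        return;
    }
    if ( ! jpt_user_may_see_jetpack_menu() ) {
        wp_die( esc_html__( 'You do not have permission to view this page.' ), 403 );
    }
}
add_action( 'current_screen', 'jpt_block_direct_jetpack_access' );
```

Keeping the capability check in one function (jpt_user_may_see_jetpack_menu) means the menu removal and the direct-access guard can never disagree about who is allowed in; the guard matters because remove_menu_page() changes only what the admin sidebar renders, not what /wp-admin/admin.php?page=jetpack will serve.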

  • The topic ‘[Resolved] Shock! A subscriber can admin the Jetpack options!’ is closed to new replies.