Some (security) issues (3 posts)

  1. edik
    Posted 2 years ago

    I don't understand the design of the plugin.

    If I own the 'Administer Groups' permission, I'm able to get all capabilities I want. Thus I can break out. So why did you implement the permission 'Administer Groups plugin options'?

    It would be nice to have a plugin which provides a post access management without such security issues. In my opinion you should remove the whole capability management code because other plugins like 'User Role Editor' do it better anyway. That's the KISS principle. :D

    Another problem I found: why do you differentiate between normal caps and 'read access enforce' caps? And why can I set the latter at the meta box and the option screen but not at the capability management screens?


  2. itthinx
    Plugin Author

    Posted 2 years ago

    Thanks for the suggestions, but as you said yourself, you haven't yet understood it. I would recommend you have a look at the documentation http://www.itthinx.com/documentation/groups/ - that will clarify for you that neither is there a security issue related to what you have mentioned, nor are the features around capabilities superfluous.

  3. edik
    Posted 2 years ago

    The permission 'Administer Groups plugin options' is superfluous because you can use it to gain the permission 'Administer Groups'. Vice versa, owning the 'Administer Groups' permission, you can get the 'groups_admin_options' capability aka 'Administer Groups plugin options'. There is no security-related reason to distinguish between these permissions. You should merge them.

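The mutual-reachability argument in the last post, as an added example that is neither the plugin's code nor the poster's: a small audit script that models "holding capability A lets you grant yourself capability B" as a directed graph, computes each capability's effective privilege closure, and flags capabilities that can each obtain the other (and so confer the same privilege and are candidates for merging). The capability names and grant edges below are constructed assumptions for illustration, not a description of the actual plugin.

```python
from collections import deque

# Constructed grant model (assumption, not the plugin's real behaviour).
# An edge "a -> b" means a holder of capability a can assign capability b
# to themselves through some admin screen. "*" means "any known capability".
GRANTS = {
    "groups_admin_groups": {"*"},                       # 'Administer Groups'
    "groups_admin_options": {"groups_admin_groups"},    # plugin options screen
    "read": set(),
    "edit_posts": set(),
}


def reachable(start, grants):
    """Transitive closure: every capability a holder of `start` can end up with."""
    seen = {start}
    queue = deque([start])
    while queue:
        cap = queue.popleft()
        targets = grants.get(cap, set())
        if "*" in targets:
            targets = set(grants)   # wildcard expands to every known capability
        for nxt in targets:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def equivalent_capabilities(grants):
    """Unordered pairs of distinct capabilities that can each obtain the other.

    Such pairs confer identical effective privilege: keeping both only
    suggests a separation that does not exist, which is the poster's point.
    """
    pairs = set()
    for a in grants:
        for b in reachable(a, grants):
            if a != b and a in reachable(b, grants):
                pairs.add(frozenset((a, b)))
    return pairs


if __name__ == "__main__":
    for cap in GRANTS:
        print(f"{cap}: effective privilege = {sorted(reachable(cap, GRANTS))}")
    for pair in equivalent_capabilities(GRANTS):
        print("equivalent, consider merging:", sorted(pair))
```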
Topic Closed

This topic has been closed to new replies.