Support » Plugin: Groups » Some (security) issues

  • Hi,
    I don’t understand the design of the plugin.

    If I own the ‘Administer Groups’ permission, I’m able to get all capabilities I want. Thus I can break out. So why did you implement the permission ‘Administer Groups plugin options’?

    It would be nice to have a plugin which provides a post access management without such security issues. In my opinion you should remove the whole capability management code because other plugins like ‘User Role Editor’ do it better anyway. That’s the KISS principle. 😀

    Another problem I found: why do you differentiate between normal caps and ‘read access enforce’ caps? And why can I set the latter at the meta box and the option screen but not at the capability management screens?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author itthinx

    Thanks for the suggestions, but as you said yourself, you haven’t yet understood it. I would recommend you have a look at the documentation – that will clarify for you that neither is there a security issue related to what you have mentioned, nor are the features around capabilities superfluous.

    The permission ‘Administer Groups plugin options’ is superfluous because you can use it to gain the permission ‘Administer Groups’. Vice versa, owning the ‘Administer Groups’ permission, you can get the ‘groups_admin_options’ capability, aka ‘Administer Groups plugin options’. There is no security-related reason to distinguish between these permissions. You should merge them.
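The escalation path both posts describe (each of the two permissions lets its holder obtain the other, so neither is a real privilege boundary) can be checked mechanically as a capability-closure audit. This is an added example, not the Groups plugin's own code: `administer_groups`, `edit_posts` and `manage_options` are placeholder names, and the grant rules are assumptions about what each permission lets its holder assign.

```python
from collections import deque

# Constructed capability universe; only groups_admin_options is named in the thread.
ALL_CAPS = {
    "administer_groups",      # placeholder for 'Administer Groups'
    "groups_admin_options",   # 'Administer Groups plugin options'
    "edit_posts",
    "manage_options",
}

# cap -> capabilities its holder can assign to themselves (assumed rules).
# "*" means any capability in the universe.
GRANTS = {
    "administer_groups": {"*"},
    "groups_admin_options": {"administer_groups"},
}


def effective_caps(held, grants=GRANTS, universe=ALL_CAPS):
    """Transitive closure: everything a user can end up holding by
    repeatedly applying the grant rules to the caps they already hold."""
    reached = set(held)
    queue = deque(held)
    while queue:
        cap = queue.popleft()
        for target in grants.get(cap, ()):
            for t in (universe if target == "*" else {target}):
                if t not in reached:
                    reached.add(t)
                    queue.append(t)
    return reached


def is_boundary(cap_a, cap_b, grants=GRANTS, universe=ALL_CAPS):
    """True if holding cap_a does NOT let a user obtain cap_b."""
    return cap_b not in effective_caps({cap_a}, grants, universe)


def redundant_pairs(grants=GRANTS, universe=ALL_CAPS):
    """Distinct capabilities that each imply the other: one trust level
    under two names, and therefore candidates for merging."""
    return {
        (a, b)
        for a in universe
        for b in universe
        if a < b
        and not is_boundary(a, b, grants, universe)
        and not is_boundary(b, a, grants, universe)
    }
```

Under these rules `redundant_pairs()` flags exactly the pair the thread argues about, while `edit_posts` remains a genuine boundary against `administer_groups`.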
