Support » Plugin: Groups » Whole of site security compromised by update

  • Resolved ColinR4

    (@colinr4)


    The latest update of Groups caused my entire multi-site to be made open to the public.

    I have been using group membership and access restriction (capabilities) to control page access. The upgrade disabled this and all pages and menus on the sites were then visible. I have 20 sites and was able to manually set legacy mode to resolve this.

    I can see the improved read access is a step forward but you have caused my users considerable stress and damaged my reputation.

    regards
    Colin

Viewing 4 replies - 1 through 4 (of 4 total)
  • Colin, you might find Kento’s answers to my report of similar problems helpful, here:
    https://wordpress.org/support/topic/problems-with-upgrade-to-version-2-00/

    I understand your frustration as I experienced similar issues with a site where it is important for most pages to be protected from public access. As someone who also manages multiple sites, I also know how frustrating it is to discover a problem that impacts use or security of multiple sites at once.

    However, I think it is unfair to blame the plugin offer for problems caused to your reputation. This plugin was clearly a major upgrade (from version 1.13 to 2.0) – and the changelog clearly documented this shift in the access restriction model, as well as the legacy mode option.

    Any update to a plugin or theme can cause problems on sites. Sometimes this can be a bug in plugin code, but it can also be due to an unanticipated conflict with other plugins. Because the Groups plugin is particularly critical to site security, I always back up my site before upgrading and test immediately to make sure that the site is functioning as expected. On a high traffic site where security is important, I think it’s also a good precaution to use a maintenance mode system to protect the site from public view during testing.

    Kento responded very quickly to my original report, and a fix was released within 7 hours of my complaint.

    Keep in mind that this is a free plugin!

    Plugin Author Kento

    (@proaktion)

    @colinr4 Thanks for informing about the issues you have experienced, sorry to hear that this was causing difficulties but if I understand you correctly, you have been able to solve it by manually enabling legacy mode? The update is designed to do that automatically for upgrades, i.e. the legacy mode should have been enabled automatically. Was this not the case? If not, then that explains why the pages would have been left unprotected. Did you check whether it was just menu items and the pages still protected as in @abigailm’s case? The update to 2.0.1 would solve this directly.

    @abigailm Many thanks for participating with your feedback and experience. I would also recommend to make appropriate backups and assure that rollbacks are possible and to test any major upgrades on a staging site replica before doing it on the production site.

    Also for cases like @colinr4’s, where there is an additional layer of responsibility to users and customers, it’s really important to go the extra mile of passing staging site upgrades first before things are changed on production. Of course we’ve done a lot of work to try to assure that the upgrade process will go as smoothly as possible for everyone, but with so many different setups and given that there’s really a huge amount of users basing their systems on Groups, it’s impossible to cover each and every case – so I’m not saying this to shift responsibility, but rather to motivate anyone to do their proactive testing before major changes affect their production environment with undesired outcomes.

    We’re all used to putting a lot of trust in the work of those that provide the tools we use. Actually I don’t think it matters a lot whether it’s free or premium, many of us finance the work we provide in the form of free tools through premium extensions, because it’s almost impossible for many to provide these free tools without generating an income from “somewhere” … but in any case, we’re responsible for what we do, especially when it affects so many users around the World.

    So, I can assure that our team and myself really do all that we can to assure in the most possible ways, that things will continue to work, that they work even better, that we have more and more useful features and that our users will know about the changes and whether they might affect their sites more deeply.

    And, I can’t say this too often, I’m really really grateful for all the feedback everyone provides and has provided over the years. Please continue using the tools and please don’t hesitate to ask, give feedback, make suggestions, even participate with pull requests and whatever you think would be constructive.

    @colinr4 Feel free to ask if you need further help …

    Cheers!

    Hi Kento

    Sorry – My message was unnecessarily angry. Of course it is my responsibility to test/release before implementing any change.

    Yes – enabling legacy mode resolved the issue.

    regards
    Colin

    Plugin Author Kento

    (@proaktion)

    Hi Colin,

    Many thanks for the update on that, I’m very glad that this worked for you. And I really appreciate your message, no hard feelings here 🙂

    If there’s anything else you need help with or would like to suggest any improvement, please feel free to let me know.

    Cheers
