izsevastopolya
Forum Replies Created
Forum: Plugins
In reply to: [Plugin: Widget Logic] This plugin is potentially dangerous
Hm … I’d forgotten about the ‘switch_themes’ capability. And yes, I always give that ability to editors so they can access widgets because, as I said before, widget content is often subject to occasional change. So I suppose this topic may be closed, because there is a way to prevent non-admins from executing PHP. But I still think it is an uncomfortable solution, and if you did something more suitable it would be great.
Forum: Plugins
In reply to: [Plugin: Widget Logic] This plugin is potentially dangerous
anyone with rights to edit widgets can execute code – are you saying the ability to get code exec’d goes beyond those rights?
Sure! An editor (with editing rights) is a person who is completely responsible for content but not for site functioning. Yes, widgets are accessible to editors because they (widgets) are pieces of content. But widgets that give the editor the possibility to add PHP code are not parts of content; they are parts of programming logic.
To my mind the best way is to add a custom WP capability that will control access to that widget. See http://codex.wordpress.org/Roles_and_Capabilities. And the default for this capability should be “for admins only”.
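The custom-capability approach suggested in the reply above, sketched as a small companion plugin. This is an added example, not code from the Widget Logic plugin or from the forum poster. The capability name `manage_widget_logic`, the plugin name, and the assumption that the PHP-bearing option is stored in the widget instance under the key `widget_logic` are all assumptions made for illustration; only `widget_update_callback`, `register_activation_hook`, `get_role`, `add_cap` and `current_user_can` are real WordPress APIs.

```php
<?php
/*
Plugin Name: Widget Logic Capability Gate (hypothetical example)
Description: Only users holding a custom capability may set or change the
             PHP-bearing widget field; everyone else keeps the stored value.
*/

// Custom capability name: an assumption for this example, not part of
// WordPress core or the Widget Logic plugin.
const WLCG_CAP = 'manage_widget_logic';

// On activation, grant the capability to administrators only. Editors keep
// their normal widget access but do not receive this capability, which is
// the "for admins only" default the forum reply asks for.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role && ! $role->has_cap( WLCG_CAP ) ) {
        $role->add_cap( WLCG_CAP );
    }
} );

// Clean up the capability again on deactivation.
register_deactivation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->remove_cap( WLCG_CAP );
    }
} );

// Helper: may the current user (or the given user) edit the logic field?
function wlcg_user_can_edit_logic( $user_id = null ) {
    if ( null === $user_id ) {
        return current_user_can( WLCG_CAP );
    }
    return user_can( $user_id, WLCG_CAP );
}

// Core filter run on every widget save. If the saving user lacks the
// capability, any change to the assumed 'widget_logic' key is reverted to
// the previously stored value and the attempt is logged, so an editor can
// still change a widget's ordinary content without being able to add or
// alter the PHP expression.
add_filter( 'widget_update_callback', function ( $instance, $new_instance, $old_instance ) {
    if ( ! is_array( $instance ) || wlcg_user_can_edit_logic() ) {
        return $instance;
    }

    $old = isset( $old_instance['widget_logic'] ) ? (string) $old_instance['widget_logic'] : '';
    $new = isset( $new_instance['widget_logic'] ) ? (string) $new_instance['widget_logic'] : '';

    if ( $old !== $new ) {
        $instance['widget_logic'] = $old;
        error_log( sprintf(
            'widget_logic change blocked for user %d (lacks %s)',
            get_current_user_id(),
            WLCG_CAP
        ) );
    }
    return $instance;
}, 10, 3 );
```

Dropping the plugin into `wp-content/plugins/` and activating it is enough to try it: an administrator can edit the field as before, while an editor's save silently keeps the previous value and leaves a line in the PHP error log. Gating the save rather than the widget form keeps the check server-side, so hiding the field in the UI is not what protects the site.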
I’ve found it by myself. The theme I use sets CSS for the A element so that it is displayed as a block element like <DIV> instead of the default inline style.