I’m using the Simple Photo Feed plugin and noticed that its settings are accessible from both the editor and author dashboards. I haven’t checked other roles, but the settings should only be accessible by Administrators for security reasons.
Please consider reviewing the permission checks (e.g., using current_user_can('manage_options')) to ensure only admins can access and modify plugin settings.
Thank you for bringing this up and it was actually the initial approach I had for this plugin. Only administrators were able to access the settings page and configure their Instagram Accounts.
This was changed in v1.4.0, as you can see here. The reason was that some users were specifically asking for the ability for non-admins to connect their Instagram profiles. Many web developers create and manage WP sites for their clients and do not give them admin roles. So Editors/Authors would need to connect their Instagram without sharing credentials with their web developers.
So, I finally implemented a better way to manage access control for this plugin.
Please download the latest version, and as an admin you can now see this extra option:
As you can understand, Administrators can now allow Editors or Authors to see and edit the settings of this plugin. Detailed information about this new feature can be found here.
Let me know what you think and if you have any ideas I would be happy to hear them.
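The pattern the two posts above describe (settings locked to `manage_options` by default, with an administrator able to delegate access to Editors or Authors) can be implemented as shown below. This is an added illustration, not the Simple Photo Feed plugin's own code; the `spfx_` option, capability and function names are hypothetical, while `current_user_can`, `user_has_cap`, `add_options_page`, `check_admin_referer` and `admin_post_{action}` are real WordPress APIs. The security point it makes: the capability passed to `add_options_page` only hides the menu entry, so the render callback and the POST handler must repeat the check, and the list of delegated roles itself must be editable only by administrators, otherwise an Editor could widen their own grant.

```php
<?php
// Added example (hypothetical spfx_ names); not code from the plugin discussed above.
defined( 'ABSPATH' ) || exit;

const SPFX_ROLES_OPTION    = 'spfx_allowed_roles'; // assumed option: roles an admin delegated to
const SPFX_SETTINGS_OPTION = 'spfx_settings';      // assumed option: the plugin's own settings

// Roles an administrator is allowed to delegate to. Anything else is ignored even if stored.
function spfx_delegatable_roles() {
    return array( 'editor', 'author' );
}

// Grant the custom capability to administrators (manage_options) and to users whose
// role an administrator explicitly allowed. All entry points test this one capability,
// so the menu, the page and the save handler can never disagree.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
    if ( in_array( 'spfx_manage_settings', $caps, true ) ) {
        $allowed = array_intersect( (array) get_option( SPFX_ROLES_OPTION, array() ), spfx_delegatable_roles() );
        if ( ! empty( $allcaps['manage_options'] ) || array_intersect( $user->roles, $allowed ) ) {
            $allcaps['spfx_manage_settings'] = true;
        }
    }
    return $allcaps;
}, 10, 4 );

add_action( 'admin_menu', function () {
    // This capability only controls menu visibility; the callback re-checks it.
    add_options_page( 'Photo Feed', 'Photo Feed', 'spfx_manage_settings', 'spfx-settings', 'spfx_render_settings_page' );
} );

function spfx_render_settings_page() {
    if ( ! current_user_can( 'spfx_manage_settings' ) ) {
        wp_die( 'Sorry, you are not allowed to access this page.', 403 );
    }
    $settings = (array) get_option( SPFX_SETTINGS_OPTION, array() );
    $allowed  = (array) get_option( SPFX_ROLES_OPTION, array() );
    ?>
    <div class="wrap"><h1>Photo Feed</h1>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'spfx_save' ); // CSRF token checked in spfx_handle_save() ?>
        <input type="hidden" name="action" value="spfx_save">
        <p><label>Instagram account
            <input type="text" name="instagram_account"
                   value="<?php echo esc_attr( $settings['instagram_account'] ?? '' ); ?>"></label></p>
        <?php if ( current_user_can( 'manage_options' ) ) : // delegation UI is shown to admins only ?>
        <p>Allow these roles to manage these settings:</p>
        <?php foreach ( spfx_delegatable_roles() as $role ) : ?>
            <label><input type="checkbox" name="allowed_roles[]" value="<?php echo esc_attr( $role ); ?>"
                <?php checked( in_array( $role, $allowed, true ) ); ?>> <?php echo esc_html( ucfirst( $role ) ); ?></label><br>
        <?php endforeach; endif; ?>
        <?php submit_button( 'Save' ); ?>
    </form></div>
    <?php
}

// POST handler: nonce first, then the same capability the page uses.
add_action( 'admin_post_spfx_save', 'spfx_handle_save' );
function spfx_handle_save() {
    check_admin_referer( 'spfx_save' );
    if ( ! current_user_can( 'spfx_manage_settings' ) ) {
        wp_die( 'Sorry, you are not allowed to change these settings.', 403 );
    }

    update_option( SPFX_SETTINGS_OPTION, array(
        'instagram_account' => sanitize_text_field( wp_unslash( $_POST['instagram_account'] ?? '' ) ),
    ) );

    // Only administrators may change who else gets access. Hiding the checkboxes is not
    // enough: a delegated Editor could still submit allowed_roles[] by hand, so the
    // server-side check is the one that matters.
    if ( current_user_can( 'manage_options' ) ) {
        $roles = array_map( 'sanitize_key', (array) wp_unslash( $_POST['allowed_roles'] ?? array() ) );
        update_option( SPFX_ROLES_OPTION, array_values( array_intersect( $roles, spfx_delegatable_roles() ) ) );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=spfx-settings' ) ) );
    exit;
}
```

To verify the behaviour, log in as an Editor before any delegation and request `options-general.php?page=spfx-settings` directly (the menu entry being absent is not the test); expect a 403 from `wp_die`. Then, as the same Editor, POST `allowed_roles[]=editor` to `admin-post.php` with a valid nonce and confirm the roles option is unchanged.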
Thanks for the detailed response, much appreciated. Giving site admins the flexibility to grant access makes sense in that context. I checked the latest version and saw the new permission setting, great addition! That kind of fine-grained control is definitely a solid middle ground. Thanks again for being responsive and open to feedback. I really appreciate the work that’s gone into making this plugin both flexible and secure. I also prefer this plugin over others because it does the job well and is very lightweight.
Thank you for your kind words, and I truly appreciate you taking the time to submit a review. This is our reward for contributing to the open source community.
If you have any issues or ideas feel free to submit a new thread in this forum.
Cheers! George
The topic ‘Plugin Settings Accessible by Non-Admin Roles – Security Concern’ is closed to new replies.