• Resolved gecko_guy

    (@gecko_guy)


    Hi Anh,

    This plugin looks interesting, although it’s a bit of a concern that the ability to lock admins out simply by ticking a box is possible.

    Would it not be better to disable that column entirely, or have a “whitelist” of some kind, or some kind of emergency access link in case of administrator error?

    The fact is that the Admin role should not ever be blocked from accessing the Admin area, this really goes against Best Practices.

    If you’re going to add that kind of restriction, then it should be possible to block certain Administrators only if they have a second role assigned, although I still don’t think blocking Administrators from the Admin is good practice, unless this situation is only available and applicable in a Network environment where the Super Admin has that power.

    There is a real danger here that if there are multiple Administrators, then one of them could use this power maliciously in case of an internal relationship turning sour, or in case of a breach a hacker could hide things from the site Admins by setting up a custom role.

    • This topic was modified 6 years, 1 month ago by gecko_guy. Reason: added additional detail
Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Anh Tran

    (@rilwis)

    Hi Guy,

    Thanks for stopping by.

    I understand the concern. That’s why on the plugin page there’s a big message warning admins not to block themselves. While I think there are some risks in allowing admins to block themselves, the reasons it is still available are:

    – Sometimes admins want a clean menu, and they deserve to have it.
    – Admins should be able to control EVERYTHING; that’s how the role works.
    – And if they don’t want to have that risk, they can always use a role management plugin (like Members) to create another role, move other plugins to that role, and control the menu.
    – And finally, they have been warned!

    Cheers,
    Anh

    Thread Starter gecko_guy

    (@gecko_guy)

    Hey Anh,

    I can understand the logic when you put it that way, perhaps my concerns are based on a misunderstanding.

    Does this plugin actually alter the role capabilities in the database, or does it simply use PHP to hide things from certain roles while it is active?

    i.e., the “get out of jail free” card is that if you disable this plugin, everything will return to normal?

    If the answer to that question is no, it permanently alters the capability, then my concerns are still very much a real concern.

    Plugin Author Anh Tran

    (@rilwis)

    Hi Guy,

    Does this plugin actually alter the role capabilities in the database, or does it simply use PHP to hide things from certain roles while it is active?

    No. The plugin only does the “hide” job as its name says. If you disable the plugin, yes, everything goes back to normal.

    I strictly follow a best practice for developers, that a plugin should do 1 thing and do it best.
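    The distinction Anh draws above, as an added illustration (not the plugin’s own code): a menu hidden by a PHP hook at runtime disappears again when the plugin is deactivated, whereas a capability removed through the WP_Role API is written to the database and outlives deactivation. Hook names, options and capabilities are core WordPress APIs; the `example_*` functions and the `example_hidden_menus` option are hypothetical.

```php
<?php
/**
 * Added illustration (not the plugin's own code): two ways a WordPress plugin
 * can keep an administrator away from the Plugins screen. Hooks, option names
 * and capabilities are core WordPress; the example_* names are hypothetical.
 */

// 1. Runtime hiding. Nothing is written to the database; the hook only runs
//    while the plugin is active, so deactivating the plugin restores the menu.
add_action( 'admin_menu', 'example_hide_plugins_menu', 999 );
function example_hide_plugins_menu() {
    // Hypothetical option holding the roles that were ticked in the plugin UI.
    $hidden_for = (array) get_option( 'example_hidden_menus', array() );
    $user       = wp_get_current_user();
    foreach ( $user->roles as $role ) {
        if ( in_array( $role, $hidden_for, true ) ) {
            remove_menu_page( 'plugins.php' );
            break;
        }
    }
}

// Hiding is cosmetic: the capability is intact, so /wp-admin/plugins.php still
// loads if the administrator types the URL. A real restriction needs the
// capability itself to change, which is what role-manager plugins do.
function example_user_can_still_manage_plugins() {
    return current_user_can( 'activate_plugins' ); // still true for admins
}

// 2. Persistent change. WP_Role::remove_cap() saves the modified role in the
//    {prefix}user_roles option (wp_user_roles by default), so it survives
//    deactivation and must be reverted explicitly (or in the database).
function example_persistently_block_plugins_screen() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->remove_cap( 'activate_plugins' );
    }
}

// Reverting a persisted change; a plugin that alters capabilities should run
// this on deactivation so administrators are not locked out permanently.
function example_restore_plugins_capability() {
    $role = get_role( 'administrator' );
    if ( $role && ! $role->has_cap( 'activate_plugins' ) ) {
        $role->add_cap( 'activate_plugins' );
    }
}
register_deactivation_hook( __FILE__, 'example_restore_plugins_capability' );
```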

    Thread Starter gecko_guy

    (@gecko_guy)

    Hi Anh,

    Thanks for clarifying this.

    I am, as you know, very familiar with your work and am a strong supporter of your plugins, so I also know that you follow best practice development standards.

    I do think it is important to be very specific about things when you are talking about user roles combined with warnings about “locking” administrators out though.

    As you have just seen, it’s easy for someone to think that the plugin might alter the actual capabilities much like a role manager or membership plugin does, and in which case if an error is made then the only option is to fix it in the database, which could result in a lot of very unhappy less experienced users if they didn’t understand the implications.

    Once again, thanks for making it clear in our conversation, it’s entirely up to you if you think it might be worth mentioning this in the Description and/or Features that the plugin doesn’t actually alter any capabilities and simply uses conditions based on the options selected.

    Cheers!

    Guy

    Plugin Author Anh Tran

    (@rilwis)

    Thanks for your feedback. I’ll update the plugin description to make sure users know that the plugin doesn’t alter the roles/capabilities!

  • The topic ‘Admin column comes with a warning’ is closed to new replies.