• Hi !

    Before the 2.1.0 or 2.1.1 update, Admins could see any post, no matter what group restrictions were set.

    It seems that this is not possible anymore : if a post had group restrictions, and if the admin is not in the group, he can’t see the post from the admin.

    Reading the changelog, I conclude I have to put a GROUPS_ADMINISTRATOR_OVERRIDE to true in a PHP plugin.

    I understand the concept, but IMHO, this is not an expected behavior, as updating the plugin changes the visibility of posts for the admin, and it requires adding custom code in a PHP file (which some people are not able to do on their own). It was quite surprising to see that some posts were missing; I first checked in the database table to see if the posts were still present or if I got hacked (I am not the one who upgraded the plugin in my WordPress install, so maybe I missed an upgrade notice warning).

    Could you bring the old behavior back, or at least, add it as a switch in the plugin setting ? Maybe add the “old behavior” as default ?

    Meanwhile, I rolled back to 2.0.3 for the moment.

    Thanks for listening, and many thanks for your plugin

    Cheers !

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Kento

    (@proaktion)

    Hi

    Many thanks for your feedback on this. This has been changed due to security concerns in some cases where it would have been possible for an administrator to gain additional permissions which were expressly denied using particular settings.

    If you’d like to review the information provided here https://docs.itthinx.com/document/groups/setup/options/ around the administrator override option that can now only be enabled by defining a constant, you will see in more detail why (we give an example based on permissions that can be denied to admins related to editing files). There have been several users who raised well-founded concerns about allowing admins to enable the override on the back-end, thus the decision to only allow to enable it if someone has direct access to the filesystem.

    I hope that helps you, if you want to get the override back, you can do this very easily following the instructions given on the documentation page above. But if you have any further questions, please don’t hesitate to ask.

    Many thanks for using the plugin!

    Cheers

    Thread Starter X-Raym

    (@x-raym)

    OK, I understand better now.

    Well, if setting this old behavior leads to some security concerns, maybe a cleaner solution would be to temporarily set the constant to true, authorize admins for all posts, and set the constant to false.

    Let me know if you have cleaner/faster ways.

    Thanks again! Best

    Plugin Author Kento

    (@proaktion)

    You could do that, or even simpler, you could assign the admin accounts to the groups that are used to restrict content.

    Regarding security, if you don’t have any access restrictions that should also be imposed on admins, then it’s of lesser concern to have the constant defined, but in any case, when you’re done I’d recommend to remove it or set it to false.

    Thread Starter X-Raym

    (@x-raym)

    Good idea.

    I guess all this is especially useful for multisite, where the admin is not at the top of the hierarchy (superadmin is above :P)
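The plugin author's advice above is to remove the GROUPS_ADMINISTRATOR_OVERRIDE constant or set it to false once the temporary work is done. The following is an added example, not part of the original thread or the plugin's own code: a check that walks a WordPress directory and reports every PHP file in which the constant is still defined as enabled. Treating any value other than a PHP falsy literal as "enabled" is an assumption made here to stay on the cautious side, and the sample input is constructed.

```python
import re
import sys
from pathlib import Path

CONSTANT = "GROUPS_ADMINISTRATOR_OVERRIDE"  # constant name as given in the thread

# Strip PHP comments so a commented-out define() is not reported.
# Simplification (assumption): comment markers inside string literals are not handled.
_COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)
_DEFINE = re.compile(
    r"define\s*\(\s*(['\"])" + CONSTANT + r"\1\s*,\s*([^,)]+?)\s*[,)]")
_FALSY = {"false", "0", "null", "''", '""'}

# Constructed sample: an old commented-out "false" line, override still enabled below it.
SAMPLE = (
    "<?php\n"
    "// define( 'GROUPS_ADMINISTRATOR_OVERRIDE', false );\n"
    "define( 'GROUPS_ADMINISTRATOR_OVERRIDE', true );\n"
)


def override_state(php_source):
    """Return 'enabled', 'disabled' or 'absent' for the text of one PHP file."""
    code = _COMMENTS.sub("", php_source)
    match = _DEFINE.search(code)  # PHP keeps the first define() of a constant
    if match is None:
        return "absent"
    return "disabled" if match.group(2).lower() in _FALSY else "enabled"


def scan(root):
    """Map each PHP file under root that defines the constant to its state."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        state = override_state(text)
        if state != "absent":
            findings[str(path.relative_to(root))] = state
    return findings


if __name__ == "__main__":
    # Usage: python check_override.py /path/to/wordpress  (script name is hypothetical)
    results = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, state in results.items():
        print(f"{state:8} {name}")
    # Non-zero exit lets a cron job or CI step flag an override left enabled.
    sys.exit(1 if "enabled" in results.values() else 0)
```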

  • The topic ‘Admin Access to Post Restricted by Groups 2.1’ is closed to new replies.