• Resolved tommcgee

    (@tommcgee)


    Thanks for this plugin, it solves most of a problem we’ve been having.

    But in order to really protect files we need to be sure that only members of the specific blog in our multiuser environment can see them. I’ve modified the code a bit to remove the feature that lets users browse the entire WordPress installation directory, and also added a test for:

    is_user_member_of_blog( $current_user->ID )

    It would be nice if these were at least an option in future versions.

    https://www.ads-software.com/plugins/download-monitor/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter tommcgee

    (@tommcgee)

    This is still a problem with the latest version.

    The problem again is that any user with administrator status on an individual blog can simply activate the plugin and publish as a download any file belonging to any user within the entire blog installation directory.

    It appears to completely bypass WordPress security so that other users’ files that are unpublished, or private, or sensitive, can be made visible to the world. In a university setting like ours, it means we’re turning the keys over to thousands of teenagers.

    I can remove the button, but it’s a nuisance to have to remember that every time. It would be better to just be able to turn it off.
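The two changes tommcgee describes above (a membership test in the first post, and blocking the "publish any file in the installation" path in the second) can be done from a must-use plugin that a single-site admin cannot deactivate. The following is an added example written for this thread, not Download Monitor's own code. It assumes the plugin applies a filter named `dlm_can_download` before serving a file; the second filter name, `dlm_file_path`, is a placeholder for whatever hook your plugin version offers when a file path is attached to a download, so check the plugin source before relying on it.

```php
<?php
/**
 * Added example (not Download Monitor's own code), to be dropped into
 * wp-content/mu-plugins/ so a per-site administrator cannot switch it off.
 *
 * 1) Only members of the current site (or super admins) may download.
 * 2) Any file path outside the current site's own upload directory is
 *    refused, which is the hole that let one site's admin publish files
 *    belonging to every other site.
 *
 * Assumptions: 'dlm_can_download' is the filter the plugin runs before
 * serving a file; 'dlm_file_path' is a hypothetical hook name standing in
 * for the point where an attached file path can be validated.
 */

/**
 * Filter callback: deny the download unless the current user belongs to
 * the site that is serving it.
 */
function dlm_example_require_blog_membership( $can_download, $download, $version ) {
    if ( ! is_multisite() ) {
        return $can_download;
    }

    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return false; // anonymous visitors are never members of the site
    }

    // Super admins are not automatically listed as members of every site.
    if ( is_super_admin( $user_id ) ) {
        return $can_download;
    }

    if ( ! is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
        return false;
    }

    return $can_download;
}
add_filter( 'dlm_can_download', 'dlm_example_require_blog_membership', 10, 3 );

/**
 * True only if $path resolves to a file inside the current site's upload
 * directory (on multisite that is .../uploads/sites/<id>/). realpath()
 * resolves symlinks and '..' segments first, so a plain string-prefix test
 * on the raw path would be bypassable.
 */
function dlm_example_path_in_current_site_uploads( $path ) {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( $path );

    if ( false === $base || false === $real ) {
        return false; // non-existent path, or not a local file at all
    }

    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real, $base, strlen( $base ) );
}

/**
 * Filter callback (hook name is a placeholder): blank out any attached
 * path that points outside this site's uploads so nothing gets published.
 */
function dlm_example_reject_foreign_paths( $path ) {
    if ( ! dlm_example_path_in_current_site_uploads( $path ) ) {
        return '';
    }
    return $path;
}
add_filter( 'dlm_file_path', 'dlm_example_reject_foreign_paths' );
```

Two caveats when adapting this: `realpath()` returns false for remote URLs, so if your site legitimately serves remote downloads, whitelist those separately rather than through the path check; and the membership filter alone does not stop a site admin from attaching a foreign file, it only stops non-members from fetching it, which is why the path check is needed as well.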

    Plugin Contributor Barry Kooij

    (@barrykooij)

    Thanks for bringing this up. I haven’t got back that far in support threads yet!

    I agree that this check should be enhanced for multisite websites, I’ll add this as an issue on GitHub.

    Plugin Contributor Barry Kooij

    (@barrykooij)

    I’ve implemented this in 1.6.1 which I just released.

  • The topic ‘Check for blog membership?’ is closed to new replies.