LPH badly coded for multiple users
First off, if you’ve only got one user who needs to upload MP3s, or they’re all Administrators who you trust with all your Libsyn login info this shouldn’t affect you.
However, if you’ve got non-Administrators who contribute to your site that need to upload an MP3 then you’ll quickly see massive errors in this plugin’s coding.
First: Each user must input the Client ID and Client Secret in the WordPress back-end. Every other plugin I’ve used that uses Key/Secret settings has the Administrator set these up for everyone, then they set who has access. What Libsyn has done here is incredibly insecure.
But wait, there’s another problem: The permission checks in LPH for showing the Admin Menu (so you can get at the LPH settings and put those in) check for ‘administrator’ status, so a non-administrator simply cannot enter this REQUIRED information.
So what does a clever webmaster do? They edit the plugin and change the permissions check from ‘administrator’ to ‘upload_files’ (as it should be) and then hand over the ID/Secret to the contributor.
BUT WAIT THERE’S MORE
So the Contributor enters in the ID/Secret and then LPH redirects them to log into Libsyn for no reason whatsoever.
What’s the point of these API keys if you need to log in to Libsyn itself to get this to work?
Do we actually need to give a Contributor full login access to Libsyn to just upload an MP3 via WordPress?
What is going on here? This isn’t just annoying, it’s also incredibly insecure to demand all this broad sharing of credentials.
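What the centrally managed credential model the post asks for looks like in a WordPress plugin, as an added illustration that is not part of the original post or of the LPH plugin; the option/action/nonce names, the auth header and the API URL are assumptions and placeholders:

```php
<?php
// Added example, not code from the Libsyn Publisher Hub plugin: the model the
// post asks for. An Administrator stores the Client ID/Secret once as site-wide
// options (gated on manage_options); any user with upload_files can trigger an
// upload without ever seeing the secret. Names, auth scheme and URL are assumed.

add_action( 'admin_menu', function () {
    add_options_page( 'Libsyn API', 'Libsyn API', 'manage_options',
        'example-libsyn-api', 'example_libsyn_settings_page' );
} );

function example_libsyn_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to manage Libsyn credentials.' );
    }
    if ( isset( $_POST['client_id'], $_POST['client_secret'] ) ) {
        check_admin_referer( 'example_libsyn_save' ); // CSRF check on the save form
        update_option( 'example_libsyn_client_id', sanitize_text_field( wp_unslash( $_POST['client_id'] ) ) );
        update_option( 'example_libsyn_client_secret', sanitize_text_field( wp_unslash( $_POST['client_secret'] ) ) );
    }
    // Only the ID is echoed back; the stored secret is never written into the page.
    echo '<form method="post">';
    wp_nonce_field( 'example_libsyn_save' );
    echo '<p>Client ID <input name="client_id" value="' . esc_attr( get_option( 'example_libsyn_client_id', '' ) ) . '"></p>';
    echo '<p>Client Secret <input name="client_secret" type="password" autocomplete="new-password"></p>';
    submit_button( 'Save' );
    echo '</form>';
}

// Upload handler, reached via admin-post.php?action=example_libsyn_upload.
add_action( 'admin_post_example_libsyn_upload', function () {
    if ( ! current_user_can( 'upload_files' ) ) { // any role granted upload_files passes; administrator not required
        wp_die( 'You are not allowed to upload episodes.' );
    }
    check_admin_referer( 'example_libsyn_upload' );
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $file          = get_attached_file( $attachment_id );
    if ( ! $file || get_post_mime_type( $attachment_id ) !== 'audio/mpeg' ) {
        wp_die( 'Select an MP3 from the Media Library first.' );
    }
    // Credentials are read here, server-side; the uploading user never handles them.
    $auth     = get_option( 'example_libsyn_client_id' ) . ':' . get_option( 'example_libsyn_client_secret' );
    $response = wp_remote_post( 'https://LIBSYN_API_ENDPOINT_PLACEHOLDER/upload', array(
        'headers' => array( 'Authorization' => 'Basic ' . base64_encode( $auth ) ),
        'body'    => array( 'title' => get_the_title( $attachment_id ), 'file' => basename( $file ) ),
        'timeout' => 30,
    ) );
    wp_safe_redirect( add_query_arg( 'libsyn', is_wp_error( $response ) ? 'error' : 'sent', admin_url( 'upload.php' ) ) );
    exit;
} );
```

Note that in a default WordPress install Contributors do not have `upload_files` (Authors and above do), so a Contributor would still need that capability granted before the upload handler lets them through.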