• Resolved yalet

    (@yalet)


    The first time a user logged in to a network-activated instance of this plugin requests a page, they are added as a Subscriber to all blogs on the multisite. They would also be added as a Subscriber if they visited a blog they did not have access to the first time they went there. This is a bug; roles should never be automatically added to users on blogs. It makes non-public blogs open to anyone who logs into the multisite, without regard to the original access list of the blog.

    https://www.ads-software.com/plugins/wp-cassify/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi,

    It’s not a bug. If a user is successfully authenticated, at least the subscriber role is pushed. This is the same behavior when the plugin is enabled site by site. You can use the Authorization Rule Editor with order Deny/Allow to filter access.

    Best regards.

    Thread Starter yalet

    (@yalet)

    Yes, and this “feature” is actively bad; core WordPress does not behave this way. You can be logged into a multisite instance and visit a blog without having a role on the site. Also, for the non-public blog case mentioned, this is a security risk. Any user who can log into the multisite instance will be able to see the non-public blog. In core WordPress, you need at least the Subscriber role to do this.

    Yes, but here you must consider that we are not in classic WordPress usage.

    For example, with CAS authentication with automatic user creation, when a user is authenticated from a trusted external source, the user must have minimum rights to use the blog (this behavior is like CAS Maestro or other WordPress CAS plugins).

    And when a CAS v2 server is used, no CAS user attribute can be used to discriminate users and map the subscriber role or another role. So there is no point in using this plugin if the user does not have minimal capabilities to use the blog.

    If you have private blogs (even if the user is CAS authenticated) and public blogs, you can enable WP Cassify blog by blog (no network activation) and only on public blogs. So private blogs can’t be accessed.

    In the end, if you’re not satisfied, you can easily bypass this behavior and modify parts of the plugin code.

    I think I’m missing something here. I wouldn’t expect an authorization plugin to make decisions about who gains access to what site in a multisite instance. If I network-activate this plugin I’m doing so because I want every site to use my institution’s CAS instance, not because I want every user at my institution to have access, however limited, to every single site in that multisite instance. This sounds like a massive security hole and completely unexpected behavior.

    A user should have a role in the main site, and any other sites to which they are explicitly granted access. I don’t think a user would expect to suddenly have access in every site in that instance, and I can see it leading to mass confusion, even panic, in some cases.

    It should be possible to turn it on or off at the network level. At the very least this should be filterable so that one doesn’t have to hack the plugin to disable this functionality. Have you tested this behavior at all in large environments? My institution has several 1,000+ site installations; I have to wonder what would happen when several students logged in at once (and they got access to all the class blogs which they weren’t members of, leading to angry phone calls from instructors). I’d say this use case is a deal-breaker for higher education.

    Hi yalet and Charles,

    I use user feedback to develop my plugin because I can’t test all use cases and have an opinion on each.

    So, I took the feedback into account, commented out the code which generates the security hole, and created a new filter to interact with the plugin properly:

    wp_cassify_grab_service_ticket_roles_to_push (line 438 in wp_cassify_plugin.php).

    // Override list roles to push to user connected via CAS.
    function custom_action_wp_cassify_grab_service_ticket_roles_to_push( $roles_to_push ) {
    
        array_push( $roles_to_push, 'subscriber' );
    
        return $roles_to_push;
    }
    
    add_filter( 'wp_cassify_grab_service_ticket_roles_to_push', 'custom_action_wp_cassify_grab_service_ticket_roles_to_push', 1, 1 );

    But you have forgotten one thing. If WP Cassify is network activated, I must add an additional parameter in User Roles Rules Settings: the blog ID.

    WordPress Role|Rule|Blog ID

    What do you think about that ?

    I want to keep my plugin accessible for advanced users (with filters and hooks) but also for beginners with the User Roles Rules Settings.

    Best regards.
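The snippet in the reply above re-adds the subscriber role everywhere, which is the behavior yalet objected to. The following is an added example, not code from the thread or from WP Cassify itself: a must-use plugin that uses the same filter to push the subscriber role only on an explicit allow-list of blog IDs and nothing elsewhere. It assumes only what the reply states (the filter name and its single argument, an array of role slugs); the option name `example_cas_open_blog_ids`, the fallback blog IDs, and the assumption that returning an empty array causes the plugin to push no role are hypothetical and should be checked against the plugin source before relying on them.

```php
<?php
/**
 * Plugin Name: Restrict WP Cassify role push (added example, not part of WP Cassify)
 *
 * Drop into wp-content/mu-plugins/ on a network-activated install.
 * Assumption: WP Cassify applies the filter 'wp_cassify_grab_service_ticket_roles_to_push'
 * with one argument (array of role slugs) and pushes no role when it gets an empty array.
 */

/**
 * Blog IDs where CAS-authenticated users may be auto-added as subscribers.
 * Network admins set the hypothetical site option 'example_cas_open_blog_ids';
 * the fallback list here is made up for the example.
 */
function example_cas_open_blog_ids() {
    $ids = get_site_option( 'example_cas_open_blog_ids', array( 1 ) );
    return array_map( 'intval', (array) $ids );
}

/**
 * Filter callback: decide which roles WP Cassify pushes for the current blog.
 *
 * @param array $roles_to_push Role slugs the plugin intends to assign.
 * @return array Role slugs actually assigned on this blog.
 */
function example_restrict_cassify_roles( $roles_to_push ) {
    $blog_id = get_current_blog_id();

    // Allow-listed blogs keep the plugin's original default of pushing 'subscriber'.
    if ( in_array( $blog_id, example_cas_open_blog_ids(), true ) ) {
        return array_values( array_unique( array_merge( (array) $roles_to_push, array( 'subscriber' ) ) ) );
    }

    // Every other blog: push nothing, so membership stays with whoever the blog
    // admin explicitly added (assumption: empty array means no role is added).
    return array();
}
add_filter( 'wp_cassify_grab_service_ticket_roles_to_push', 'example_restrict_cassify_roles', 10, 1 );
```

The callback runs with the default priority so that a later filter can still narrow the list; if the plugin's own code attaches at priority 1 (as in the reply above), this callback sees its result and overrides it on non-allow-listed blogs. Whether a user who already holds a role on a blog keeps it is determined by WP Cassify, not by this filter, which only controls what is pushed.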

    Thread Starter yalet

    (@yalet)

    In an ideal world, if the plugin was network activated, blog admins would have a limited configuration screen for role mapping, and the network admin would have the global allow/deny authorization settings.

    I’ve added a scope parameter (blog ID or ALL) in 1.9.1. In the next version, if network activated, I would delegate the role mapping option to blog admins.

    Best regards.

  • The topic ‘Multisite users added as subscribers to all blogs with network activation’ is closed to new replies.