Possible Bug and/or Security Issue?
-
I would maybe not consider this a bug, but perhaps a condition that your plugin doesn’t account for. Probably an important condition to look for!
Under your Role Mappings console, if a user role in the remote database is not mapped in your Role Mappings console, then your plugin will automatically overwrite roles in the WordPress tables and modify the user as an “administrator” when they log in to WordPress!!!!
Probably not a good scenario to unlock Admin rights to a user.Here is our specific scenario where this occurred. Our role column in our remote database had a user with the role of: “mock_testuser”. I did not map “mock_testuser” in your Role Mapping console and it automatically changed the WordPress user to an “administrator” in the wp_capabilities meta_key. It also granted 10 in the wp_user_level meta_key. This occurred after we logged in using the WordPress Login page.
I would think your Role Mapping should default to the lowest level as “subscriber” if a role is undefined or not mapped in your Role Mapping console.
Arguably, this is an error on this end because I didn’t define the role. But this could be a significant security issue if someone forgets, or miss-names a role in the remote database that is not defined in your mapping scheme. Probably an easy fix with in_array method in PHP. Or, however you check roles in your code. I did not go rooting around in your code to find out.
As further information, we are using a Webhooks plugin that has the capability of creating and modifying users. I doubt that is an issue and I created a user with their Webhook and it correctly created a user with a “subscriber” role when I did not define any role to map using their plugin. There were two roles mapped in your console. They were:
“admin” mapped to -> Administrator
“vendor” mapped to -> VendorIt appears your code maybe grabbed the first condition and made that the default value for wp_capabilities.
This will be an easy scenario for you to recreate and test. If it turns out that you do not get the same results I’ve described, I will be happy to let you know what Plugin we are using for the Webhooks and any further details that may be useful to you.
Thanks again for a very good plugin.
Cheers.
-
Thank you for your response. Silly me. I am a pretty thorough fella, but I overlooked this setting. Indeed, I did not have it set correctly.
In that vein, it is easy to overlook some form fields in general. The Role field is rather important. It might be good to have a javascript “validation” flag on this select element with an empty option value as the first option element and disabled by default until the user selects something. Force the user to notice this setting basically before the form can be submitted to the database.
<option selected="" disabled="">IMPORTANT. Please Select A Default Role</option>Or, something like above. I don’t know how the select is sorted by default in the code, but I do believe “Administrator” was selected by default in my scenario. If a user misses configuring this select element, it could open the door to many people have Administrator rights if it’s a busy website.
Thank you again for replying back.
- The topic ‘Possible Bug and/or Security Issue?’ is closed to new replies.
