• ShawnLunny

    (@shawnlunny)


    v 1.1 using WordPress multisite.

    I call this a security issue because it's not apparent and I stumbled upon it by accident. Also, it is not explicitly an issue with your plugin, but I think you can enhance warnings at a minimum.

    If you change the role of a user in any site but on the network users list the person has super admin role (checkbox in the edit user settings), then this setting overrides any role you may set for the user.

    For example:

    user123 on network->users->super user (checked)
    user123 on site1.com | users->set role to…->author

    From an admin perspective I am thinking that the user will have author privileges, i.e. a limited tool set and no access to plugin settings, etc., because of what I see listed as their role, but in reality no matter what I set here user123 is actually still super admin! The information presented says author!

    Suggestions:

    1.) Can you edit your plugin to throw a red warning message when changing the role at a site level if super admin is set for them (and maybe where the setting can be changed: network->edit user to make the account not super admin?).

    2.) The other more favorable option is to not allow their site role to be changed if they are super admin AND throw the red error as to why you wouldn’t allow the user to be changed to another role such as author. In this way the role is not defined in a misleading way.

    Thanks in advance!

    https://www.ads-software.com/plugins/multisite-user-management/

Viewing 1 replies (of 1 total)
  • Why would you give a user Super User (i.e. Network Admin) permissions and then try to limit their access on one of the sub-sites?
    (However, I agree red flashing blinking text can save some people from accidentally ever choosing Super User.)
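
An added example, not part of the original thread and not code from the Multisite User Management plugin: one way to surface the warning suggested in the first post, by marking Super Admins in each site's Users list and on the edit-user screen. The function name `sa_override_notice` and the column key `sa_override` are hypothetical; the WordPress hooks and functions used are core ones.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, not the plugin's own code):
 * flag network Super Admins wherever a per-site role is shown or edited.
 */

// Site Users list: add a column that says whether the site role is effective.
add_filter( 'manage_users_columns', function ( $columns ) {
    if ( is_multisite() ) {
        $columns['sa_override'] = 'Effective access'; // hypothetical column key
    }
    return $columns;
} );

add_filter( 'manage_users_custom_column', function ( $output, $column_name, $user_id ) {
    if ( 'sa_override' !== $column_name ) {
        return $output; // leave other plugins' columns untouched
    }
    return is_super_admin( $user_id )
        ? '<strong style="color:#b32d2e">Super Admin (site role ignored)</strong>'
        : 'Site role applies';
}, 10, 3 );

// Edit-user screen: warn before someone sets a role that will have no effect.
function sa_override_notice( $profile_user ) {
    // Outside multisite, is_super_admin() means something else, so skip.
    if ( ! is_multisite() || ! is_super_admin( $profile_user->ID ) ) {
        return;
    }
    printf(
        '<div class="notice notice-error inline"><p>%s</p></div>',
        esc_html( sprintf(
            '%s is a network Super Admin. The role selected for this site does not restrict this account; remove Super Admin under Network Admin > Users first.',
            $profile_user->user_login
        ) )
    );
}
add_action( 'edit_user_profile', 'sa_override_notice' ); // editing another user
add_action( 'show_user_profile', 'sa_override_notice' ); // editing your own profile
```

For a one-off audit rather than a UI warning, `get_super_admins()` returns the logins to compare against each site's role assignments.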

  • The topic ‘Possible Security Issue (based on select settings)’ is closed to new replies.