• Hi!

    AutoCHMOD is a great plugin, but any registered user can unlock write permissions, not just the administrator.

    1. It shows “Folders protected” to everybody in the dashboard, not admin only.

    This:

        if ( is_admin() )
            add_action( 'admin_bar_menu', array( $this, 'admin_bar_menu' ), 10000 );

    The is_admin() check returns true whenever the user is in the dashboard, even if they are not an admin!

    Fix:

    Replace it with:

        add_action( 'admin_init', array( &$this, 'admin_init' ) );

    and add this function:

        function admin_init() {
            if ( current_user_can( 'manage_options' ) ) {
                add_action( 'admin_bar_menu', array( $this, 'admin_bar_menu' ), 10000 );
            }
        }

    2. Even without access to the dashboard, any user can get write permissions! He can just open the /wp-admin/index.php?chmod=togli link.

    Fix:

        public function init() {
            if ( is_admin() and isset( $_GET[ 'chmod' ] ) ) {
                if ( ! current_user_can( 'manage_options' ) ) die( "Access denied" );
                // ... the plugin's existing chmod handling continues here ...
            }
        }
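
The two fixes from the post combined in one place, as an added example that is not part of the original post and is not AutoCHMOD's own code. It goes one step beyond the post by also tying the toggle link to a WordPress nonce, so the state change is accepted only from the link the toolbar itself generated. The class name, nonce action and node id are hypothetical; `chmod`, `togli` and `manage_options` come from the post.

```php
<?php
// Added example. Example_Chmod_Guard, NONCE_ACTION and 'example-chmod' are
// hypothetical names; the 'chmod=togli' parameter is the one quoted in the post.
class Example_Chmod_Guard {
    const NONCE_ACTION = 'example_chmod_toggle';

    public function __construct() {
        add_action( 'init', array( $this, 'init' ) );
        add_action( 'admin_init', array( $this, 'admin_init' ) );
    }

    // Register the toolbar item only for users who may manage options.
    public function admin_init() {
        if ( current_user_can( 'manage_options' ) ) {
            add_action( 'admin_bar_menu', array( $this, 'admin_bar_menu' ), 10000 );
        }
    }

    // The toggle link carries a nonce bound to the current user and action.
    public function admin_bar_menu( $wp_admin_bar ) {
        $url = wp_nonce_url( admin_url( 'index.php?chmod=togli' ), self::NONCE_ACTION );
        $wp_admin_bar->add_node( array(
            'id'    => 'example-chmod',
            'title' => 'Folders protected',
            'href'  => $url,
        ) );
    }

    public function init() {
        if ( ! is_admin() || ! isset( $_GET['chmod'] ) ) {
            return;
        }
        // is_admin() only says the request targets wp-admin, so check the capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Access denied', 'Forbidden', array( 'response' => 403 ) );
        }
        // Reject requests that did not arrive through the nonce-bearing link.
        check_admin_referer( self::NONCE_ACTION );

        // The plugin's existing permission change would run here.

        wp_safe_redirect( admin_url() );
        exit;
    }
}
new Example_Chmod_Guard();
```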