tommcgee

Aha, here’s a pure test. I have only one update on my updates page, MaxGalleria version 3.1.0 -> 3.1.1. Here we go…

I have a gallery open already in a separate tab, and I’m clicking the Update Now link. The plugin has been installed and reactivated correctly.

Back to my open gallery tab — refresh — everything works!

Try a different gallery — it works too.

This time at least, problem solved.

——

By the way, checking off the “Align Top Enabled” box breaks the lightbox effect with my particular installation (www.mphda.org). Using the “Make” theme.

There’s a security advisory out about it: https://security.dxw.com/advisories/reflected-xss-in-fourteen-extended-allows-arbitrary-javascript-to-be-run-in-administrator-session/

The new version works, thanks Vladimir.

It would be nice if this were fixed. There have been a couple of updates recently, and each time I had to deactivate-reactivate the plugin, and re-save my permalinks. It’s do-able, but an unnecessary hassle in an otherwise stellar plugin.

By the way, I love the new slideshow style.

This is still a problem with the latest version.

The problem again is that any user with administrator status on an individual blog can simply activate the plugin and publish as a download any file belonging to any user within the entire blog installation directory.

It appears to completely bypass WordPress security so that other users’ files that are unpublished, or private, or sensitive, can be made visible to the world. In a university setting like ours, it means we’re turning the keys over to thousands of teenagers.

I can remove the button, but it’s a nuisance to have to remember that every time. It would be better to just be able to turn it off.

No, I do not have that constant set. I see on your site it’s recommended to do a test run first, but I won’t be able to try anything like that until the first of the year. We’re running this blog at a university, and the individual sites are needed for end-of-semester grading and I can take any risks.

Thanks though, I’ll look at it again after the holiday.

Yes.

The User Role Editor plugin offers a workaround.

After you clone your sites, go into your root blog and pull up the User Role Editor screen. For each role you want to use, select it (wait a second for it to populate the screen), check the “Apply to All Sites” box and click the Update button.

Those roles should now show up in the Edit User screens.

Thanks, Scott, Corey helped out by spotting the (esoteric) problem. Somewhere along the way between exporting the database and re-importing it, some of the serialized data was changed from strings to integers. Once I changed them to the correct format everything worked again.

This is disappointing, I had high hopes for this thing.

Constant Contact at least provides you a way to build a form on their site, and you can link to it. It’s not ideal, you don’t have much control over the look and feel, but for now that’s what I’m going to go with so I can gather users. Once this gets patched I’ll try again.

Turns out the host had a low value set in the php.ini file for precision of integers. I added a line to the wp-config.php :

ini_set("precision", "20");

And problem solved.

Perfect, thanks for the quick fix. And just in time for a new project…

I found several .ppt and .xls files.

Not only that:

In a multi-user environment any author with the basic privilege level can embed any file from anywhere in the file system — even the .htaccess file or your wp-config.php (if you left it at the document root).

They can embed other users’ files; they don’t even have to use the file browser for that, they all appear in the list.

They can replace a file uploaded by another user with an arbitrary file of their own, simple by clicking the red “X” button and selecting a new file.

They can remove or change passwords on others’ files.

It appears that the premium versions let you activate it for individual blogs; but the documentation doesn’t make clear how that works, or if these holes are in fact patched up in that version. Shaon, if I were sure that it works in a safe way I think we’d be willing to purchase it.

But for the time being, it’s far too much of a risk for my taste.

RedRotor, what was the problem? I have the same issue…