Ticket #833 (closed bug: fixed)

Opened 18 months ago

Last modified 18 months ago

Plugin Admin menu is shown to All registered blog users

Reported by: prayhumbly@…
Owned by: omry
Priority: High
Milestone:
Component: WPMU Plugin Commander
Version: 1.5
Severity: Important
Keywords:
Cc:

Description

I noticed that users with only a Contributor security level on WPMU blogs are still able to activate/deactivate plugins. That is very bad.

The fix is easy. Change line 45 from:

if (is_site_admin() || strlen(get_site_option('pc_user_control_list')) > 0)

to

if (is_site_admin() || (strlen(get_site_option('pc_user_control_list')) > 0 && current_user_can('activate_plugins')))

This will check for the activate_plugins capability before showing the admin menu to a user. This is the proper way, instead of just checking if the user is at administrator level.

Great plugin otherwise!

Aaron Edwards http://missionsplace.com
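
The check described in the ticket, as an added example that is not part of the original report and is not Plugin Commander's code: the ticket's condition gates both the menu entry and the request handler, which also verifies a nonce and only toggles listed plugins. The pc_example_* names, the menu slug, the nonce action and the comma-separated format of pc_user_control_list are assumptions.

```php
<?php
// Added example, not Plugin Commander's code. The pc_example_* names, the menu
// slug, the nonce action and the comma-separated list format are assumptions.

// The ticket's condition in one place, so menu and handler cannot drift apart.
function pc_example_user_may_manage() {
    if ( is_site_admin() ) {
        return true;
    }
    $user_control = strlen( (string) get_site_option( 'pc_user_control_list' ) ) > 0;
    return $user_control && current_user_can( 'activate_plugins' );
}

function pc_example_add_menu() {
    if ( pc_example_user_may_manage() ) {
        add_menu_page( 'Plugins (example)', 'Plugins (example)', 'read', 'pc-example', 'pc_example_page' );
    }
}
add_action( 'admin_menu', 'pc_example_add_menu' );

function pc_example_page() {
    // Re-check in the handler too, so access never depends on the menu alone.
    if ( ! pc_example_user_may_manage() ) {
        wp_die( 'You are not allowed to manage plugins on this blog.' );
    }
    // Assumed format: comma-separated plugin files that blog users may toggle.
    $list    = (string) get_site_option( 'pc_user_control_list' );
    $allowed = array_filter( array_map( 'trim', explode( ',', $list ) ) );

    if ( isset( $_POST['pc_example_plugin'] ) ) {
        check_admin_referer( 'pc-example-toggle' ); // nonce check against CSRF
        $plugin = stripslashes( $_POST['pc_example_plugin'] );
        if ( ! in_array( $plugin, $allowed, true ) ) {
            wp_die( 'That plugin is not in the user-controllable list.' );
        }
        // Toggle: deactivate if currently active, otherwise activate.
        is_plugin_active( $plugin ) ? deactivate_plugins( $plugin ) : activate_plugin( $plugin );
    }

    echo '<div class="wrap"><form method="post">';
    wp_nonce_field( 'pc-example-toggle' );
    foreach ( $allowed as $plugin ) {
        $label = is_plugin_active( $plugin ) ? 'Deactivate' : 'Activate';
        printf( '<p><button name="pc_example_plugin" value="%s">%s %s</button></p>', esc_attr( $plugin ), $label, esc_html( $plugin ) );
    }
    echo '</form></div>';
}
```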

Change History

Changed 18 months ago by omry

  • status changed from new to closed
  • resolution set to fixed

Thanks. Fixed in 1.1.4 (in a bit more robust way than you proposed, so you want to upgrade).
