Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add notice, fix some potential security edge-cases #1322

Merged
merged 2 commits into from
Jan 28, 2024
Merged

Conversation

joshreisner
Copy link
Contributor

for #1321

  • define constants (so they can't be altered) for permission levels
  • create shared functions to require correct permissions or die
  • require permission whenever some write action could be taken
  • use closures in a few cases where feasible because they are not available to other plugins / themes
  • remove database upgrade functions since they are no longer needed and could appear to a security researcher like a vulnerability

Copy link
Collaborator

@anchovie91471 anchovie91471 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simple enough

Copy link
Collaborator

@dvcb dvcb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like good changes

Copy link
Collaborator

@kiyote33 kiyote33 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting that security testing with this fix produced exactly the same result as before: "Sorry, you are not allowed to access this page." for all our menu items, except Regions and Districts which had the "You need a higher level of permission. Sorry, you are not allowed to manage terms in this taxonomy." I commented out the "tsml_require_meetings_permission();" code on the import file with no effect. Both the subscriber and admin roles continued to work as expected. It's looking to me like this code is not having an overriding effect. We have the same state on all my tests as before. Hopefully it will suffice to have the critical security issue withdrawn by the PatchStack folks. I think we could drop the TODO comment in admin_import and consider this done. Thanks for your work on this Josh...

@joshreisner joshreisner merged commit 80495c9 into main Jan 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants