• Resolved Lena Stergatou

    (@lenasterg)


    Hi. Thanks for updating this great plugin.
    We use it in a multisite installation. It works great.

    The only thing that we think poses a security issue on a multisite installation is that on the Settings page /wp-admin/admin.php?page=ics-calendar the ‘System Report’ section is also available to the sub-site admins, and it contains information about PHP etc. from the multisite installation.
    A solution for showing this info only to super admins on multisite installations and to admins on normal WordPress installations is to add an if statement at line 95 of the /ics-calendar/templates/admin/utilities.php file.

    So the code from line 95 would be:

    <?php
    // Show the System Report only to Super Admins. On a single-site install
    // is_super_admin() is true for any user with the delete_users capability,
    // i.e. Administrators, so the one check covers both kinds of installation.
    if (is_super_admin()) { ?>
    <hr />
    	
    <div id="system-report">
    
    	<h3><?php _e('System Report', 'r34ics'); ?></h3>
    
    	<p><mark class="info"><?php _e('Please copy the following text and include it in your message when emailing support.', 'r34ics'); ?><br />
    	<?php printf(__('Also please include the %1$s shortcode exactly as you have it entered on the affected page.', 'r34ics'), 'ICS Calendar'); ?></mark></p>
    	
    	<textarea class="diagnostics-window" readonly="readonly" style="cursor: copy;" onclick="this.select(); document.execCommand('copy');"><?php r34ics_system_report(); ?></textarea>
    
    </div>
    <?php } // end if (is_super_admin()) ?>


    Thanks in advance.

    Lena

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author room34

    (@room34)

    This is a good idea, however the purpose of the System Report is for helping us to diagnose problems on support requests, so the System Report needs to be available to anyone who may be submitting a support request. The security issue you cite is probably relevant to non-multisite installations as well, but I can’t unilaterally limit access to it to admins/super admins, because I do need to be able to get the info from whoever may be submitting a support request.

    A couple of possible considerations:

    1. Add an option, accessible only to admins (super admins on multisite), letting them decide which roles can see the System Report.
    2. Modify the system report to exclude potentially sensitive information, unless the user is admin/super admin. (Or, possibly re-evaluate whether I need that data to provide support.)

    The idea of the System Report was patterned after some of the major plugins like WooCommerce. I’ll evaluate how WooCommerce handles access to its System Report and see what adjustments might be prudent based on that model.
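    The two options the author lists above, worked through as an added example that is not code from the ICS Calendar plugin or from either poster. It assumes it is loaded inside WordPress (is_multisite, is_super_admin, current_user_can, apply_filters, esc_html_e and esc_textarea are core functions); every r34ics_example_* name, both filter names and the "Label: value" report layout used for the redaction pass are assumptions made for the example.

```php
<?php
/**
 * Added example for this thread, not ICS Calendar's own code.
 * Assumes WordPress is loaded. All r34ics_example_* names, the two
 * filter names and the "Label: value" report format are hypothetical.
 */

/**
 * Who may see the full System Report: Administrators on a single site,
 * Super Admins on multisite. Sub-site Administrators also hold
 * manage_options, so on multisite that capability alone is not enough.
 */
function r34ics_example_user_can_view_system_report() {
	if ( is_multisite() ) {
		$allowed = is_super_admin();
	} else {
		$allowed = current_user_can( 'manage_options' );
	}
	// Option 1 from the reply above: a hook an admin can use to widen or
	// narrow access, e.g. to a dedicated support role. Hypothetical name.
	return (bool) apply_filters( 'r34ics_example_can_view_system_report', $allowed );
}

/**
 * Option 2 from the reply above: a reduced report for everyone else.
 * $report is plain text, one "Label: value" per line (constructed format;
 * the plugin's real layout may differ). Sensitive labels are replaced rather
 * than dropped so support can still see which fields exist.
 */
function r34ics_example_redact_system_report( $report, $full_access ) {
	if ( $full_access ) {
		return $report;
	}
	// Denylist chosen for the example; adjust to whatever the report emits.
	$sensitive = array(
		'php version', 'server software', 'abspath', 'database',
		'mysql version', 'site url', 'home url',
	);
	$out = array();
	foreach ( preg_split( '/\r?\n/', $report ) as $line ) {
		$parts = explode( ':', $line, 2 );
		$label = strtolower( trim( $parts[0] ) );
		if ( count( $parts ) === 2 && in_array( $label, $sensitive, true ) ) {
			$out[] = trim( $parts[0] ) . ': [redacted]';
		} else {
			$out[] = $line;
		}
	}
	return implode( "\n", $out );
}

/**
 * Template gate to replace the unconditional block at line 95 of
 * templates/admin/utilities.php. The decision is made server side, so a
 * sub-site admin never receives the markup at all; hiding the section with
 * CSS or JavaScript would still leave it in the page source.
 *
 * $report is the report text (see the usage note for obtaining it).
 */
function r34ics_example_render_system_report( $report ) {
	$full = r34ics_example_user_can_view_system_report();
	// Default matches 10.10.0: non-admins get nothing. A site can opt in
	// to the redacted variant through this hypothetical filter.
	if ( ! $full && ! apply_filters( 'r34ics_example_show_reduced_report', false ) ) {
		return;
	}
	$text = r34ics_example_redact_system_report( $report, $full );
	?>
	<hr />
	<div id="system-report">
		<h3><?php esc_html_e( 'System Report', 'r34ics' ); ?></h3>
		<textarea class="diagnostics-window" readonly="readonly"><?php echo esc_textarea( $text ); ?></textarea>
	</div>
	<?php
}
```

    In the template on this page r34ics_system_report() is called inside the textarea, which suggests it echoes rather than returns; if so, capture it with ob_start(); r34ics_system_report(); $report = ob_get_clean(); before calling r34ics_example_render_system_report( $report ). The check has to live in the template (or in the code that builds the report) because the Settings page itself is reachable by sub-site admins, as the original post describes, so a menu-level capability does not stop them.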

    Plugin Author room34

    (@room34)

    Update: OK, I see that that entire area of WooCommerce is only accessible to Administrator-level users. I’ll work on adding tighter restrictions on access in the next update.

    • This reply was modified 1 year, 8 months ago by room34.
    Plugin Author room34

    (@room34)

    As of version 10.10.0 only site admins (super admins on multisite) can access the System Report.

    Thread Starter Lena Stergatou

    (@lenasterg)

    Thank you so much for implementing this.

  • The topic ‘Multisite – Show ‘System Report’ only to super admins’ is closed to new replies.