Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter arniarni

    (@arniarni)

    Hi everybody!
    In the Library (Change mediafile page), the meta-box “Access” with checkboxes and a list of groups is present, and users can change access.
    On the post edit page I removed this meta-box by using this code:
    remove_meta_box( 'uma_post_access', 'post', 'side' );
    but I cannot remove it from the library!
    How could I solve this problem?

    Are you sure this really is a security problem?

    The meta-box is always visible (this is a feature). But the subscriber, with the role ‘subscriber’, can only modify access to the library item (or any other post, page, category) for groups he is a member of (i.e. the user-group this role is affiliated with).
    So if your subscriber role is affiliated with all groups, then the subscriber has the liberty to check or uncheck the boxes for all groups. If the user has a role, and that role is affiliated with a group, the user is in that group. When a user is in a group, the user can add or remove groups from library items, posts or pages (custom post-types, custom taxonomies etc.). The user needs to have access to it (with write permission through the group, or by being the owner) to do this!

    Could you verify whether the groups you have defined are affiliated with the role ‘subscriber’? If this is the case, you might want to remove that affiliation.

  • The topic ‘Security problem: Subscribers can change access to media files’ is closed to new replies.