• Resolved jenskettler

    (@jenskettler)


    Hi.
    I just installed the Awesome Support plugin and it works fine, except this security problem:
    all users can enter /wp-admin in the URL field and then have access to a lot of (not all) data on my site. Media files are available, and also data from some other plugin.
    How can I restrict/deny access to content other than what is on the public website and the Awesome Support plugin data?
    Cheers
    Jens

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author awesomesupport

    (@awesomesupport)

    Hi:

    What data is available that is not available to the public? If you disable Awesome Support, are the URLs you’re concerned about still available?

    Thanks.

    Thread Starter jenskettler

    (@jenskettler)

    Hi,
    thank you for the quick response:
    1. any user that enters /wp-admin sees all media: I think this must not be available. Media can contain files that are not published on the website.
    2. they see data from other plugins, such as posts and can re-order them, entries in a knowledge base, and some other elements.
    They can even update data.
    You can see a screenshot here: https://www.dropbox.com/s/5juun9x4g0iz3jw/Bildschirmfoto%202017-04-06%20um%2020.31.11.png?dl=0
    It could be the data they see is from other plugins(?) – re-order and knowledge base. Maybe I just don’t understand the WordPress security model well enough.
    Best regards
    Jens

    Plugin Author awesomesupport

    (@awesomesupport)

    Hi:

    I don’t think that has anything to do with Awesome Support. Can you disable Awesome Support and see what happens to access to those items?

    Thanks.

    Thread Starter jenskettler

    (@jenskettler)

    I think you are right. It seems the other plugins have a security issue; the data can be viewed when I disable the Awesome Support plugin.

    Great, so I know now where to look, thanks a lot!

    One little issue:
    when users create tickets, they see a list of supported file types for upload,
    I don’t think the list is supposed to look like this:
    https://www.dropbox.com/s/o80xkamru23klsr/Bildschirmfoto%202017-04-06%20um%2020.39.19.png?dl=0
    I use a Mac and have tested with Chrome and Safari, both look the same.
    Can I get rid of the list?

    Jens

    Plugin Author awesomesupport

    (@awesomesupport)

    No, it’s not supposed to look like that. I suspect a theme or plugin is throwing some CSS or JavaScript on the page that is conflicting.

    If you’re new to WordPress, one of the biggest issues you’ll find is these kinds of conflicts. You’ll have to choose your mix of plugins carefully and your theme even more carefully. The smaller the number of plugins you choose, the better off you will be, since the potential conflicts are then minimized.

    I hope this helps.

    Thread Starter jenskettler

    (@jenskettler)

    Thank you for the explanation.
    OK, it is not a plugin (I deactivated all and checked), and I cannot (or don’t want to) change my theme. I am using Support Desk (https://themeforest.net/item/support-desk-a-responsive-helpdesk-theme/4321280). Any way I can suppress the list, or do you say it is caused by the theme?

    Plugin Author awesomesupport

    (@awesomesupport)

    You can probably suppress the list with some CSS. It looks like we use an id there named wpas_files_wrapper and a class following that to list out the file types called wpas-help-block. So something along the lines of

    #wpas_files_wrapper .wpas-help-block {
        display: none;
    }

    might work. I suspect you’ll have to play with the CSS around that area to hide it – if your theme is interfering with it already it might not be the most straightforward thing to do to hide it.

    Thread Starter jenskettler

    (@jenskettler)

    I will work with that and test it. Seems to work but I need to have a closer look.

    Thanks a lot for your help, I really appreciate it!
    Great support!!!

    All the best
    Jens

    Plugin Author awesomesupport

    (@awesomesupport)

    Thanks and good luck with your project!

  • The topic ‘Users have access to media, other data’ is closed to new replies.