Plugin Author
axew3
(@axewww)
Hello! In short, the answer is NO.
I could be wrong, but I strongly suspect that this plugin grants WordPress users access to plugins it shouldn't.
This scenario is impossible: this integration plugin manages login and logout, and so the respective cookies, not users' permissions, which furthermore are kept completely separate in the two CMSs, except when:
adding users into WP because they have been registered in phpBB: it adds users as Subscribers in WP if they are normal users in phpBB, as Administrator if they belong to the Administrators group in phpBB, and as Editor if they are moderators in phpBB. There is no way to change this, except manually (or via another plugin's bug, I suspect instead).
This plugin's home at axew3.com receives several kinds of attacks more or less every day: I'm sure that if something about this were true, axew3.com would have been hacked.
But it has never happened until today.
Ok, could you think of something else that would mess around with the user roles and permissions? The only thing that is different from my two sites is the phpBB plugin.
I tried to solve the problem all day but can't do it. I even went into the database and in wp_options I deleted all data in wp_user_roles and replaced it with the data from my working site. At first it seemed to work but after a while it was back to the same, so it's resetting itself.
It’s crazy, normal users (subscribers) can just register and edit data in some of my plugins!
Plugin Author
axew3
(@axewww)
The behavior you report seems very strange. About this plugin, I'm quite sure that it can't conflict with any other regarding user roles in WP, and certainly not with WP itself.
It is a stupid question maybe, but what value have you set in:
Wp admin -> Settings -> General -> New User Default Role
???
New user default role is Subscriber. On 2 of my sites where I once had your plugin installed I now have the same problem with subscribers having access to a certain plugin. I can't say for sure it's because of your plugin but it's what they have in common. My other WordPress site is fine.
Again, when I replace the data in wp_user_roles in the database with the data from my working site it all looks good…until I refresh, then the user gets access again as if it resets itself.
Plugin Author
axew3
(@axewww)
I think the cause of subscribers being able to access some plugin configurations should maybe first be looked for in some bug inside the plugin that displays them (and should not). Plugins each work standalone regarding how they display in the menu, available or not based on their own code. If a subscriber can access a plugin that they should not, and you see this user really is a subscriber, you should first check this plugin well.
This integration plugin does not add anything that isn't added by native WP code when adding a phpBB user into WP, for example, and as said, it does not change, in any situation, users' roles, because the roles of users are kept completely separate and never updated/changed once the user is added/registered.
Ok I see. I just don't know how to solve this problem at all. I just checked on another site and it was sort of the same there. As a regular user I had access to Yoast plugin and a couple of other plugins, even if I couldn't make any changes. Just doesn't look professional.
Maybe I just have to restrict access to the admin panel altogether.
Plugin Author
axew3
(@axewww)
Have you informed them with a post in the Yoast plugin's forum?
It should not be so complex to resolve, and of course it does not look professional, but maybe (maybe not) it also exposes your site to some kind of security bug/attack.
I have solved this temporarily by deactivating access for users to dashboard and toolbar. Instead I installed a profile plugin. Seems to work better that way.
Thank you for your patience and a great plugin.
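The role check discussed in this thread, as an added example that is not part of the original posts or of the plugin's code: it compares a snapshot of the `wp_user_roles` option against WordPress core's default Subscriber capabilities and against an earlier snapshot, to show which capabilities reappear after a reset. The function names, the sample arrays and the `example_plugin_manage` capability are hypothetical and constructed for illustration.

```php
<?php
// Input has the shape of the unserialized wp_user_roles option:
//   [ role_slug => [ 'name' => string, 'capabilities' => [ cap => bool ] ] ]

// WordPress core's default Subscriber capabilities.
const SUBSCRIBER_BASELINE = ['read', 'level_0'];

// Capabilities granted (value true) to $role that are not in $baseline.
function extra_capabilities(array $roles, string $role, array $baseline): array
{
    $caps = $roles[$role]['capabilities'] ?? null;
    if (!is_array($caps)) {
        return []; // role missing or malformed in this snapshot
    }
    $granted = array_keys(array_filter($caps)); // drop caps set to false
    $extra = array_values(array_diff($granted, $baseline));
    sort($extra);
    return $extra;
}

// Capabilities each role gained between two snapshots of the option.
function gained_capabilities(array $before, array $after): array
{
    $report = [];
    foreach (array_keys($after) as $role) {
        $old = array_keys(array_filter($before[$role]['capabilities'] ?? []));
        $gained = extra_capabilities($after, $role, $old);
        if ($gained) {
            $report[$role] = $gained;
        }
    }
    return $report;
}

// Constructed snapshots: the option as restored, then as found after a refresh.
$restored = [
    'subscriber' => ['name' => 'Subscriber',
                     'capabilities' => ['read' => true, 'level_0' => true]],
];
$after_refresh = $restored;
$after_refresh['subscriber']['capabilities']['example_plugin_manage'] = true; // hypothetical cap
$after_refresh['subscriber']['capabilities']['edit_posts'] = false; // denied, not flagged

print_r(extra_capabilities($after_refresh, 'subscriber', SUBSCRIBER_BASELINE));
print_r(gained_capabilities($restored, $after_refresh));

// Inside WordPress (for example with WP-CLI's `wp eval-file`), pass
// get_option('wp_user_roles') instead of the samples; the option name is
// the table prefix followed by "user_roles".
```

A capability that keeps reappearing in the second report after the option is restored is being written back by code that runs on page load, so its name is the string to search for in the installed plugins.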