Title: LPH badly coded for multiple users Last modified: March 6, 2020 --- # LPH badly coded for multiple users * [Puck](https://wordpress.org/support/users/puck/) * (@puck) * [6 years, 3 months ago](https://wordpress.org/support/topic/lph-badly-coded-for-multiple-users/) * First off, if you’ve only got one user who needs to upload MP3s, or they’re all Administrators who you trust with all your Libsyn login info this shouldn’t affect you. * However, if you’ve got non-Administrators who contribute to your site that need to upload an MP3 then you’ll quickly see massive errors in this plugin’s coding. * First: Each user must input the Client ID and Client Secret in the WordPress back-end. Every other plugin I’ve used that uses Key/Secret settings has the Administrator set these up for everyone, then they set who has access. What Libsyn has done here is incredibly insecure. * But wait, there’s another problem: The permissions checks in LPH for showing the Admin Menu so you can get at the LPH settings and put those in check for ‘ administrator’ status, so a non-administrator simply cannot enter this REQUIRED information. * So what does a clever webmaster do? They edit the plugin and change the permissions check from ‘administrator’ to ‘upload_files’ (as it should be) and then hand over the ID/Secret to the contributor. * BUT WAIT THERE’S MORE * So the Contributor enters in the ID/Secret and then LPH redirects them to log into Libsyn for no reason whatsoever. * What’s the point of these API keys if you need to log in to Libsyn itself to get this to work? * Do we actually need to give a Contributor full login access to Libsyn to just upload an MP3 via WordPress? * What is going on here? This isn’t just annoying, it’s also incredibly insecure to demand all this broad sharing of credentials. Viewing 1 replies (of 1 total) * [Benbodhi](https://wordpress.org/support/users/benbodhi/) * (@benbodhi) * [5 years, 10 months ago](https://wordpress.org/support/topic/lph-badly-coded-for-multiple-users/#post-13188351) * To add to this, I only need to embed an existing feed of episodes uploaded directly to libsyn. So the website using the plugin just needs to display the feed like a simple embed. But as you noticed, key pair plus login screen, permissions to delete content from our site and more – just to embed a feed that shouldn’t have access to anything on our site really. * Edit: I’m removing the plugin and using a plain iframe to embed since we don’t need to publish to or from WP. - This reply was modified 5 years, 10 months ago by [Benbodhi](https://wordpress.org/support/users/benbodhi/). Viewing 1 replies (of 1 total) The topic ‘LPH badly coded for multiple users’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/libsyn-podcasting_bababa.svg) * [Libsyn Publisher Hub](https://wordpress.org/plugins/libsyn-podcasting/) * [Frequently Asked Questions](https://wordpress.org/plugins/libsyn-podcasting/#faq) * [Support Threads](https://wordpress.org/support/plugin/libsyn-podcasting/) * [Active Topics](https://wordpress.org/support/plugin/libsyn-podcasting/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/libsyn-podcasting/unresolved/) * [Reviews](https://wordpress.org/support/plugin/libsyn-podcasting/reviews/) ## Tags * [api](https://wordpress.org/support/topic-tag/api/) * [libsyn](https://wordpress.org/support/topic-tag/libsyn/) * [multi-user](https://wordpress.org/support/topic-tag/multi-user/) * 1 reply * 2 participants * Last reply from: [Benbodhi](https://wordpress.org/support/users/benbodhi/) * Last activity: [5 years, 10 months ago](https://wordpress.org/support/topic/lph-badly-coded-for-multiple-users/#post-13188351) * Status: not resolved