Title: Some (security) issues
Last modified: August 21, 2016

---

# Some (security) issues

 *  [edik](https://wordpress.org/support/users/plocha/)
 * (@plocha)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/some-security-issues/)
 * Hi,
    I don’t understand the design of the plugin.
 * If I own the ‘Administer Groups’ permission, I’m able to get all capabilities
   I want. Thus I can break out. So why did you implement the permission ‘Administer
   Groups plugin options’?
 * It would be nice to have a plugin which provides post access management without
   such security issues. In my opinion you should remove the whole capability management
   code because other plugins like ‘User Role Editor’ do it better anyway. That’s
   the [KISS principle](http://en.wikipedia.org/wiki/KISS_principle). 😀
 * Another problem I found: why do you differentiate between normal caps and ‘read
   access enforce’ caps? And why can I set the latter at the meta box and the option
   screen but not at the capability management screens?
 * [https://wordpress.org/plugins/groups/](https://wordpress.org/plugins/groups/)

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Plugin Author [itthinx](https://wordpress.org/support/users/itthinx/)
 * (@itthinx)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/some-security-issues/#post-4785229)
 * Thanks for the suggestions, but as you said yourself, you haven’t yet understood
   it. I would recommend you have a look at the documentation [http://www.itthinx.com/documentation/groups/](http://www.itthinx.com/documentation/groups/) –
   that will clarify for you that neither is there a security issue related to what
   you have mentioned, nor are the features around capabilities superfluous.
 *  Thread Starter [edik](https://wordpress.org/support/users/plocha/)
 * (@plocha)
 * [12 years ago](https://wordpress.org/support/topic/some-security-issues/#post-4785262)
 * The permission ‘Administer Groups plugin options’ **is** superfluous because
   you can use it to gain the permission ‘Administer Groups’. Vice versa, owning
   the ‘Administer Groups’ permission, you can get the ‘groups_admin_options’ capability
   aka ‘Administer Groups plugin options’. There is no security-related reason to
   distinguish between these permissions. You should merge them.

The topic ‘Some (security) issues’ is closed to new replies.

 * 2 replies
 * 2 participants
 * Last reply from: [edik](https://wordpress.org/support/users/plocha/)
 * Last activity: [12 years ago](https://wordpress.org/support/topic/some-security-issues/#post-4785262)
 * Status: not resolved