Disable File Extension Check

 

 

Good day.  I recently had the opportunity to play with the latest version of H5P in WordPress and appreciate all the improvements that have been done.  The current version is much improved over the previous version I had the opportunity to play with.

 

As a system admin for a Multi-Network / Multi-Site system there is one function that serioulsy concerns me that i have to see if there is a work around or whether this can be addressed.

Since this a shared code base with hundreds of users, I can network activate the plugin so everyone has it, but when they access it, site admins still have the capability to bypass files extension checks while uploading content.   In a shared environment, i find this a REAL security issue.

 

Is there any way we can update the plugin so that when it is installed and activated in a Multi-Network or Multi-Site environment, that bypass is only available to super admins vice all site admins??

 

I appreciate any input.

 

Thanks

Dave

 

0
0
Supporter votes Members of the Supporter Network can vote for feature requests. When the supporter network has generated sufficient funding for the top voted feature request it will normally be implemented and released. More about the H5P Supporter Network
icc's picture

I understand your concern, this is not a very good default. I guess some people probably would want it but not by default, and since there are plugins for reassigning capabilities to other roles, there shouldn't be any issues for those who don't want the default.

The capability for disabling this check is called disable_h5p_security and is automatically assigned to the roles that have the install_plugins capability when the plugin is installed. I guess the best way to solve this is to detect when is_multisite() changes and then reassign capabilities such as this to a role that have both the manage_network_plugins and install_plugins capabilities.

A quick fix if you don't want to reassign roles or wait for me to fix and test this is to update the if statement at line 35 in admin/views/new-content.php to include checks for is_multisite() and is_super_admin().

Thank you for pointing out the issue! Through feedback, the module becomes better for everyone!

 

Thanks for the quick response.Correcting that item would make this much more usable/safer in our environment.

You might want to check your logic on the roles that have rights to the disable_h5p_security.  In a Multi-Site installation, super admins have the install-plugin capability, but site admins do not.   In multi-site site admins can activate plugins for their specific sites, but typically only the super-admins have the capability to install plugins.  you can refer to https://codex.wordpress.org/Roles_and_Capabilities to confirm.   When it shows up for site admins makes me believe the installation is still looking like a single site installation type plugin.

Thank you very much for your work and help.

 

Regards

 

icc's picture

A fix has been added for the issue in d5032c1 and will be part of the next version of the plugin.

Again, thank you for your help!