[wp-trac] Re: [WordPress Trac] #4275: PHP Exec Widgets repeat in WP 2.2 widget implementation
WordPress Trac
wp-trac at lists.automattic.com
Thu May 17 16:55:17 GMT 2007
#4275: PHP Exec Widgets repeat in WP 2.2 widget implementation
---------------------------------+------------------------------------------
 Reporter:  technosailor         |       Owner:  anonymous
     Type:  defect               |      Status:  closed
 Priority:  high                 |   Milestone:  2.2.1
Component:  Administration       |     Version:  2.2
 Severity:  normal               |  Resolution:  fixed
 Keywords:  widgets needs-patch  |
---------------------------------+------------------------------------------
Comment (by technosailor):
Replying to [comment:15 Otto42]:
>
> 2. It's potentially a security risk for multi-user blogs. Maybe. Some
> roles/capabilities need to be examined to be sure. I didn't bother adding
> any extra security layers to it, and don't know if they are needed.
Allow me to be the devil's advocate and make a semantic argument. If a
user is an administrator, they can modify widgets. If they are not, they
can't. If they are an administrator then they should have access to all
administrative functions. If they shouldn't have access to all
administrative functions, then they should be an Editor. So it comes down
to a management decision for the blog owner and thus outside of the
auspices of the development of WordPress.
>
> 3. Instead of making a separate widget for it, I suggest adding a
> checkbox to the Text widget config screen that will turn on/off the
> execution of PHP code found in the text box. No need for two widgets where
> one will do.
I would agree with this, and I would also agree with foolswisdom's
nomenclature argument.
--
Ticket URL: <http://trac.wordpress.org/ticket/4275#comment:17>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software