Escher allows any user to upload plugins

sbarnessckls · November 30, 2021, 9:36pm

Just a heads-up… I realized today that the Escher plugin can be used by ANY logged in user (even an otherwise-restricted Researcher) to upload plugins, since there’s an Escher button in the sidebar.

Of course, only Super Users can access the plugins interface to actually install or configure plugins.

While it probably isn’t really a functional issue, it could lead to a lot of messiness if a user without site editing permissions decided to experiment and upload random plugins! Deactivating Escher removes the button from the sidebar and solves that problem, but of course it must be reactivated before the next use.

NOTE: Guest User logins only allow front end access, so this is not an issue in that situation.

SharonLeon · November 30, 2021, 9:49pm

Just a note that Escher is not a plugin listed in our plugin directory. Nonetheless, registering a plugin does not mean that the Omeka team checks that plugin for functionality or security. The Omeka Team is only responsible for the security and stability of the plugins that we design and develop.

sbarnessckls · November 30, 2021, 10:03pm

Yes, of course! I just ran across this situation and wanted to put the information out there in case it’s useful to other users.

SharonLeon · November 30, 2021, 10:32pm

I appreciate it. Just wanted to make it clear to all users

DanieleB · December 2, 2021, 2:50pm

Hi.

You could probably fix that issue this way:

find and open for editing the EscherPlugin.php file in your installation;
find the function hookDefineAcl and replace its code with the following:

$acl = $args['acl'];

$indexResource = new Zend_Acl_Resource('Escher_Index');
$acl->add($indexResource);

$acl->allow(array('super', 'admin'), array('Escher_Index'));

find the function filterAdminNavigationMain and replace its code with the following:

$navArray['Escher'] = array(
    'label' => __("Escher"),
    'uri' => url('escher'),
    'resource' => 'Escher_Index',
    'privilege' => 'index'
 );
 return $navArray;

Hope this helps.

DanieleB · December 2, 2021, 2:53pm

That’s a good point, Sharon. Maybe you might consider adding some kind of disclaimer to the Plugins page, reminding that to users.

SharonLeon · December 2, 2021, 9:27pm

We can definitely make that update.

system · August 7, 2022, 9:37pm

This topic was automatically closed after 250 days. New replies are no longer allowed.