Escher allows any user to upload plugins

Just a heads-up… I realized today that the Escher plugin can be used by ANY logged in user (even an otherwise-restricted Researcher) to upload plugins, since there’s an Escher button in the sidebar.

Of course, only Super Users can access the plugins interface to actually install or configure plugins.

While it probably isn’t really a functional issue, it could lead to a lot of messiness if a user without site editing permissions decided to experiment and upload random plugins! Deactivating Escher removes the button from the sidebar and solves that problem, but of course it must be reactivated before the next use.

NOTE: Guest User logins only allow front end access, so this is not an issue in that situation.

Just a note that Escher is not a plugin listed in our plugin directory. Nonetheless, registering a plugin does not mean that the Omeka team checks that plugin for functionality or security. The Omeka Team is only responsible for the security and stability of the plugins that we design and develop.

Yes, of course! I just ran across this situation and wanted to put the information out there in case it’s useful to other users.

I appreciate it. Just wanted to make it clear to all users :slight_smile:

Hi.

You could probably fix that issue this way:

  1. find and open for editing the EscherPlugin.php file in your installation;
  2. find the function hookDefineAcl and replace its code with the following:
$acl = $args['acl'];

$indexResource = new Zend_Acl_Resource('Escher_Index');
$acl->add($indexResource);

$acl->allow(array('super', 'admin'), array('Escher_Index'));
  1. find the function filterAdminNavigationMain and replace its code with the following:
$navArray['Escher'] = array(
    'label' => __("Escher"),
    'uri' => url('escher'),
    'resource' => 'Escher_Index',
    'privilege' => 'index'
 );
 return $navArray;

Hope this helps.

That’s a good point, Sharon. Maybe you might consider adding some kind of disclaimer to the Plugins page, reminding that to users.

We can definitely make that update.