HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
FilterDiscussion Plugin - Answers about security
rbrahmson
✭✭✭
One of the plugin users raised questions about the plugin security and I answered them in separate comments. I wanted to put these aspects all together in one place.
- First, the plugin conforms to Vanilla permissions model - whatever parameters are used to display the discussions, they augment the Vanilla built-in permission model. For example, if a user does not have access to a category, no matter which filter is used the users won't see discussions in the unauthorized category.
- To use the plugin the user must have a special permission ('Plugins.FilterDiscussion.View') set in Roles. Since an admin is authorized for everything an admin may not notice that regular users cannot get results unless they are also granted that permission.
- The plugin dashboard defined which columns can be used for filtering so if you have additional columns (for example those defined by the Discussion Extender plugin) they can be disallowed to be used for filtering.
- Filter specifications can be saved as named filters hiding the parameters from end users.
Hope that answers some questions.
1