Locking Plugins

James

Well-known member
I think there should be an option to "lock" any plugin you've made. Locking this plugin would make it so that the plugin cannot be modified until the lock is removed off the plugin (you could even make it so that it can't be read).

I was thinking of this because you could have sensitive plugin data (technically, all plugin data is sensitive) that you don't want someone to get a hold of, perhaps if you've had a breach or something. Locking plugins will be done via config.php (in my own head anyway as I was thinking this), perhaps as a constant like vBulletin.
PHP:
define('LOCK_PLUGINS', true);
You'd basically lock a plugin by ticking a box or clicking an unlocked padlock (which switches to locked) and when the above code is placed in the config file the plugins are not able to be modified.
 

Boothby

Well-known member
Locking several plugins will not help you if you have concerns as you described, because one could fetch all needed data with plugins that aren't locked.
 

James

Well-known member
It was just a scenario :) maybe you could prevent creation of new plugins when the lock is in place!
 

Enigma

Well-known member
I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?
 

James

Well-known member
I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?
Viewing I'm still not sure about, could be good though.

But yes, that's my idea :)
 

Enigma

Well-known member
That would be a nice added layer of security if I'm reading it right.
Yes. My reading of this is it would be for security. If the admin is not going to be making changes to any plugins, then "lock" them via a config file so that in the event of someone stealing the admin's credentials, they would not be able to do anything with plugins in the Admin CP.
 

Mike

XenForo developer
Staff member
You can't run any code via the admin CP (even when installing a new add-on; files must be uploaded), so all I could see this doing is preventing add-ons from being enabled/disabled/uninstalled. Is that really significant?
 

James

Well-known member
You can modify plugins though (I'm guessing), creating some form of locking handle would prevent them from being modified?
 

Enigma

Well-known member
If plugins are file-based and not evaling code stored in the database, then I think this is moot.
 

James

Well-known member
We don't know how the plugin system works so I can't comment really. Is the plugin system allowed to run malicious code? (db querying). Is the plugin system able to modify a pre-prepared query that's not been executed?

If any of the above is possible, then the plugin system becomes your greatest strength and your greatest weakness and some form of locking handle prevents your innocent plugins turning malicious, or just being generally modified/deleted... could also prevent creating them.
 

Mike

XenForo developer
Staff member
The plugin system can do whatever it wants, but it requires files to be uploaded. It's not eval() based; it's just callbacks.
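
Added example, not from the thread and not XenForo or vBulletin code: a sketch of the lock as discussed above, where a config constant refuses admin-panel changes to listeners while installed callbacks keep running, and where only a callback name (never PHP source) is stored. Every name other than LOCK_PLUGINS is hypothetical, and the listener array is constructed sample data.

```php
<?php
// Hypothetical sketch; only LOCK_PLUGINS appears in the thread.

// config.php: the constant proposed in the thread.
define('LOCK_PLUGINS', true);

// Constructed sample data standing in for a database table of listeners.
$listeners = [
    ['event' => 'post_save', 'callback' => ['AuditLog', 'onPostSave']],
];

// Listener code lives in an uploaded file, out of reach of the admin panel.
class AuditLog
{
    public static function onPostSave(array $post): string
    {
        return 'logged post ' . $post['id'];
    }
}

// Admin-panel write path: every add/edit/delete passes through this guard.
function saveListener(array &$listeners, array $row): void
{
    if (defined('LOCK_PLUGINS') && LOCK_PLUGINS) {
        throw new RuntimeException('Plugin system is locked in config.php');
    }
    // Only a class/method name is accepted, and it must already exist on disk.
    if (!is_callable($row['callback'])) {
        throw new InvalidArgumentException('Callback does not exist');
    }
    $listeners[] = $row;
}

// Runtime path: installed listeners keep firing while the lock is on.
function fire(array $listeners, string $event, array $arg): array
{
    $out = [];
    foreach ($listeners as $l) {
        if ($l['event'] === $event) {
            $out[] = call_user_func($l['callback'], $arg);
        }
    }
    return $out;
}

print_r(fire($listeners, 'post_save', ['id' => 7]));
try {
    saveListener($listeners, ['event' => 'x', 'callback' => ['AuditLog', 'onPostSave']]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

With a callback registry like this, stolen admin credentials alone cannot introduce new code, so the lock only protects the registration rows; in an eval-based design the same guard would be protecting executable source stored in the database.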
 