
Locking Plugins

James

Well-known member
#1
I think there should be an option to "lock" any plugin you've made. Locking this plugin would make it so that the plugin cannot be modified until the lock is removed from the plugin (you could even make it so that it can't be read).

I was thinking of this because you could have sensitive plugin data (technically, all plugin data is sensitive) that you don't want someone to get a hold of, perhaps if you've had a breach or something. Locking plugins will be done via config.php (in my own head anyway as I was thinking this), perhaps as a constant like vBulletin.
PHP:
define('LOCK_PLUGINS', true);
You'd basically lock a plugin by ticking a box or clicking an unlocked padlock (which switches to locked) and when the above code is placed in the config file the plugins are not able to be modified.
 

Boothby

Active member
#3
Locking several plugins will not help you if you have concerns as you described, because one could fetch all needed data with plugins that aren't locked.
 

Enigma

Well-known member
#5
I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?
 

James

Well-known member
#7
I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?
Viewing I'm still not sure about, could be good though.

But yes, that's my idea :)
 

Enigma

Well-known member
#8
That would be a nice added layer of security if I'm reading it right.
Yes. My reading of this is it would be for security. If the admin is not going to be making changes to any plugins, then "lock" them via a config file so that in the event of someone stealing the admin's credentials, they would not be able to do anything with plugins in the Admin CP.
 

Mike

XenForo developer
Staff member
#9
You can't run any code via the admin CP (even when installing a new add-on; files must be uploaded), so all I could see this doing is preventing add-ons from being enabled/disabled/uninstalled. Is that really significant?
 

James

Well-known member
#10
You can modify plugins though (I'm guessing), creating some form of locking handle would prevent them from being modified?
 

James

Well-known member
#13
We don't know how the plugin system works so I can't comment really. Is the plugin system allowed to run malicious code? (db querying). Is the plugin system able to modify a pre-prepared query that's not been executed?

If any of the above is possible, then the plugin system becomes your greatest strength and your greatest weakness and some form of locking handle prevents your innocent plugins turning malicious, or just being generally modified/deleted.. could also prevent creating them.
 

Mike

XenForo developer
Staff member
#14
The plugin system can do whatever it wants, but it requires files to be uploaded. It's not eval() based; it's just callbacks.
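
The two ideas discussed in the thread (a config.php lock constant, and listeners stored as callback names rather than eval()'d source) can be combined as in the following added example. It is not part of the original posts and is not XenForo or vBulletin code; `ListenerRegistry`, `DemoAddon` and the `post_save` event are hypothetical names, and the installed-listener array is constructed sample data.

```php
<?php
// Hypothetical sketch: none of these class or event names come from XenForo or vBulletin.
define('LOCK_PLUGINS', true); // would live in config.php, which the admin CP cannot edit

final class ListenerRegistry
{
    /** @var array<string, array<int, array{0:string,1:string}>> event => [class, method] pairs */
    private array $listeners;

    public function __construct(array $installed)
    {
        $this->listeners = $installed; // rows as they would be loaded from the database
    }

    private function assertUnlocked(): void
    {
        if (defined('LOCK_PLUGINS') && LOCK_PLUGINS === true) {
            throw new RuntimeException('Plugin system is locked in config.php');
        }
    }

    public function add(string $event, string $class, string $method): void
    {
        $this->assertUnlocked(); // stolen admin credentials cannot register new listeners
        $this->listeners[$event][] = [$class, $method];
    }

    public function remove(string $event): void
    {
        $this->assertUnlocked(); // ...or silently drop existing ones
        unset($this->listeners[$event]);
    }

    public function fire(string $event, array $args = []): array
    {
        $results = [];
        foreach ($this->listeners[$event] ?? [] as [$class, $method]) {
            // The stored value is only a name; code must already exist on disk to run.
            if (is_callable([$class, $method])) {
                $results[] = call_user_func_array([$class, $method], $args);
            }
        }
        return $results;
    }
}

final class DemoAddon // stands in for an add-on file uploaded to the server
{
    public static function onPost(string $text): string { return strtoupper($text); }
}

$registry = new ListenerRegistry(['post_save' => [['DemoAddon', 'onPost']]]); // constructed data
var_dump($registry->fire('post_save', ['hello'])); // installed listeners stay active while locked
try { $registry->add('post_save', 'DemoAddon', 'onPost'); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Because the registry only stores class and method names, the lock in this sketch limits what can be wired up or removed through the admin interface; it does nothing about files an attacker can already write to disk.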