1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Locking Plugins

Discussion in 'Closed Suggestions' started by James, Aug 10, 2010.

  1. James

    James Well-Known Member

    I think there should be an option to "lock" any plugin you've made. Locking this plugin would make it so that the plugin cannot be modified until the lock is removed off the plugin (you could even make it so that it can't be read).

    I was thinking of this because you could have sensitive plugin data (technically, all plugin data is sensitive) that you don't want someone to get a hold of, perhaps if you've had a breach or something. Locking plugins will be done via config.php (in my own head anyway as I was thinking this), perhaps as a constant like vBulletin.
    PHP:
    define('LOCK_PLUGINS'true);
    You'd basically lock a plugin by ticking a box or clicking an unlocked padlock (which switches to locked) and when the above code is placed in the config file the plugins are not able to be modified.
     
  2. James

    James Well-Known Member

    No opinions on this? :p I thought it was a nice idea myself!
     
  3. Boothby

    Boothby Active Member

    Locking several plugins will not help you if you have concerns as you discribed, because one could fetch all needed data with plugins that aren't locked.
     
  4. James

    James Well-Known Member

    It was just a scenario :) maybe you could prevent creation of new plugins when the lock is in place!
     
  5. Enigma

    Enigma Well-Known Member

    I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?
     
  6. Tigratrus

    Tigratrus Well-Known Member

    That would be a nice added layer of security if I'm reading it right.
     
  7. James

    James Well-Known Member

    Viewing I'm still not sure about, could be good though.

    But yes, that's my idea :)
     
  8. Enigma

    Enigma Well-Known Member

    Yes. My reading of this is it would be for security. If the admin is not going to be making changes to any plugins, then "lock" them via a config file so that in the event of someone stealing the admin's credentials, they would not be able to do anything with plugins in the Admin CP.
     
  9. Mike

    Mike XenForo Developer Staff Member

    You can't run any code via the admin CP (even when installing a new add-on; files must be uploaded), so all I could see this doing is preventing add-ons from being enabled/disabled/uninstalled. Is that really significant?
     
  10. James

    James Well-Known Member

    You can modify plugins though (I'm guessing), creating some form of locking handle would prevent them from being modified?
     
  11. Mike

    Mike XenForo Developer Staff Member

    To what end though?
     
  12. Enigma

    Enigma Well-Known Member

    If plugins are file-based and not evaling code stored in the database, then I think this is moot.
     
  13. James

    James Well-Known Member

    We don't know how the plugin system works so I can't comment really. Is the plugin system allowed to run malicious code? (db querying). Is the plugin system able to modify a pre-prepared query that's not been executed?

    If any of the above is possible, then the plugin system becomes your greatest strength and your greatest weakness and some form of locking handle prevents your innocent plugins turning malicious, or just being generally modified/deleted.. could also prevent creating them.
     
  14. Mike

    Mike XenForo Developer Staff Member

    The plugin system can do whatever it wants, but it requires files to be uploaded. It's not eval() based; it's just callbacks.
     
  15. James

    James Well-Known Member

    So all plugins are file-based?
     

Share This Page