Locking Plugins

James

I think there should be an option to "lock" any plugin you've made. Locking this plugin would make it so that the plugin cannot be modified until the lock is removed off the plugin (you could even make it so that it can't be read).

I was thinking of this because you could have sensitive plugin data (technically, all plugin data is sensitive) that you don't want someone to get a hold of, perhaps if you've had a breach or something. Locking plugins will be done via config.php (in my own head anyway as I was thinking this), perhaps as a constant like vBulletin.
PHP:
define('LOCK_PLUGINS', true);
You'd basically lock a plugin by ticking a box or clicking an unlocked padlock (which switches to locked) and when the above code is placed in the config file the plugins are not able to be modified.
 
Locking several plugins will not help you if you have concerns as you described, because one could fetch all needed data with plugins that aren't locked.
 
I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?
 
I see what you mean. This would be a way to lock the entire plugin system, which would prevent adding/deleting/modifying/viewing plugins, while still leaving the currently installed plugins active. Is that right?

Viewing I'm still not sure about, could be good though.

But yes, that's my idea :)
 
That would be a nice added layer of security if I'm reading it right.

Yes. My reading of this is it would be for security. If the admin is not going to be making changes to any plugins, then "lock" them via a config file so that in the event of someone stealing the admin's credentials, they would not be able to do anything with plugins in the Admin CP.
 
You can't run any code via the admin CP (even when installing a new add-on; files must be uploaded), so all I could see this doing is preventing add-ons from being enabled/disabled/uninstalled. Is that really significant?
 
You can modify plugins though (I'm guessing), creating some form of locking handle would prevent them from being modified?
 
We don't know how the plugin system works so I can't comment really. Is the plugin system allowed to run malicious code? (db querying). Is the plugin system able to modify a pre-prepared query that's not been executed?

If any of the above is possible, then the plugin system becomes your greatest strength and your greatest weakness and some form of locking handle prevents your innocent plugins turning malicious, or just being generally modified/deleted.. could also prevent creating them.
 
The plugin system can do whatever it wants, but it requires files to be uploaded. It's not eval() based; it's just callbacks.
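
The config-based lock discussed in this thread, as an added example that is not part of any post and not the forum software's own code: write actions on plugins are refused in the Admin CP while `LOCK_PLUGINS` is set, and refused attempts are logged. The action names, `pluginActionAllowed()`, `handlePluginRequest()` and the `$lockViewing` switch are hypothetical.

```php
<?php
// Added illustration; every function and action name here is hypothetical.

// Would live in config.php, which can only be changed with filesystem access.
define('LOCK_PLUGINS', true);

// Admin CP plugin actions, grouped by whether they change state.
const PLUGIN_WRITE_ACTIONS = ['add', 'edit', 'delete', 'enable', 'disable'];
const PLUGIN_READ_ACTIONS  = ['list', 'view'];

/**
 * Decide whether an Admin CP plugin action may proceed.
 * $lockViewing models the "can't be read" variant raised in the thread.
 */
function pluginActionAllowed(string $action, bool $locked, bool $lockViewing = false): bool
{
    if (in_array($action, PLUGIN_WRITE_ACTIONS, true)) {
        return !$locked;
    }
    if (in_array($action, PLUGIN_READ_ACTIONS, true)) {
        return !($locked && $lockViewing);
    }
    return false; // unknown actions are denied (fail closed)
}

function handlePluginRequest(string $adminUser, string $action): string
{
    $locked = defined('LOCK_PLUGINS') && LOCK_PLUGINS === true;
    if (!pluginActionAllowed($action, $locked)) {
        // A refused write while locked is worth alerting on: the admin
        // account may be in someone else's hands.
        error_log(sprintf('plugin lock: denied "%s" by admin "%s"', $action, $adminUser));
        return 'denied';
    }
    return 'ok';
}

// Constructed sample requests from a constructed admin account.
foreach (['list', 'edit', 'delete', 'export'] as $action) {
    printf("%-6s => %s\n", $action, handlePluginRequest('admin1', $action));
}
```

Already installed plugins keep running because the check sits only on the Admin CP actions, not on plugin execution.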
 