
More appropriate capability check

Open shawfactor opened this issue 2 years ago • 5 comments

I would suggest a more appropriate capability check for this plugin would be install_plugins rather than manage_options. What do you think?

I suggest this as when it is run on a multisite, ordinary site admins have manage_options but cannot change the plugin anyway. In fact this could be a minor security vector by displaying the code that is being run on the site inappropriately.

shawfactor avatar Oct 05 '23 05:10 shawfactor

The capability checked for by the plugin is activate_plugins, see https://github.com/WordPress/plugin-check/blob/6b28da3c600c7658388272fef5085f1e87827a82/includes/Admin/Admin_Page.php#L67 and https://github.com/WordPress/plugin-check/blob/6b28da3c600c7658388272fef5085f1e87827a82/includes/Admin/Admin_Page.php#L186-L192

swissspidy avatar Oct 18 '23 11:10 swissspidy

@swissspidy, the ticket is open against the legacy plugin. You can find it here: https://github.com/WordPress/plugin-check/blob/legacy-plugin/admin/admin.php#L17-L19.

mukeshpanchal27 avatar Oct 18 '23 11:10 mukeshpanchal27

Well in that case I suppose we can close the issue, given that it doesn't exist in the new version.

swissspidy avatar Oct 18 '23 11:10 swissspidy

The plugin in the .org repository uses manage_options and I was told to come here to raise a ticket to fix that…

shawfactor avatar Oct 18 '23 11:10 shawfactor

In any case activate_plugins is the wrong capability to check against. Logically it should be a capability only super admins have on multisite, like install_plugins. Otherwise there is a minor security risk.

shawfactor avatar Oct 18 '23 12:10 shawfactor
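Illustration of the capability difference discussed in the opening post and the comment above, as an added example that is not plugin-check's own code. The function names and the `pc-demo` slug are assumptions; the notes on how each capability is resolved come from WordPress core's `map_meta_cap()`.

```php
<?php
/**
 * Added example (not plugin-check's own code): the capability passed to the
 * admin-page registration decides which users on a multisite network can open
 * a page that displays the source of installed plugins.
 *
 * How core's map_meta_cap() resolves the three capabilities discussed:
 *   manage_options   - held by every site Administrator, single-site or multisite.
 *   activate_plugins - on multisite additionally requires manage_network_plugins
 *                      unless the network has enabled the Plugins menu for sites.
 *   install_plugins  - on multisite mapped to do_not_allow for anyone who is not
 *                      a super admin, and to do_not_allow everywhere when
 *                      DISALLOW_FILE_MODS is defined.
 *
 * Assumed names: pc_demo_*, slug 'pc-demo', action 'pc_demo_run'.
 */

// Weak: a site Administrator on the network can open the page even though
// they have no way to change the plugins installed for the network.
function pc_demo_register_page_weak() {
	add_management_page( 'Plugin Check', 'Plugin Check', 'manage_options', 'pc-demo', 'pc_demo_render_page' );
}

// Hardened: only users who could actually modify plugin code (super admins on
// multisite, Administrators on a single site) get the menu entry and the page.
function pc_demo_register_page() {
	add_management_page( 'Plugin Check', 'Plugin Check', 'install_plugins', 'pc-demo', 'pc_demo_render_page' );
}

function pc_demo_render_page() {
	// Core already enforces the menu capability for the page load; repeating
	// the check keeps the callback safe if it is ever reused elsewhere.
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_die( esc_html__( 'Sorry, you are not allowed to access this page.' ), 403 );
	}
	echo '<div class="wrap"><h1>Plugin Check</h1></div>';
}

// Handlers hooked to admin_post_* run outside the menu capability check, so
// the same capability (and a nonce) must be verified there too.
function pc_demo_handle_run() {
	check_admin_referer( 'pc_demo_run' );
	if ( ! current_user_can( 'install_plugins' ) ) {
		wp_die( esc_html__( 'Sorry, you are not allowed to do that.' ), 403 );
	}
	// ... perform the check and redirect back to the page ...
	wp_safe_redirect( add_query_arg( 'page', 'pc-demo', admin_url( 'tools.php' ) ) );
	exit;
}

add_action( 'admin_menu', 'pc_demo_register_page' );
add_action( 'admin_post_pc_demo_run', 'pc_demo_handle_run' );
```

On a single site both `manage_options` and `install_plugins` are held by the Administrator role, so the change is only visible on multisite, where `install_plugins` narrows access to super admins.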

I don't see an immediate need to change the capability at the moment.

It's a development plugin that's not intended to run on a production site.

For Multisite support we have #64, so any related changes can be made in that ticket.

Closing as a duplicate.

swissspidy avatar Oct 23 '24 11:10 swissspidy