Comments (6)
Apologies on the late response, but assuming that the location of the file is locked down properly it should be okay to do so. With the merge of this PR, anywhere within WP-content dir would work as the location of the file. That's been released as v1.0.3
from vip-governance-plugin.
Hi Greg, thanks for opening this issue and for asking this!
- We aren't planning to host the plugin on the WordPress.org Plugin Directory at this time.
- For servicing non-VIP users, I just put up this PR which should help. This will add a filter that will allow providing a path to where your rules file is, and the plugin will pick that up instead. This would be better than how it is right now, where you'd need to change the rules file in the plugin so that you get a custom set of rules.
In terms of the location for the governance-rules.json file: Do you feel the file needs to be kept private for security reasons, or is the WordPress VIP private folder just the most straightforward place for WordPress VIP users to put their own copy?
It's a bit of both in that it's good to keep this file private, and the most straightforward place to keep it for VIP sites is the private directory. We have some docs here on this that could help explain this directory better.
Hope that clarifies what you asked.
from vip-governance-plugin.
Thanks very much for your response! That PR is perfect to resolve the non-VIP file location question.
In terms of this:
It's a bit of both in that it's good to keep this file private, and the most straightforward place to keep it for VIP sites is the private directory. We have some docs here on this that could help explain this directory better.
Is there anything you can add in terms of your concerns about what might happen were the file public? ("Public" to the extent that if someone knew to load, say, wp-content/themes/[theme]/governance-rules.json
, the server would happily send them that file.) In an ideal world, I would probably keep the file in my theme repository, but I'm very open to the notion that that's not a good idea.
from vip-governance-plugin.
The information that is in this file could expose certain parts of your WordPress site that you may want to keep private. A potential example of this kind of information is the roles
type used for governance. There could be custom roles that are used rather than the default OOB ones, for security reasons. By keeping it in the private folder for VIP sites, this allows it to always be secure and private. There isn't a choice to be made for if this information has to be kept private or not.
For Non-VIP users/sites, this doesn't have to be the case with the upcoming PR that I linked. They can choose to expose it, if they want. Hope that clarifies it!
from vip-governance-plugin.
Thanks very much for your response! I definitely understand that your use of the WordPress VIP private folder ensures WordPress VIP users never need to think about this at all; I just wanted to make sure I understood the ramifications for non-VIP users, should they decide to use the new filter to expose it.
If we imagine a rule set with no custom roles or custom post types that a site owner would like to keep private, do you think it would be safe to expose that file, or are there other potential security concerns?
from vip-governance-plugin.
Very sorry for the equally late response—thanks very much for this change and for your responses!
from vip-governance-plugin.
Related Issues (20)
- Explore switching to Typescript
- Expand rules to be post type specific HOT 1
- Problems allowing core/list nested in a block HOT 2
- Check parent-child hierarchy at all depths
- Add starter tests for javascript code
- Add tests for nested-governance-loader.js
- Add e2e condition that verifies colours
- Add tests for block-locking.jsx
- Use a better solution for determining core nested blocks HOT 2
- Automate the release process
- Incorporate useBlockEditingMode() for block locking
- Handle disabling non-theme colours
- Handle multisite support HOT 1
- Create a CLI validate command for the rules file
- Add support for automated styling
- Block recovery errors in WordPress 6.4
- Add filter to enable for programmatic JSON generation.
- Assets get enqueued with invalid URL on non-VIP deployments HOT 2
- Disallowed/locked blocks trigger browser console warning HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vip-governance-plugin.