Discussion: Non-WordPress VIP Support about vip-governance-plugin HOT 6 CLOSED

Apologies on the late response, but assuming that the location of the file is locked down properly it should be okay to do so. With the merge of this PR, anywhere within WP-content dir would work as the location of the file. That's been released as v1.0.3

from vip-governance-plugin.

Hi Greg, thanks for opening this issue and for asking this!

• We aren't planning to host the plugin on the WordPress.org Plugin Directory at this time.
• For servicing non-VIP users, I just put up this PR which should help. This will add a filter that will allow providing a path to where your rules file is, and the plugin will pick that up instead. This would be better than how it is right now, where you'd need to change the rules file in the plugin so that you get a custom set of rules.

In terms of the location for the governance-rules.json file: Do you feel the file needs to be kept private for security reasons, or is the WordPress VIP private folder just the most straightforward place for WordPress VIP users to put their own copy?

It's a bit of both in that it's good to keep this file private, and the most straightforward place to keep it for VIP sites is the private directory. We have some docs here on this that could help explain this directory better.

Hope that clarifies what you asked.

from vip-governance-plugin.

Thanks very much for your response! That PR is perfect to resolve the non-VIP file location question.

In terms of this:

It's a bit of both in that it's good to keep this file private, and the most straightforward place to keep it for VIP sites is the private directory. We have some docs here on this that could help explain this directory better.

Is there anything you can add in terms of your concerns about what might happen were the file public? ("Public" to the extent that if someone knew to load, say, wp-content/themes/[theme]/governance-rules.json, the server would happily send them that file.) In an ideal world, I would probably keep the file in my theme repository, but I'm very open to the notion that that's not a good idea.

from vip-governance-plugin.

The information that is in this file could expose certain parts of your WordPress site that you may want to keep private. A potential example of this kind of information is the roles type used for governance. There could be custom roles that are used rather than the default OOB ones, for security reasons. By keeping it in the private folder for VIP sites, this allows it to always be secure and private. There isn't a choice to be made for if this information has to be kept private or not.

For Non-VIP users/sites, this doesn't have to be the case with the upcoming PR that I linked. They can choose to expose it, if they want. Hope that clarifies it!

from vip-governance-plugin.

Thanks very much for your response! I definitely understand that your use of the WordPress VIP private folder ensures WordPress VIP users never need to think about this at all; I just wanted to make sure I understood the ramifications for non-VIP users, should they decide to use the new filter to expose it.

If we imagine a rule set with no custom roles or custom post types that a site owner would like to keep private, do you think it would be safe to expose that file, or are there other potential security concerns?

from vip-governance-plugin.

Very sorry for the equally late response—thanks very much for this change and for your responses!

from vip-governance-plugin.