More appropriate capability check

[shawfactor]

I would suggest a more capability check for this plugin would be install_plugins rather than manage_options. What do you think?

I suggest this as when it is run on a multisite, ordinary site admins have manage_options but cannot change the plugin anyway. In fact this could be a minor security vector by displaying the code that is being run on the site inappropriately

[swissspidy]

The capability checked for by the plugin is activate_plugins, see

plugin-check/includes/Admin/Admin_Page.php

Line 67 in 6b28da3

'activate_plugins',

and

plugin-check/includes/Admin/Admin_Page.php

Lines 186 to 192 in 6b28da3

	if ( current_user_can( 'activate_plugins' ) ) {
	$actions[] = sprintf(
	'<a href="%1$s">%2$s</a>',
	esc_url( admin_url( "tools.php?page=plugin-check&plugin={$plugin_file}" ) ),
	esc_html__( 'Check this plugin', 'plugin-check' )
	);
	}

[mukeshpanchal27]

@swissspidy, the ticket is open against the legacy plugin. You can find it here: https://github.com/WordPress/plugin-check/blob/legacy-plugin/admin/admin.php#L17-L19.

[swissspidy]

Well in that case I suppose we can close the issue, given that it doesn't exist in the new version.

[shawfactor]

The plugin in the .org repository uses manage_options and I was told to come here to raise a ticket to fix that…

[shawfactor]

In any case activate_plugins is the wrong capability to check against. Logically it should be a capability only super admins have on multisite like install_plugins. Otherwise there is a minor security risk

[swissspidy]

I don't see an immediate need to change the capability at the moment.

It's a development plugin that's not intended to run on a production site.

For Multisite support we have #64, so any related changes can be made in that ticket.

Closing as a duplicate.