
Plugin Installation: Better guard the installation flow #58297

Closed
cpapazoglou opened this issue Nov 19, 2021 · 4 comments · Fixed by #58493 or #59360

Comments

@cpapazoglou
Contributor

cpapazoglou commented Nov 19, 2021

During our demo it was suggested that we should better guard our plugin installation direct URL, so that we avoid malicious users getting WordPress.com users to visit it and thus install a malicious wporg plugin on their site.

@cpapazoglou cpapazoglou added this to the Marketplace V0.5 milestone Nov 19, 2021
@cpapazoglou cpapazoglou changed the title from "Better guard the installation flow by checking referrer" to "Plugin Installation: Better guard the installation flow" Nov 19, 2021
@cpapazoglou
Contributor Author

Suggestion: saving in the state that the user has indeed initiated the plugin installation.

@WBerredo
Collaborator

Considering we'll be able to identify that a plugin installation was not initiated by the customer (#58493), I think we can give the customer the chance to proceed with the installation, giving the idea of a successful operation instead of an error.

This way the installation link could be used directly but in a safe manner.

Ex:
[Screenshot: Screen Shot 2021-11-26 at 10 38 57]

@cpapazoglou
Contributor Author

> Considering we'll be able to identify that a plugin installation was not initiated by the customer (#58493), I think we can give the customer the chance to proceed with the installation, giving the idea of a successful operation instead of an error.
>
> This way the installation link could be used directly but in a safe manner.
>
> Ex: [Screenshot: Screen Shot 2021-11-26 at 10 38 57]

I like this idea @WBerredo, cc @gcsecsey

@gcsecsey
Contributor

gcsecsey commented Nov 26, 2021

I think this is a brilliant idea @WBerredo! 🎉

To make the implementation more straightforward, I think we should add this as a follow-up PR, after we've handled plugin icons in #58281 (comment)
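A small model of the approach discussed in this thread (record in client state that the user initiated the install, and show a confirmation step instead of installing when that flag is absent), added here as an example and not code from Calypso or from this issue; the action names, the `siteId:slug` key format and the 10-minute staleness window are assumptions.

```javascript
// Assumed action types (not Calypso's): set when the user clicks "Install" inside
// the app, cleared once the install route has acted on the click.
const INSTALL_INITIATED = 'PLUGIN_INSTALL_INITIATED';
const INSTALL_CONSUMED = 'PLUGIN_INSTALL_CONSUMED';

// Assumption: a click older than this is stale and must be re-confirmed.
const MAX_AGE_MS = 10 * 60 * 1000;

function key(siteId, pluginSlug) {
  return `${siteId}:${pluginSlug}`;
}

// Pure reducer: state maps "siteId:slug" -> timestamp of the in-app click.
// The state lives only in the current page's memory, so a link opened from an
// e-mail or another site starts with no entry and cannot auto-install.
function initiatedInstallsReducer(state = {}, action) {
  switch (action.type) {
    case INSTALL_INITIATED:
      return { ...state, [key(action.siteId, action.pluginSlug)]: action.at };
    case INSTALL_CONSUMED: {
      const next = { ...state };
      delete next[key(action.siteId, action.pluginSlug)];
      return next;
    }
    default:
      return state;
  }
}

// Decide what the direct install route should do when it renders:
// 'install' only for a recent in-app click on this exact site/plugin pair,
// otherwise 'confirm' so the visitor sees a confirmation step, not an error.
function decideInstallAction(state, siteId, pluginSlug, now) {
  const at = state[key(siteId, pluginSlug)];
  if (at === undefined) return 'confirm';
  if (now - at > MAX_AGE_MS) return 'confirm';
  return 'install';
}

// Route handler: acts on the flag and consumes it, so a reload of the same URL
// after the install falls back to the confirmation step instead of re-running.
function handleInstallRoute(state, siteId, pluginSlug, now) {
  const action = decideInstallAction(state, siteId, pluginSlug, now);
  const nextState = action === 'install'
    ? initiatedInstallsReducer(state, { type: INSTALL_CONSUMED, siteId, pluginSlug })
    : state;
  return { action, state: nextState };
}
```

This only hardens the client-side flow; the install request itself still needs the server's own authorization and anti-CSRF checks.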
