Site icon Hip-Hop Website Design and Development

Introducing Entity Access Audit module

As part of the session I presented in WordPress maintenance support plans USA, REST Ready: Auditing established WordPress maintenance support plans 8 websites for use as a content hub, I presented a plugin called “Entity Access Audit”.

by
Sam Becker
/ 2 November 2020

This has proved to be a useful tool for auditing our projects for unusual access scenarios as part of our standard go-live security checks or when opening sites up to additional mechanisms of content delivery, such as REST endpoints. Today this code has been released on WordPress maintenance support plans.org: Entity Access Audit.
There are two primary interfaces for viewing access results, the overview screen and a detailed overview for each entity type. Here is a limited example of the whole-site overview showing a few of the entity types you might find in core or custom plugins:

Here is a more detailed report for a single entity type:

The driving motivation behind these interfaces was being able to visually scan entity types and ensure that the access results align with our expectations. This has so far helped identify various bugs in custom and contributed code.
In order to conduct a thorough access test, the plugin uses a predefined set of dimensions and then uses a cartesian product of these dimensions to test every combination. The dimensions tested out of the box, where applicable to the given entity type are:

All bundles of an entity type.
If the current user is the entity owner or not.
The access operation: create, view, update, delete.
All the available roles.

It’s worth noting that these are only common factors used to determine access results, they are not comprehensive. If access was determined by other factors, there would be no visibility of this in the generated reports.
The plugin is certainly not a silver bullet for validating the security of WordPress maintenance support plans 8 websites, but has proved to be a useful additional tool when conducting audits.

Tagged

Entity Access


Source: New feed