Version 2.7.13 – Security fix caused some troubles.

Version 2.7.13 – Security fix caused some troubles.

The latest 2.7.13 release caused some troubles.

Let us explain what happened.

Administrators can give or not give the rights to autopost to specific user groups. That feature had a security hole that was allowing users who has no rights to autopost still do that. That was fixed in the latest version. We won’t unfix it or roll it back. That was a real security problem and it was causing real troubles.

If you are getting “User ID XXX can’t autopost” errors please go to the settings tab and give the user group where user with ID XXX rights to autopost.

However this fix backfired to users who were using that security hole as feature.

Examples:

– WordPress used as classifieds website. Visitors submit posts from frontend.

– Administrator doesn’t want contributors or authors to change autoposting settings, but still want their posts to be autoposted to all configured networks.

– All posts are imported by some automation plugin. That plugin is not brilliantly written and it inserts all posts using hard-coded user id #1. Website doesn’t even have the user with ID 1, so the result is “User ID 1 can’t autopost” error.

We will re-think our security model and might add another privilege, so some user groups will autopost without seeing or being able to make any changes to the settings. We also might add the ability to skip this whole security model and use plugin without any restrictions (as it was before the fix).

UPDATE: Version 2.7.14 has an ability to skip the check for user privileges as well as an ability to allow users to autopost without seeing to changing any options.

sc-snap-0003-editpost-ImageSelect

  • Comments
  • Trackbacks
  • About post
80
  1. May 4, 2013 at 10:05 pmRon Devito  Reply

    I have an open ticket about this very issue. I am the only one who can autopost now. Even posts under the names of *other admins* cannot auto-post. That defeats the purpose of auto-posting. This is costing me a lot of extra time spent on posts. This really needs to be resolved. I need to know when I post that this script is going to work as advertised and that means ALL admin accounts, the editors, and the authors will have their stuff auto-posted like they did before this update. I should not have to come in afterwards and manually post it. I should not have to post under my name, then change the name back to the original author after the autoposting is complete. Autoposting is not a "nice-to-have"; this is a core-component of your product. Your update broke it. It needs to be fixed or just roll it back. Please. It was working before. It did not need to be fixed.

    • May 5, 2013 at 9:27 amRon Devito  Reply

      I must stand corrected. I checked the settings versus your entries here and only admins were able to see the NextScript box on posts. This means likely in fact only I had permission to autopost. I opened it to editors and authors and I'm going to test later, so this may be a case of a problem with the operator, not the software. I'll post this to the ticket I have open. You may delete the prior comment and this one.

  2. May 6, 2013 at 4:44 pmAyman  Reply

    I think it's better if there would be tow different options. One which will be managing which user roles can auto post and the other one to manage if this user role can see the snap box.
    Like that you can give a specific role the ability to auto post without the need to give them the snap box on the post edit page so they can't mess with things like re-posting over and over again the same post.

    Anyway thanks for this great plugin

  3. May 6, 2013 at 10:07 pmRon Devito  Reply

    Going to settings and making sure that Editor and Author can see the NextScript box in posts also gives them permission to post and this solved the problem for me. NextScript is now posting for everyone on my site like it used to and like it's supposed to.

    These are the settings in text form:

    Who can see auto-posting options on the "New Post" pages?

    Administrator - Somebody who has access to all the administration features
    Editor - Somebody who can publish and manage posts and pages as well as manage other users' posts, etc.
    Author - Somebody who can publish and manage their own posts

    All three need to be checked off - as I want it to work on my site that is. I only had Administrator checked and I'm the only one on my site who is an admin and also posts. For a normal WordPress site you more than likely don't want contributors and subscribers auto-posting.

  4. May 17, 2013 at 7:10 pmQuondos  Reply

    Thanks to redirecting me here for my support ticket. I changed the settings to allow autopost my authors and everything is fine now !
    Big thanks. Your support really rocks. I am a paid user but very satisfied since I am using your plugin when I was still free. A good decision I have made to pay. I autopost to all my social networ (fb, tw, tumblr, blogger, wordpress, g+) and 2 wp self installed. Everything run fine now.

  5. November 18, 2013 at 8:50 pmJames  Reply

    I second Quondos reply. This support is great and was very helpful. Much appreciated! Thanks!

  6. May 16, 2014 at 9:58 pmLee  Reply

    Plugin not autoposting to any network. For the last 2 weeks, I keep getting the following error even after I granted access to editor and author.

    [2014-05-17 01:52:30] - [Skipped]- User ID 1 can't autopost (see FAQ #1.7) - Post ID:(982)

    Can someone help me fix this problem?

    • May 17, 2014 at 12:11 amNextScripts  Reply

      The answer is in the FAQ - #1.7: http://www.nextscripts.com/support-faq/#q17

Leave a Reply

Logged in as - Log out

Reply to:

posted on May 2, 2013
in Development, Issues, Web Development
tagged , , ,
© 2012-2016 NextScripts.com