Security Settings

August 30th, 2016

There are some security settings on the Database Options page that can be confusing. Hopefully this post will clear that up. They are:

  1. Allow only Administrators to see CFDB administration screens
  2. Can See Submission data
  3. Can See Submission data when using shortcodes
  4. Can Edit/Delete Submission data

Locking down the administration console

#1 provides a quick way to lock down the administration console so that users cannot see it. You might still enable them to see data that is generated via a shortcode using the setting described below. But if you don’t want them to be able to view the administration console in the WP dashboard, set this to “false”.

Enabling Access to View Data

We’ll discuss #2 and #3 together.

Each of these can be set to a role level (Anyone, Subscriber, Contributor, Author, Editor, Administrator).

A user has a privilege if his role is equal to or higher than the one specified. If ‘Can See Submission data’ is set to ‘Author’, then all users with the Author, Editor, or Administrator role have this privilege.

If a user’s role allows him to have #2, then he has complete access to see all data. When logged into the WP dashboard, he will see the CFDB menus (unless #1 is set to false). He can see all data in the CFDB administration page. He can see shortcode output, meaning he has #3 privileges as well. #2 is a superset of #3. He can create his own shortcodes and export links to access the data.

A subtle point: if a user has #2, the value of #3 is completely irrelevant to him, because #2 is a superset of #3. It therefore follows that it is not useful to set the role needed for #3 higher than that of #2.

#3 should be set to a role that is less than or equal to the level of #2. Typically #3 is set to ‘Anyone’ while #2 (and #4) is set to something high like ‘Editor’ or ‘Administrator’.

If a registered user has #3 but not #2, he will not see menu items in the WP admin area for this plugin. However, if he has permission to create posts, knows how to manually create shortcodes, and knows your form names, he could craft a post containing a shortcode to see data. So it is not entirely secure from reading. He cannot, however, delete any data, even if he tries to duplicate the operation that the admin page uses to delete data.
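To make the role-level rules above concrete, here is a small model of settings #2, #3 and #4 as the post describes them. This is an added example written for this post, not code from the CFDB plugin; the setting keys `can_see`, `can_see_shortcode` and `can_edit` are names chosen here, and the role levels are the six options listed on the Database Options page in the order given. It encodes the “equal or higher” rule, the fact that #2 implies #3, and a check that flags the not-useful case of #3 being set higher than #2. It also shows why the caveat about registered users applies: with the typical configuration, a Contributor has the shortcode privilege even though he has no access to the administration page.

```python
from enum import IntEnum


class Role(IntEnum):
    """Role levels from the Database Options page, lowest to highest."""
    ANYONE = 0
    SUBSCRIBER = 1
    CONTRIBUTOR = 2
    AUTHOR = 3
    EDITOR = 4
    ADMINISTRATOR = 5


# Option labels as they appear in the settings, mapped to their level.
ROLE_BY_NAME = {
    "Anyone": Role.ANYONE,
    "Subscriber": Role.SUBSCRIBER,
    "Contributor": Role.CONTRIBUTOR,
    "Author": Role.AUTHOR,
    "Editor": Role.EDITOR,
    "Administrator": Role.ADMINISTRATOR,
}


def parse_role(name):
    """Map an option label to a level; reject anything not in the list."""
    try:
        return ROLE_BY_NAME[name]
    except KeyError:
        raise ValueError("unknown role: %r" % (name,))


def meets(user_role, required_role):
    """A user has a privilege if his role is equal to or higher than the one required."""
    return user_role >= required_role


def effective_privileges(user_role, settings):
    """Resolve settings #2, #3 and #4 for one user.

    settings keys (names chosen for this example, not the plugin's own):
      can_see            -> "Can See Submission data" (#2)
      can_see_shortcode  -> "Can See Submission data when using shortcodes" (#3)
      can_edit           -> "Can Edit/Delete Submission data" (#4)
    """
    can_see = meets(user_role, settings["can_see"])
    # #2 is a superset of #3: a user who may see all data may also see
    # shortcode output, whatever #3 is set to.
    can_see_shortcode = can_see or meets(user_role, settings["can_see_shortcode"])
    can_edit = meets(user_role, settings["can_edit"])
    return {
        "admin_page": can_see,
        "shortcode_output": can_see_shortcode,
        "edit_delete": can_edit,
    }


def check_settings(settings):
    """Return warnings for the combination the post calls not useful."""
    warnings = []
    if settings["can_see_shortcode"] > settings["can_see"]:
        warnings.append(
            "#3 is set higher than #2; #2 already implies #3, "
            "so the higher #3 level has no effect"
        )
    return warnings


if __name__ == "__main__":
    # Typical configuration from the post: #3 = Anyone, #2 = Editor, #4 = Administrator.
    typical = {
        "can_see": parse_role("Editor"),
        "can_see_shortcode": parse_role("Anyone"),
        "can_edit": parse_role("Administrator"),
    }
    for name in ROLE_BY_NAME:
        print("%-13s %s" % (name, effective_privileges(parse_role(name), typical)))
    print("warnings:", check_settings(typical))
```

Running the block prints one line per role; the Contributor line shows `admin_page` false and `shortcode_output` true, which is exactly the situation the paragraph above warns about. Swapping the levels so that #3 is Administrator and #2 is Author produces a warning from `check_settings`, and an Editor still gets shortcode output because #2 applies to him.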

Enabling Data Editing

#4 allows the changing of data. In the basic free plugin, this means that a user can delete data from the CFDB administration panel. If the CFDB Editor is purchased and activated, it permits editing the data. When using a [cfdb-datatable] shortcode in edit mode, the user must have this role to be able to edit.
