bitfade
says
ParkerAndKent said
Yeah, I know, I thought about this. The live preview is running on a different subdomain… while I’ve created specific subdomains and installations for the test-drive themes.

There isn’t any access to any script; what do you think could be an entry point?

Thanks!
The important thing is that the two must have different site roots (not two subfolders sharing a parent folder).

By granting users access to the admin area, you’re giving them additional privileges.
If a vulnerability is found, they could use it to escalate those privileges, get around a read-only rule imposed by WordPress, and upload a file.

Once that is done, you can kiss your whole WP installation goodbye.
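An added example of the lockdown bitfade is describing, written for this thread rather than taken from any poster or from WordPress itself. It is an mu-plugin for the demo install that vetoes the file-modifying and user-management capabilities for accounts carrying a hypothetical `is_demo_user` flag, restricts their uploads to image types, and warns if the matching `wp-config.php` constants are missing. The flag name, the `demo_*` function names and the header comment's wp-config settings are this example's assumptions; the hooks and constants it uses (`map_meta_cap`, `upload_mimes`, `xmlrpc_enabled`, `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS`) are standard WordPress.

```php
<?php
/**
 * Plugin Name: Demo Lockdown
 * Added example for this thread, not code from the original post.
 * Drop into wp-content/mu-plugins/ of the demo install (or demo network) only.
 *
 * Assumed companion settings in the demo install's wp-config.php (they must be
 * defined before WordPress loads, so they cannot live in this file):
 *   define( 'DISALLOW_FILE_EDIT', true ); // removes the theme/plugin code editors
 *   define( 'DISALLOW_FILE_MODS', true ); // blocks install/update/delete of themes and
 *                                         // plugins, including zip uploads from wp-admin
 */

/** Hypothetical user-meta flag set on every demo account when it is provisioned. */
const DEMO_USER_META = 'is_demo_user';

function demo_is_demo_user( int $user_id ): bool {
	return (bool) get_user_meta( $user_id, DEMO_USER_META, true );
}

/** Resolve the $user argument WordPress passes to some filters (int, WP_User or null). */
function demo_resolve_user_id( $user ): int {
	if ( $user instanceof WP_User ) { return (int) $user->ID; }
	if ( is_numeric( $user ) )      { return (int) $user; }
	return (int) get_current_user_id();
}

/** Capabilities a demo "administrator" must never hold, whatever its role says. */
function demo_denied_caps(): array {
	return [
		// anything that writes PHP to disk or changes what code runs
		'edit_themes', 'edit_plugins', 'edit_files', 'install_themes', 'install_plugins',
		'update_themes', 'update_plugins', 'update_core', 'delete_themes', 'delete_plugins',
		'switch_themes', 'activate_plugins', 'unfiltered_upload', 'unfiltered_html',
		'import', 'export',
		// account takeover or lateral movement inside the install
		'create_users', 'promote_users', 'edit_users', 'delete_users', 'remove_users',
		// network-level powers a demo admin has no reason to touch
		'manage_network', 'manage_sites', 'manage_network_users',
		'manage_network_themes', 'manage_network_plugins', 'manage_network_options',
	];
}

// map_meta_cap runs on every current_user_can() check, for primitive and meta caps alike.
// Returning 'do_not_allow' vetoes the capability regardless of what the role grants,
// so a plugin that later adds caps to the administrator role cannot re-open the hole.
add_filter( 'map_meta_cap', function ( array $caps, string $cap, int $user_id, array $args ): array {
	if ( $user_id && demo_is_demo_user( $user_id ) && in_array( $cap, demo_denied_caps(), true ) ) {
		return [ 'do_not_allow' ];
	}
	return $caps;
}, 10, 4 );

// Let demo users try the media library, but only with image types, so the
// "PHP inside a zip / .phtml" upload trick is not available to them.
add_filter( 'upload_mimes', function ( array $mimes, $user ): array {
	if ( demo_is_demo_user( demo_resolve_user_id( $user ) ) ) {
		return [
			'jpg|jpeg|jpe' => 'image/jpeg',
			'png'          => 'image/png',
			'gif'          => 'image/gif',
		];
	}
	return $mimes;
}, 10, 2 );

// XML-RPC is a second login and upload surface; a demo has no use for it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Warn loudly if the wp-config.php half of the lockdown is missing: the capability
// veto above covers the admin UI, but DISALLOW_FILE_MODS is what stops theme and
// plugin installs at the source.
add_action( 'admin_notices', function (): void {
	if ( ! defined( 'DISALLOW_FILE_MODS' ) || ! DISALLOW_FILE_MODS ) {
		echo '<div class="notice notice-error"><p>Demo lockdown: DISALLOW_FILE_MODS is not set in wp-config.php, so theme and plugin uploads are still possible.</p></div>';
	}
} );
```

The capability veto only governs what WordPress asks permission for; it does nothing against a vulnerability in the demo theme's own code or in a bundled plugin, which is exactly why the separate site root matters and why the demo install should hold no credentials or data you care about.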
ParkerAndKent
says
bitfade said
ParkerAndKent said
Yeah, I know, I thought about this. The live preview is running on a different subdomain… while I’ve created specific subdomains and installations for the test-drive themes.

There isn’t any access to any script; what do you think could be an entry point?

Thanks!
The important thing is that the two must have different site roots (not two subfolders sharing a parent folder).

By granting users access to the admin area, you’re giving them additional privileges.
If a vulnerability is found, they could use it to escalate those privileges, get around a read-only rule imposed by WordPress, and upload a file.

Once that is done, you can kiss your whole WP installation goodbye.

Well, no, they have different roots… all the sub-themes activated for the users will be in the same one, but that’s obvious. I’ll give full privileges, limited to a network theme of course.

I will activate a theme by invitation, so I hope this will save me problems. At least I will know each user…

At least I will save you guys from trying this thing for the first time :p

bitfade
says
ParkerAndKent said
At least I will save you guys from trying this thing for the first time :p
Damn! I should have kept my mouth closed…
ParkerAndKent
says
bitfade said
ParkerAndKent said
At least I will save you guys from trying this thing for the first time :p
Damn! I should have kept my mouth closed…

Why? :)

EugeneO
says

It’s an interesting idea. If anyone figures out a secure way to approach it I would be interested in trying it out with my themes.

bitfade
says
ParkerAndKent said
Why? :)
I quoted the wrong part…
ParkerAndKent said
I will activate a theme by invitation, so I hope this will save me problems. At least I will know each user…
’Cause I had planned to exploit your demo site and put a “pwned!” banner in there :evil:

Seriously, being a sysadmin, I’d never implement such a thing even if tortured.
If invitation-only, it could be OK security-wise, but I can see two problems:

1 – Too much work on your side
2 – “Why am I not allowed to?” kind of buyer questions
ParkerAndKent
says
bitfade said
ParkerAndKent said
Why? :)
I quoted the wrong part…
ParkerAndKent said
I will activate a theme by invitation, so I hope this will save me problems. At least I will know each user…
’Cause I had planned to exploit your demo site and put a “pwned!” banner in there :evil:

Seriously, being a sysadmin, I’d never implement such a thing even if tortured.
If invitation-only, it could be OK security-wise, but I can see two problems:

1 – Too much work on your side
2 – “Why am I not allowed to?” kind of buyer questions

Ahahah, I trust people… my bad :)

1: Not really, just one click.
2: Everyone can have a theme activated; they just need to send me an email ;)

PS

If you have any tip to improve security share it my dear sysadmin! :D

wizylabs
says
ParkerAndKent said
wizylabs said
Hmm, nice idea, but again it’s almost impossible to protect your code completely! Maybe a better idea would be a multisite for your theme, on your own server, that allows users to create a new instance of the theme with their own username/password etc… Then you have full control over what they see, as the new users (theme instances, i.e. sites) created can be limited to certain capabilities etc…

I agree about code protection; in fact the main goal of this post is to find the best way (if any) to achieve this. I mean, not everybody is skilled enough to strip the protections out of the code… only advanced users would be able to do so.

A multisite installation is also a good idea… but correct me if I’m wrong. You, as admin of the network, would need to create each theme installation manually for each user asking for a demo, right?

Not really; everything can be done programmatically in WordPress. You can prepare a landing page for your network site that has a registration form for users seeking demos, etc…

It won’t be hard; you can even require the Envato API to make sure that the user is from Envato, and you can chase them up later on!
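An added example of the programmatic provisioning wizylabs is describing, written for this thread and not code from any poster or from WordPress: a network-activated plugin that takes a registration form submission, optionally checks an Envato purchase code, creates a throw-away user and sub-site with the demo theme, flags the user so a capability lockdown can key on it, and schedules the site for deletion. The `DEMO_THEME`, `DEMO_TTL` and `ENVATO_TOKEN` constants, the `is_demo_user` flag, the `demo_*` function names, the `/demo-ready/` page and the form field names are this example's assumptions. The Envato endpoint and its "200 means a matching sale exists" rule are assumed from the Envato API v3 documentation and are not verified here; everything else uses standard WordPress multisite functions (`wpmu_create_blog`, `wp_delete_site`, `wpmu_delete_user`, `wp_schedule_single_event`).

```php
<?php
/**
 * Plugin Name: Demo Provisioner
 * Added example for this thread, not code from the original post.
 * Network-activate on a WordPress multisite that hosts *only* demos.
 *
 * Assumptions (all hypothetical names): the network uses sub-domains, the demo
 * theme is network-enabled under the slug in DEMO_THEME, DEMO_TTL is how long a
 * demo lives, and ENVATO_TOKEN holds a personal token for the Envato API.
 */

if ( ! defined( 'DEMO_THEME' ) ) { define( 'DEMO_THEME', 'my-demo-theme' ); }
if ( ! defined( 'DEMO_TTL' ) )   { define( 'DEMO_TTL', DAY_IN_SECONDS ); }

/**
 * Optional purchase-code check. The endpoint and the "200 means a matching sale
 * exists" rule are assumed from the Envato API v3 documentation, not verified here.
 */
function demo_verify_purchase_code( string $code ): bool {
	if ( ! defined( 'ENVATO_TOKEN' ) || ! preg_match( '/^[a-f0-9-]{36}$/i', $code ) ) {
		return false;
	}
	$resp = wp_remote_get(
		'https://api.envato.com/v3/market/author/sale?code=' . rawurlencode( $code ),
		[ 'timeout' => 10, 'headers' => [ 'Authorization' => 'Bearer ' . ENVATO_TOKEN ] ]
	);
	return ! is_wp_error( $resp ) && 200 === wp_remote_retrieve_response_code( $resp );
}

/** Create a throw-away user and sub-site for one demo request; returns the blog ID or a WP_Error. */
function demo_provision( string $email ) {
	if ( ! is_multisite() ) {
		return new WP_Error( 'demo_no_multisite', 'Demo provisioning needs a multisite network.' );
	}
	require_once ABSPATH . 'wp-admin/includes/ms.php'; // provides wpmu_delete_user()
	$email = sanitize_email( $email );
	if ( ! is_email( $email ) || email_exists( $email ) ) {
		return new WP_Error( 'demo_bad_email', 'Invalid or already-registered e-mail address.' );
	}
	// Random slug: live demos must not be enumerable by guessing demo1, demo2, ...
	$slug    = 'demo-' . strtolower( wp_generate_password( 10, false ) );
	$user_id = wp_create_user( $slug, wp_generate_password( 24, true ), $email );
	if ( is_wp_error( $user_id ) ) {
		return $user_id;
	}
	update_user_meta( $user_id, 'is_demo_user', 1 ); // flag that capability lockdown rules key on

	$network = get_network();
	$blog_id = wpmu_create_blog( $slug . '.' . $network->domain, '/', 'Theme demo', $user_id, [], $network->id );
	if ( is_wp_error( $blog_id ) ) {
		wpmu_delete_user( $user_id );
		return $blog_id;
	}
	switch_to_blog( $blog_id );
	switch_theme( DEMO_THEME ); // only this site gets the theme; the network stays untouched
	restore_current_blog();

	// Expire the demo automatically so a forgotten site never becomes a permanent foothold.
	wp_schedule_single_event( time() + DEMO_TTL, 'demo_expire_site', [ $blog_id, $user_id ] );
	wp_new_user_notification( $user_id, null, 'user' ); // mails a set-password link, never a password
	return $blog_id;
}

add_action( 'demo_expire_site', function ( int $blog_id, int $user_id ): void {
	require_once ABSPATH . 'wp-admin/includes/ms.php';
	wp_delete_site( $blog_id );   // drops the site's tables and its uploads directory
	wpmu_delete_user( $user_id );
}, 10, 2 );

// Landing-page form: <form method="post" action=".../wp-admin/admin-post.php"> with a
// hidden "action=demo_register", wp_nonce_field('demo_register'), "email" and "purchase_code".
add_action( 'admin_post_nopriv_demo_register', function (): void {
	check_admin_referer( 'demo_register' );
	// Crude per-IP rate limit: one provisioning attempt per ten minutes.
	$key = 'demo_rl_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
	if ( get_site_transient( $key ) ) {
		wp_die( 'Too many demo requests from this address; try again later.', '', 429 );
	}
	set_site_transient( $key, 1, 10 * MINUTE_IN_SECONDS );

	$code = sanitize_text_field( wp_unslash( $_POST['purchase_code'] ?? '' ) );
	if ( ! demo_verify_purchase_code( $code ) ) {
		wp_die( 'Purchase code could not be verified.', '', 403 );
	}
	$result = demo_provision( (string) wp_unslash( $_POST['email'] ?? '' ) );
	if ( is_wp_error( $result ) ) {
		wp_die( esc_html( $result->get_error_message() ), '', 400 );
	}
	wp_safe_redirect( network_home_url( '/demo-ready/' ) ); // hypothetical confirmation page
	exit;
} );
```

Two practical notes: the expiry relies on WP-Cron, which only fires when someone requests a page, so on a demo network it is worth disabling `WP_CRON` in `wp-config.php` and running `wp cron event run --due-now` from a system cron instead; and provisioning on its own does not reduce what the new administrator may do, which is why the `is_demo_user` flag is set for a separate capability lockdown to act on.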

ParkerAndKent
says
wizylabs said
ParkerAndKent said
wizylabs said
Hmm, nice idea, but again it’s almost impossible to protect your code completely! Maybe a better idea would be a multisite for your theme, on your own server, that allows users to create a new instance of the theme with their own username/password etc… Then you have full control over what they see, as the new users (theme instances, i.e. sites) created can be limited to certain capabilities etc…

I agree about code protection; in fact the main goal of this post is to find the best way (if any) to achieve this. I mean, not everybody is skilled enough to strip the protections out of the code… only advanced users would be able to do so.

A multisite installation is also a good idea… but correct me if I’m wrong. You, as admin of the network, would need to create each theme installation manually for each user asking for a demo, right?

Not really; everything can be done programmatically in WordPress. You can prepare a landing page for your network site that has a registration form for users seeking demos, etc…

It won’t be hard; you can even require the Envato API to make sure that the user is from Envato, and you can chase them up later on!

Hi,

yes, thanks… I’ve already installed everything and tested… it works like a charm :)

Parker

Bebel
says

It’s a good addition if done right. All of you know those comments: “Can I do this and that in the backend…” People could simply try it out. There would be fewer complaints after purchase as well, because everyone would really know what they are getting…
