Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+1 vote
in Q2A Core by
edited by
Wow! What a security hole!

When you activate the new plugin for the first time and it needs some changes in the database, they can be activated by any visitor.

2 Answers

+2 votes
no only admin can active plugin. if it is different for you, you shoukd check your permission settings.
+1 vote

Yes, it's technically true that anyone could run the upgrade, however it's not really a security hole.

Firstly, your visitors will never see the upgrade page unless the plugin causes an error on the front end of the site. So nothing will happen unless a visitor specifically visits the URL (which is only linked from admin, nowhere else) in the few seconds between you activating the plugin and clicking the upgrade link yourself.

Secondly, it only does database upgrades as defined by the plugin (or core Q2A in the case of a Q2A version upgrade). There is no way for someone to change the queries being run so they cannot add or delete whatever they want.

See this page from the docs for more details, and a server solution to ensure only you can do the upgrade.