The MU forums have moved to WordPress.org

Modified Theme Toolkit for WordPress MU (11 posts)

  1. mrball
    Member
    Posted 17 years ago #

    Ozh’s Theme Toolkit allows theme authors to easily incorporate an admin menu in their themes to facilitate user customisation. It does not work too well out of the box with WordPress MU, displaying some undesirable behaviour like the menus persisting to appear despite the user having chosen another theme. This version has been modified to work with WordPress MU and has been tested on the r542 nightly.

    Simply replace the existing themetoolkit.php with the one in the archive in all your themes (or use symbolic links if you want).

    [Link]

    Do let me know whether it works for you or not!

  2. andrea_r
    Moderator
    Posted 17 years ago #

    If it also works well with regular WP, you might want to let Ozh know about your mod. :) (that is, if you haven't already)

  3. quenting
    Member
    Posted 17 years ago #

    is it php5 only or does it work with php4? Just asking since I remember you posting some php5-only stuff.

  4. mrball
    Member
    Posted 17 years ago #

    it should work fine for php4... let me know cos I didn't test it on php4

  5. quenting
    Member
    Posted 17 years ago #

    ok i'm experimenting with it on fauna just now, and it seems to be working fine with php4.

    awesome, thanks!

  6. samchng
    Member
    Posted 17 years ago #

    Are there any security issues when you allow your users to have their own admin menu?

  7. mrball
    Member
    Posted 17 years ago #

    sam: yes, though the issues would not be with the theme toolkit itself, it would be how the theme programmer coded it.

  8. quenting
    Member
    Posted 17 years ago #

    many issues yes. a malicious user could hack into the system very easily with his own admin menu. you can even get hacked from custom stylesheets if not careful.

  9. samchng
    Member
    Posted 17 years ago #

    Yes, that's what I was thinking about. Remember reading somewhere that hackers could use it to change lots of things if we let our users change their themes.

    Any work around this problem?

  10. quenting
    Member
    Posted 17 years ago #

    well as far as allowing CSS, this is quite good:
    http://freshmeat.net/projects/safehtml/
    I would never allow custom php from users, under any circumstances.

  11. mrball
    Member
    Posted 17 years ago #

    the issues surrounding theme customisation and security are quite complex. very briefly and generally:

    1. malicious PHP code from users. obviously you shouldn't let your users modify php code. most themes won't let you do this...don't use themes that do!

    2. malicious PHP code from theme authors. use themes from a source you trust!

    3. non-filtering of user input leading to malicious html. this is usually the most common problem with using customisable themes out of the box, mainly because most themes were written without considering security in a multi user environment. this might allow malicious users to do things like putting in javascript and flash, exposing your site to cross site scripting attacks.

    point 3 is the tricky one, but most people with some experience with php should be able to easily modify the themes to close that hole.
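
Point 3 in the post above (unfiltered theme option input), shown as an added example that is not part of the thread and is not code from Theme Toolkit or any theme mentioned here: each option is validated on save against what its field may contain, then escaped again when printed. The option names, the default colour and the sample submission are hypothetical, and the code is plain PHP so it runs without WordPress.

```php
<?php
// Added example. Option names (header_color, tagline, logo_url) are hypothetical.

// Validate each submitted theme option against what that field is allowed to hold.
function clean_theme_options(array $input): array {
    $clean = [];

    // Colour: accept only #rgb or #rrggbb; anything else falls back to a default.
    $color = trim((string)($input['header_color'] ?? ''));
    $clean['header_color'] =
        preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i', $color) ? $color : '#333333';

    // Tagline: plain text only. Tags are dropped here and the value is escaped on output.
    $clean['tagline'] = trim(strip_tags((string)($input['tagline'] ?? '')));

    // Logo URL: must be a well-formed URL with an http or https scheme,
    // which rejects javascript: and data: values.
    $url    = trim((string)($input['logo_url'] ?? ''));
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    $ok     = filter_var($url, FILTER_VALIDATE_URL) !== false
              && in_array($scheme, ['http', 'https'], true);
    $clean['logo_url'] = $ok ? $url : '';

    return $clean;
}

// Escape for HTML text and attribute context at output time,
// even though the values were already validated when saved.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_header(array $opt): string {
    $html = '<div id="header" style="background:' . e($opt['header_color']) . '">';
    if ($opt['logo_url'] !== '') {
        $html .= '<img src="' . e($opt['logo_url']) . '" alt="">';
    }
    return $html . '<p>' . e($opt['tagline']) . '</p></div>';
}

// Constructed sample of what a blog owner might submit through the theme menu.
$submitted = [
    'header_color' => 'red" onmouseover="alert(1)',
    'tagline'      => 'My blog <script>alert(1)</script>',
    'logo_url'     => 'javascript:alert(1)',
];
echo render_header(clean_theme_options($submitted)), "\n";
```

In a WordPress theme the same two steps map onto the core helpers `wp_kses()` for input that may contain limited HTML and `esc_attr()`, `esc_html()` and `esc_url()` for output.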
