Add a warning to WordPress Access Control if max_input_vars is too low
I haven't trusted the WordPress Access Control page since I saved a change and all hell broke loose with permissions. I think this was because max_input_vars was too low in our PHP settings. This had the effect of assigning spectacular access to roles that shouldn't have had it.
We have 23 roles and 95 permissions, so there are in theory at least 2185 variables on the page. The default for max_input_vars is 1000. I'm not sure whether empty checkboxes are submitted as variables, though.
Is this worth warning people about? It's a security risk if you don't notice.
I've written a quick check for it. Does this seem sensible? I can submit a PR, but just wanted to run it past people here.
//check that we aren't above max_input_vars
$maxInputVars = ini_get('max_input_vars');
$varsOnThisPage = count($permissionsArray) * count($wp_roles->role_names);
if ($varsOnThisPage > $maxInputVars) {
CRM_Core_Session::setStatus("Submitting this page may have unexpected consequences for role permissions. " .
"You should increase the max_input_vars parameter in your PHP settings. " .
"There are $varsOnThisPage options on this page, but your max_input_parameter is $maxInputVars.", 'Warning', 'alert');
}
(I know this particular page is in Core rather than this plugin, but the WP repo seemed like a sensible place to ask)