Hello. I found a security issue: The Gravity Forms 'settings' page is available to non-Super Admins when using Gravity Forms provided add-ons.
Before using add-ons, I could simply disable the settings page based on user role. Unfortunately, the settings pages for add-ons are tied to the same page as the Gravity Forms settings page. This means disabling the settings pages for non-Super Admins also prevents users from setting up add-ons with the appropriate account information for integration.
Another issue is that for the add-ons, the 'Uninstall' option is available at the bottom of the page for non-Super Admins on multisite networks. It's hidden on the main Gravity Forms settings page, but not on the add-on pages as it should be. I believe this is a bug.
Recommended fixes:
1) Separate the main Gravity Forms settings page and add-ons settings pages so the main page can be hidden based on user role without preventing users from setting up the add-ons. For example, make it two pages: 'Settings' and 'Add-On Settings'.
2) Fix the auto-disabling of the 'Uninstall Add On' button on add-on settings pages on multisite networks just as it is disabled on the Gravity Forms settings page for non-Super Admins. Non-Super Admins should NOT be able to uninstall add-ons just like they aren't able to uninstall Gravity Forms.
I've tested on both local and live sites and tried to be as clear as possible. Let me know if I've missed anything or there are any questions.