Added check to verify that plugin diretories are owned by root

apps/dashboard/config/application.rb

@@ -52,6 +52,8 @@ class Application < Rails::Application
     if plugins_dir.directory?
       plugins_dir.children.select(&:directory?).each do |installed_plugin|
         next unless installed_plugin.readable?
+        # Ignore plugins not installed by admins - plugin directory should be owned by root
+        next if ::Configuration.rails_env_production? && !File.stat(installed_plugin.to_s).uid.zero?
 
         config.paths["config/initializers"] << installed_plugin.join("initializers").to_s
         config.autoload_paths << installed_plugin.join("lib").to_s

apps/dashboard/config/configuration_singleton.rb

@@ -428,6 +428,10 @@ def connect_sources
     sources
   end
 
+  def rails_env_production?
+    rails_env == 'production'
+  end
+
   private
 
   def can_access_core_app?(name)

apps/dashboard/test/config/configuration_singleton_test.rb

@@ -535,4 +535,20 @@ def no_config_env
       assert_equal(30_000, ConfigurationSingleton.new.bc_sessions_poll_delay)
     end
   end
+
+  test "rails_env_production? should return true if production environment" do
+    with_modified_env(RAILS_ENV: 'production') do
+      assert ConfigurationSingleton.new.rails_env_production?
+    end
+  end
+
+  test "rails_env_production? should return false if development or test environment" do
+    with_modified_env(RAILS_ENV: 'development') do
+      refute ConfigurationSingleton.new.rails_env_production?
+    end
+
+    with_modified_env(RAILS_ENV: 'test') do
+      refute ConfigurationSingleton.new.rails_env_production?
+    end
+  end
 end