Shared FileMaker Server Hosting and Plugin Security
Why? Because a plugin can do anything. The Send Event script step, which runs command line tools, causes the same trouble. If two people develop on one server, each can write scripts that cause trouble for the other: simple things such as deleting or moving files, or more dangerous ones such as importing one database into a container field of another database. Yes, that's possible! Neither the command line nor a plugin is aware of the permissions and security settings you defined in FileMaker.
If you install a plugin on a server, people can use all the commands in the plugin, e.g. FTP all databases to an FTP server, copy all the files in unencrypted external containers, or even damage the server installation.
The problem is not new; it has existed since FileMaker first shipped a server with command line and plugin access. But after getting you worried, we want to show you a possible solution:
For the MBS Plugin we want to provide more control. You can already use the Plugin.SetFunctions function, which limits the available commands. So if the people on your server only use the MBS Plugin to email newsletters, you can allow only the email commands and disable all others. You do this by passing a list of allowed function names to Plugin.SetFunctions, normally in the script that registers the plugin when the server starts. Once the plugin has removed a function from its internal dispatch list, it can no longer be called; this is reset only when the server restarts.
With version 5.4 we add more commands. Plugin.LockFunction lets you disable a function and later unlock it in the script that needs it, so you can limit the availability of a function to the time a script runs. Plugin.LimitFunction, on the other hand, restricts execution of a function to a list of allowed user accounts, privilege sets and script names. For example, you could allow only a backup script to use the Files.Delete function by defining that only accountName = "Admin" and ScriptName = "Maintenance.fmp12:NightlyBackupFTP" may delete files. You can store those limitations in a table and apply them to the plugin functions on server startup. Once a function is limited, there is no way to remove the limit unless you restart the server.
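As an added example (not code from this post or from the MBS documentation), here is a server startup script that applies limits stored in a table and only then trims the plugin to an allowlist. The table name and its fields, the SendMail function names, and the parameter order of Plugin.LimitFunction are assumptions to check against the MBS function reference.

```filemaker
# Startup script on the host (e.g. run on server startup after MBS is registered).
# Assumed table "PluginLimits" with text fields FunctionName, AccountNames,
# PrivilegeSets, ScriptNames (each a return-separated list). Example row, from the post:
#   Files.Delete | Admin | (empty) | Maintenance.fmp12:NightlyBackupFTP
# Assumed parameter order (verify in the MBS reference):
#   MBS( "Plugin.LimitFunction"; FunctionName; AccountNames; PrivilegeSets; ScriptNames )

# Step 1: apply every limit while Plugin.LimitFunction is still callable.
Go to Layout [ "PluginLimits" ]
Show All Records
Go to Record/Request/Page [ First ]
Loop
    Set Variable [ $r ; Value: MBS( "Plugin.LimitFunction" ;
        PluginLimits::FunctionName ; PluginLimits::AccountNames ;
        PluginLimits::PrivilegeSets ; PluginLimits::ScriptNames ) ]
    If [ MBS( "IsError" ) ]
        # A limit that fails to apply leaves e.g. Files.Delete open to every script:
        # stop here so the failure is visible in the server log instead of being ignored.
        Exit Script [ Text Result: "Limit failed for " & PluginLimits::FunctionName & ": " & $r ]
    End If
    Go to Record/Request/Page [ Next ; Exit after last: On ]
End Loop

# Step 2: last, remove every function not on the allowlist from the dispatch list.
# Limited functions stay listed (their limits still apply); Plugin.LockFunction stays
# so scripts can lock/unlock during their run; Plugin.LimitFunction and
# Plugin.SetFunctions are deliberately left out, so nobody can add or change limits
# before the next restart. The SendMail names are illustrative.
Set Variable [ $allowed ; Value: List (
    "Plugin.LockFunction" ;
    "Files.Delete" ;
    "SendMail.CreateEmail" ; "SendMail.SetFrom" ; "SendMail.AddTo" ;
    "SendMail.SetSubject" ; "SendMail.SetPlainText" ) ]
Set Variable [ $r ; Value: MBS( "Plugin.SetFunctions" ; $allowed ) ]
If [ MBS( "IsError" ) ]
    Exit Script [ Text Result: "SetFunctions failed: " & $r ]
End If

# Step 3: self-check. A function outside the allowlist must now fail; if it does not,
# the trim did not take effect and the server should not stay up in this state.
Set Variable [ $probe ; Value: MBS( "Files.FileExists" ; "/" ) ]
If [ not MBS( "IsError" ) ]
    Exit Script [ Text Result: "Allowlist not enforced: Files.FileExists still callable" ]
End If
Exit Script [ Text Result: "OK" ]
```

Because Plugin.SetFunctions cannot be undone until restart, keep the order shown: limits first, allowlist last, then a probe call to confirm the trim took effect.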
We do hope people are aware of the potential issues. Please make sure you share your server only with others you trust and who treat it with respect. Our plugin functions may help to make abuse more difficult.