Your cart is currently empty!
Anyone Can Acess Protected Pages
—
by
Hello,
I’m not sure if anyone is having this issue, but any one can access pages protected by Groups without logging in. I can get to them in Incognito mode.
I reported an issue with Groups File Access a couple of months ago that I traced to the get ID function allowing anonymous downloads, but this is way more serious.
It worked fine back in the Fall. The only things that have changed is WordPress 5.9 came out and Groups 2.0 came out.
Posted in Groups
Comments
12 responses to “Anyone Can Acess Protected Pages”
Hi,
It seems that your database is corrupted. We have done the following test with a new group and this works fine:
1. Created the Basic group.
2. Protected a new page “Test” protected by the Basic group.
3. Protected a new file “changelog.txt” protected by the Basic group.
Both the new page and file are properly protected when trying to access it without authorization. As to what happened to your previous pages and files, it is likely that a database corruption was caused by undue modifications. We could also see a substantial amount of database errors caused improper statements in the site’s debug.log (which has been renamed to debug.log.1 – you will find a new debug.log with additional errors which are likely due to the inconsistencies introduced earlier).
As this is not an issue caused by Groups not Groups File Access, our recommendation would be to first revert to the last working backup before those issues turned up, and then update all relevant components of the setup.
Cheers
Thank you, Kento.
Before December, all plugins were stock and unmodified. When I first noticed this problem, I made a minor change to the Files Plugin that I thought was the issue.
I will review the logs, but I have traced the root issue to _groups_user_group & _groups_file_access
If either of those tables have entries where user_id = 0, then it will allow access to users who are not logged in. Now, the question is: how did entries get created where user_id = 0?
Hi Rodd,
What I would recommend is to remove those entries that relate to zero user_ids, for your deployment they don’t make sense and shouldn’t be there. I can’t really say what might have caused those, as I don’t know about the modifications that you had in place then.
Cheers
Thanks. I removed them yesterday. Everything was stock until I first noticed this issue.
I have reverted the changes, so I am running the stock plugins. I have made a note to check those tables monthly and delete the 0 id entries.
On your end, it may be worth considering adding a if (!empty($user_id)) to the inserts on those tables.
Perfect! Thanks for the suggestion Rodd, I’ll take note to review the implications of it.
Hi Rodd,
This function has nothing to do with group-user authentication, as the class name indicates it is a utility function and besides that, a user with id 0 doesn’t exist in a WP installation, the first one usually gets the ID 1 and the value auto-increments upon each new registration.
Your issue especially since it occurs even on a browser in incognito mode is most probably related to caching or something else is wrong with the installation that keeps showing a user as logged-in even when not authenticated.
Kind regards,
George
Hi George,
There are 2 plugins issues:
1) **Groups** allows anyone to see protected pages, especially when not logged in
2) **Groups File Access** allows anonymous downloads
The Class/Function that I mentioned is for Issue 2, but I would like to focus on Issue 1.
I have spawned up a test server and all that is running is the latest Wamp, WordPress 5.9 (restored from a backup), and Groups. All other plugins have been deactivated.
When I go to my Member Only area, in a Browser with Private mode enabled, I can still get to the Private pages without logging in.
If you or Kento would like access to the test server, please let me know and I can send the info.
As mentioned, when I setup the plugin last year, you had to be signed in to view the protected pages, so something has changed in the last year to break the plugin.
Hi Rodd,
Based on what you have described it seems to me that your issue might indeed be related to caching as George has already suggested. But it seems that you have also modified the code of the plugins themselves.
There is no replicable issue in Groups nor Groups File Access that matches what you describe, so I would suggest to make certain that you use clean copies of both plugins.
If you want us to have a look at the test site you mention, we will need to make sure that both plugins are unmodified and in their latest versions. You can forward access to support at itthinx dot com – if you need any data on that test site or want to be able to recover it in its current state, please make sure to make a full backup of the site and database, as we will require both Groups and Groups File Access on the site to be replaced with the latest versions. We will likely also need to switch to a default theme to make sure that no customized functions are interfering.
Cheers
Thank you. I will send the info.
It’s a fresh install of Wamp & WordPress. The plugins are the stock ones.
Hi Rodd, thanks but it seems that we had trouble reaching the server. Can you please make sure that it is reachable so we can have a look?
Hi George,
For Groups File Access, I sent the info to your personal email on December 15.
Class: Groups_Utility
public static function id ($id)
if ($id >=0) allows for anonymous, even has a comment in the code
When changing to if ($id > 0), it worked as expected where only authorized users could download.
When version 2 of the plugin came out last month, same issue occurred, so I tried fixing the function again, but it didn’t work. Then I noticed that all my pages that were protected by Groups were visible to anyone, even when not signed in.
For Groups, this appears to have happened after version 2 came out. Pick any web browser and go into private browsing mode. When navigating the site, any page that is supposed to be protected is visible. I have sent screenshots to your personal email.
Hi Rodd,
Sorry to hear that you have an issue with Groups but this is the first report we got related to restrictions.
Can you please provide steps to reproduce your case and especially the incognito mode you mentioned? Also, which function did you locate that allows anonymous downloads, what is the Class_name::method_name or function name?
Kind regards,
George