Read permissions not applying in taxonomy archive

The taxonomy archive pages are showing posts that should not appear because of permissions.
Is it necessary to do anything so that the default query on archive pages filters by read access?


Comments

8 responses to “Read permissions not applying in taxonomy archive”

  1. José Carlos Casamitjana Vidal

    Hi Eugen,
    thanks for your feedback.
    I have been looking at the plugin code and I think I have found a .. bug? Well, let me show what I have found, and what I suggest to fix it.
    File: groups\lib\access\class-groups-post-access.php,
    from line 242 you have an if-else block, but in case we are on a taxonomy archive we have an empty value (string "") in $post_types, because $query->get( 'post_type', null ) returns the empty string "" on taxonomy pages.

    So I think we must write this new 'else if' block, this way:

        } else if ( $query->is_page ) {
            $filter = self::handles_post_type( 'page' );
        // my fix:
        } else if ( $query->is_tax ) {
            $filter = self::handles_post_type( get_taxonomy( get_query_var( 'taxonomy' ) )->object_type[0] );
        // end of my fix
        } else {
            $filter = self::handles_post_type( 'post' );
        }

    This snippet gets the current custom post type associated with the current custom taxonomy, since we are in its archive.

    Another way would be making use of
    add_filter( 'groups_post_access_posts_where_query_get_post_types' … )
    but I think the first method is the right one of course.

    Please, let me know what you think.
    Thanks!

    1. José Carlos Casamitjana Vidal

      Well,
      since I haven’t got any response and in my opinion my fix is working fine, I assume you agree to fix it this way. Anyway thank you!

      1. Hi José,

        I’m just following up today as Eugen couldn’t get back to you earlier.

        You should enable access restrictions for the standard “Post” post type (as described in the documentation here), as that will result in your setup applying the restrictions also for your custom post type in the scenario that you have outlined.

        I would certainly advise against maintaining your modified version of the Groups plugin as that would require you to apply the patch on the next release.

        In any case, your suggestion is welcome and I will have a closer look. We will issue an appropriate update once we’ve analyzed and tested a possible improvement.

        Cheers

        1. The approach taken can be seen here.
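The filter-based alternative mentioned in the first response, as an added example that is not code from the thread or from the Groups plugin. The callback name is hypothetical, and the argument order ( $post_types, $where, $query ) is an assumption about how the plugin invokes the filter. It goes beyond the one-post-type case in the thread by collecting every post type registered for the queried taxonomies and by handling an unregistered taxonomy.

```php
<?php
/**
 * Added example, not Groups plugin code. On a custom taxonomy archive the
 * main query has an empty 'post_type', so the access filter cannot tell
 * which post types are involved. Supply them from the queried taxonomies.
 *
 * Assumption: the filter passes ( $post_types, $where, $query ).
 */
function example_groups_tax_archive_post_types( $post_types, $where = '', $query = null ) {
    // Leave explicit post types and non-taxonomy queries untouched.
    if ( ! empty( $post_types ) || ! ( $query instanceof WP_Query ) || ! $query->is_tax() ) {
        return $post_types;
    }

    // Taxonomies that this query actually filters on.
    if ( empty( $query->tax_query->queried_terms ) ) {
        return $post_types;
    }

    $resolved = array();
    foreach ( array_keys( $query->tax_query->queried_terms ) as $taxonomy_name ) {
        $taxonomy = get_taxonomy( $taxonomy_name );
        // get_taxonomy() returns false for an unregistered taxonomy.
        if ( false !== $taxonomy ) {
            // A taxonomy can be attached to several post types; keep all of them.
            $resolved = array_merge( $resolved, (array) $taxonomy->object_type );
        }
    }

    // If nothing could be resolved, do not change the plugin's default behaviour.
    return empty( $resolved ) ? $post_types : array_values( array_unique( $resolved ) );
}
add_filter(
    'groups_post_access_posts_where_query_get_post_types',
    'example_groups_tax_archive_post_types',
    10,
    3
);
```

Placed in a must-use plugin or functions.php, this survives plugin updates, unlike a patched copy of class-groups-post-access.php. To confirm it works, log posts_request on the taxonomy archive as described in the thread and check that the groups-read clause now appears in the SQL.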

  2. Eugen Bleck

    Hi José,

    I trust you are doing great today.

    Thanks for explaining further. We would love to take a closer look at this for you. But in order to do this, please could you create an online clone of the site? That would be really helpful.

    In the meantime, if you could also enable debug.log and share the file with us that would be great!

    I look forward to helping you on this topic.

    Kindest regards,
    Eugen.

  3. José Carlos Casamitjana Vidal

    Thanks for your reply.
    By the way, i have Groups Restrict Categories plugin, thanks for your advice.

    The fact is that I can’t give you a link, it’s an intranet.
    Let me add a few more details. I’m logging queries: add_filter( 'posts_request', 'myfunction_that_logs', 500 );
    In a certain part of custom code in functions.php I do a get_posts() (I have to set suppress_filters = false) and in the query log I can see the groups-read taking effect:
    ... AND wp_posts.ID NOT IN ( SELECT ID FROM wp_posts WHERE post_type IN ('nav_menu_item','articulo') AND ID IN ( SELECT post_id FROM wp_postmeta pm WHERE pm.meta_key = 'groups-read' AND pm.meta_value NOT IN ('2') AND post_id NOT IN ( SELECT post_id FROM wp_postmeta pm WHERE pm.meta_key = 'groups-read' AND pm.meta_value IN ('2') ) ) )
    ‘articulo’ is a cpt.
    But if I go in the browser to ‘categoria_articulo/{myterm}’ (‘categoria_articulo’ is my custom tax.) the SQL logged that I see does not contain any clause like the above. It is not filtering with WHERE pm.meta_key = 'groups-read' or whatever.

    I have even tried the following in functions.php:

        function elearning_customize_customtaxonomy_archive_display( $query ) {
            if ( is_admin() || ! ( $query->is_main_query() && is_tax() ) ) return;
            $query->set( 'suppress_filters', false );
            return $query;
        }
        add_action( 'pre_get_posts', 'customize_customtaxonomy_archive_display' );

    But it has no effect. And of course, it displays ‘articulo’ posts that should not.

    Hope i have explained it well.

    1. José Carlos Casamitjana Vidal

      Just to say that there is a typo (only while writing here, not in actual code) in my last reply:
      function elearning_customize_customtaxonomy_archive_display
      should say ‘function customize_customtaxonomy_archive_display’
      The code is executing indeed before showing taxonomy page.
      Thanks

  4. Eugen Bleck

    Hi

    How are you doing today? I trust you are safe and doing great!

    Thanks for reaching out. To best help you, please could you provide a link to any one of the restricted posts/taxonomies or an example of the instance?

    Quick info: Groups Restrict Categories plugin helps you restrict access to whole taxonomies (tags, categories) and their related posts.

    While waiting for an example post/taxonomy URL or an instance of this issue, I look forward to helping you resolve this issue and I wish you a fun and productive day ahead.

    STAY SAFE!

    Kindest regards,
    Eugen.
