‘user_can_read’ returns true

Hi,

I am currently relying on

Groups_Post_Access::user_can_read_post($post_id, $user_id);

This returns true even if a user has no access to a post that is in a restricted category.

I also tried

Groups_Restrict_Categories::user_can_read($post_id, $user_id);

This behaves even more strangely: if I check, while the current user is admin (user ID 1), for the anonymous user (user ID 0), the result is FALSE (correct).


# Current user is Admin (User ID 1)
wp> Groups_Restrict_Categories::user_can_read(269, 0);
=> bool(false)
# => CORRECT!

If I run the function as an anonymous user, it returns TRUE (incorrect).

# Current user is anonymous (User ID 0)
wp> Groups_Restrict_Categories::user_can_read(269, 0);
=> bool(true)
# => INCORRECT!

I investigated a little bit and I think this is because the get_terms() function is filtered and returns no terms if the current user has no access to these terms.

Please help me to find a way to check if a user has access to a post. Thanks.

Update:

In the class Groups_Restrict_Categories, the method user_can_read returns an empty array for the post’s terms if the current user has no access to the terms. So it makes no sense to check for these categories.
It could be fixed by temporarily removing the filter list_terms_exclusions before get_the_terms.

I fixed it myself by filtering “Groups_Post_Access::user_can_read_post”.
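
The workaround described in the update above, as an added example that is not part of the original post or of the Groups plugins. It assumes that user_can_read reads the post's terms through get_the_terms as the post describes, that the hook name groups_post_access_user_can_read_post matches your installed Groups version, and example_user_can_read_unfiltered is a hypothetical helper name.

```php
<?php
// Added example, not code from Groups or Groups Restrict Categories.

/**
 * Check $user_id against the post's real terms by switching off the
 * current user's term-exclusion filter for the duration of the check.
 * Fails closed: an unknown post is reported as not readable.
 */
function example_user_can_read_unfiltered( $post_id, $user_id ) {
	global $wp_filter;

	$hook = 'list_terms_exclusions';
	$type = get_post_type( $post_id );
	if ( ! $type ) {
		return false;
	}
	$saved = isset( $wp_filter[ $hook ] ) ? $wp_filter[ $hook ] : null;

	// Drop term lists cached under the current user's filtered view.
	clean_object_term_cache( $post_id, $type );
	// Detaches ALL callbacks on this hook, not only the plugin's.
	unset( $wp_filter[ $hook ] );
	try {
		return (bool) Groups_Restrict_Categories::user_can_read( $post_id, $user_id );
	} finally {
		if ( null !== $saved ) {
			$wp_filter[ $hook ] = $saved;
		}
		// Do not leave the unfiltered term list cached for later rendering.
		clean_object_term_cache( $post_id, $type );
	}
}

// Assumption: this hook name and its three arguments exist in your Groups version.
add_filter(
	'groups_post_access_user_can_read_post',
	function ( $result, $post_id, $user_id ) {
		// Only ever narrow access: both checks must agree before access is granted.
		return $result && example_user_can_read_unfiltered( $post_id, $user_id );
	},
	10,
	3
);
```

Running the two wp shell sessions from the post, once with --user-id=1 and once without, should then give the same result for user 0 in both contexts.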


Comments

3 responses to “‘user_can_read’ returns true”

  1. George

    Hi Sebastian,

    There is a new update on Groups, please have a look at Groups 2.2 and repeat your tests.

    Cheers,
    George

  2. Sebastian

    I guess it is the latest version as there are no updates pending. (Groups v2.1.2 / Groups Restrict Categories v2.0.1)

    I think you should really review Groups_Restrict_Categories::user_can_read because it will provide access to a post when a user is not authorized to view that category.

    You have to remove the filter list_terms_exclusions before get_terms as you removed this filter in the method get_user_restricted_term_ids in the class Groups_Restrict_Categories.

    The bug may not be easy to find but you can easily check it via wp-cli:


    $ wp shell --user-id=1
    wp> Groups_Restrict_Categories::user_can_read($restricted_post_id_via_category, 0);
    => bool(false)
    # => CORRECT!


    $ wp shell
    wp> Groups_Restrict_Categories::user_can_read($restricted_post_id_via_category, 0);
    => bool(true)
    # => INCORRECT!

    best regards

    Sebastian Becker

  3. George

    Hi Sebastian,

    I’m glad you found a fix for your issue.
    Although I didn’t get the same results during my tests, which versions of the plugin do you use?

    Kind regards,
    George
