[Resolved] Access\Security Issue again when using AJAX

This support ticket was created 7 years, 8 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

This topic contains 13 replies, has 2 voices.

Last updated by Nigel 7 years, 7 months ago.

Assisted by: Nigel.

#428288

After updating to latest versions today a problem fixed last week by Mohammed is back:

https://toolset.com/forums/topic/ajax-security-filtering-issue/

The select fields are working as expected. However, when I perform an AJAX search on a CPT with guest access disabled, records are being returned - Access is not restricting access to posts as it should be.

Guests are not allowed access to the CPT Locations. On the page linked to below, no records are returned when the page is loaded (which is correct). However, click the search button and a 'Location' record is returned that you do not have permission to view:

hidden link

#428496

Nigel
Supporter

Languages: English (English) Spanish (Español)

Timezone: Europe/London (GMT+01:00)

Hi Tristian

I visited your site and observed the problem. I set up a local test installation with the latest Toolset updates and was able to recreate it, so I don't need to get a copy of your site from you.

I'm just checking with colleagues but I expect to escalate this as a bug for further testing by the developers and will update you soon.

#428526

Nigel
Supporter

I have now escalated this and will update you when I have anything to report.

Thanks for your patience.

#428575

Thanks Nigel. Not actually sure how using AJAX can make posts accessible that should be restricted by Access...

Hopefully it can be patched quickly.

#431827

Nigel
Supporter

Hi Tristian

The issue has been identified and a fix created, which you can read about on the errata page here:

https://toolset.com/errata/ajax-custom-search-wordpress-archives-always-return-results-regardless-access-permissions/

Thanks for your patience.

#432463

Hi...

This fix has not resolved anything. This is what I did:

- Deleted the original helper.php file and uploaded the new helper.php file to the location specified in the errata page

- Manually ensured all caches (WPEngine) were cleared

- Ensured guest access was restricted to my CPT using Access

- Visited my CPT Archive page which shows no records found as expected

- Clicked Search button with AJAX enabled and all records are returned

- Cleared cache and tested on multiple computers\browsers and same problem occurs

- Errata does not appear to have changed anything - AJAX search is still bypassing Access controls

Thanks

#432588

Nigel
Supporter

Hi Tristian

Sorry about that.

Could I check for myself that the patch has been successfully applied?

I will mark your next reply as private so that I can get log-in credentials from you—you may want to create a temporary admin user for me to use that you can later delete. And be sure to have a current backup of your site, even though I don't intend to make any changes other than possibly to temporarily add a backup plugin to take a snapshot of the site.

Please be sure to include the FTP credentials.

#432693

Nigel
Supporter

Hi Tristian

I'm having problems with the FTP credentials you gave me: the server timed out without connecting, and I tried repeatedly.

So I logged in to the back end of your site and tried to take a snapshot of the site for local testing, but neither of the two backup plugins I habitually use was able to work (Duplicator and All-in-One WP Migration).

Could you please check the FTP and update me?

#432724

Nigel
Supporter

Hi Tristian

Thanks, I was missing the port number.

All that achieved, though, was that I could confirm you have the patch applied, and that it doesn't appear to be working.

I really need to get a backup of your site to test locally, so I will persevere and try another backup plugin, and I'll let you know how I get on...

#432726

I really don't like adding countless plugins that all seem to leave stale records in the DB once removed - I believe Mohammed has successfully managed to download a copy of my site for a previous issue?

Although I have a backup I don't want to use it as I am making lots of small changes at present that I don't want to redo unless I need to...

#433077

Nigel
Supporter

Hi Tristian

I ran some more tests and found that the problem is resolved by the patch if using a WordPress archive directly for the location CPT archive, but it persists when—as you are doing—Layouts is used for the archive.

I passed this back to our developers for further research and will keep you posted.

Thanks for your patience.

#433081

OK, thanks...

I don't understand how this could be happening as it seems to defy access permissions that I presumed would be applied centrally within WordPress as part of WP Query (my knowledge is not great in this area).

It has never felt right that AJAX usage can bypass access permissions, and it makes me feel vulnerable about other ways access permissions defined through Access may not be applied.

#437961

Nigel
Supporter

Hi Tristian

Sorry for the delay in updating you. I can report back the findings of the developers.

Access by design works with single posts and pages; controlling Views and archives was not covered by Access. It was agreed, however, that controlling archives—including when viewed via AJAX—should be covered, and this has been added to an upcoming bug-release minor update which will be released as soon as testing has been finalised.

That should fix your issue. If you have any continuing problems when you update then please let me know here. (I don't know exactly when the update will be released, but you will see an update notification on your plugins page.)
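
As an added illustration of the point in the reply above (example code, not Toolset or Access code): a per-post restriction does not automatically cover archive or AJAX query paths, so a defender who wants one rule applied everywhere hooks it at the WP_Query layer, where it runs whether the query comes from the archive page render or from an admin-ajax.php request. The post type slug `location` and the capability `read_private_locations` are assumptions.

```php
<?php
/**
 * Constructed example: enforce a read restriction for the 'location' CPT at the
 * WP_Query layer so every query path is covered, including AJAX searches.
 * Assumed names: post type slug 'location', capability 'read_private_locations'.
 */
add_action( 'pre_get_posts', function ( WP_Query $query ) {
	// pre_get_posts fires for every WP_Query instance (not only the main query),
	// so a query built while serving an admin-ajax.php request is caught too.
	$types = (array) $query->get( 'post_type' );
	if ( ! in_array( 'location', $types, true ) ) {
		return;
	}

	// Users holding the capability see the records; everyone else (guests) does not.
	if ( current_user_can( 'read_private_locations' ) ) {
		return;
	}

	// Force an empty result set instead of relying on the template to hide rows.
	$query->set( 'post__in', array( 0 ) );

	// Log which path was denied so an AJAX-vs-page-render discrepancy is visible.
	error_log( sprintf(
		'location query denied for unauthorised user (ajax=%s)',
		wp_doing_ajax() ? 'yes' : 'no'
	) );
} );
```

Placing this in a must-use plugin keeps the check active regardless of which theme or page-builder layout renders the archive.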

#440811

Nigel
Supporter

Hi Tristian

Last night we rolled out minor-version updates of several plugins of the Toolset suite, which should have fixed this problem (as described in my last update).

Be sure to have a current backup available and then apply all of the Toolset updates, and then re-test.

If you still see the problem then please let me know so I can investigate.

This ticket is now closed.