[Resolved] Administrator only pages still viewable by guests
This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.
This topic contains 26 replies, has 2 voices.
Last updated by Nigel 5 years, 5 months ago.
Assisted by: Nigel.
I am trying to: Set a few pages that will only be accessed by administrators. I have done this using a custom post group labeled: 'XXXXXX Admin Only'. I add the two pages to the custom post group, and then deselect all other access roles except Administrators. I save, but the pages are still accessible when not logged into the site (tested in Chrome Incognito). Even when I try the Preview option for those without access, it still shows as accessible.
Link to a page where the issue can be seen: hidden link & hidden link
I expected to see: 404 page when not logged in. The actual page content when logged in as an administrator.
Instead, I got: The page was accessible when not logged in.
Languages: English (English ) Spanish (Español )
Timezone: Europe/London (GMT+00:00)
Hi Mark
I tested this locally and didn't find any problems.
On your site I could see the issue. I published a new page ("Hidden") just containing a little text, and set up a new post control group to make this only visible to admins, but guests can see it.
Is this site live? Or do you have a staging site?
Before going any further, can you please update your plugins (including Access) to current versions, and check again.
If the issue persists, disable all non-Toolset plugins and also switch theme to twentyseventeen. It looks like something may be conflicting with Access, and it should be possible to determine what by a process of elimination.
Let me know what you find.
Hey Nigel,
Yes, this is a live site.
I tested on our staging environment (albeit, a bit outdated since launch a few weeks back) and it works just fine. It doesn't work here though. Plugins almost completely match between the two, but, I deactivated those that were not the same, and it still remained the case whereby administrator only pages were still being shown. I haven't done a complete run through yet, but will. Theme is the same for both, although the live one has a few more custom functions in it for CRED forms.
One difference that stands out is that the live site is https while the staging site is http.
I'll update after I have gone through a bit more fine-toothed, but in the meantime, let me know if anything else stands out as a possibility.
Thanks,
Mark
Hi Mark
I set up a secure site with https:// and it didn't make any difference.
Let me know if you find anything.
If you can't, I will need a copy of the live site where you see the problem, which I can install locally to see if I still see it there.
(If you make a copy, be sure to exclude the uploads directory to keep the file size down.)
Hey Nigel, been out of commission, so apologize for the late reply.
I am in the midst of validating this on another webhost, although our outdated staging site doesn't appear to exhibit the issue. Main difference between them is the webhost.
I'll update here shortly.
-Mark
Migrated the Live site over to Staging server, and the same issue is occurring there. I then proceeded to do the following:
- Switch Theme to TwentySeventeen
- Disable every Plugin except for the toolset plugins.
Issue still occurs, I can access the page that is set only for Administrators as a guest user (not logged in).
Working on getting you a copy of the site here. Do I need to use duplicator (it keeps failing to build)?
-Mark
Alternatively, I can give you complete access to this on the staging server to work through, if that is fine?
-Mark
Hi Mark
I'm currently trying to take a copy of your site with All in One WP Migration instead of Duplicator, it tends to have less problems, so I'll be able to check out both problems while testing locally.
I'll get back to you once I have it installed locally and can test.
I'm going to escalate this so my colleagues can investigate further, because everything appears to be set up correctly but it is not working. I'll prepare a slimmed down version of the site for them to install then escalate.
Thank you Nigel!
Hi Mark
My colleague reports that somehow the database content for the post group settings seems corrupted.
It is not clear how it happened, but he suggested deleting the current post groups and making new ones.
An effort, but I tested it and it worked on my local copy of your site.
(It is not enough to add new post groups—as I had when testing—you need to delete the current ones.)
Can you try the same and report back to me?
Hey Nigel,
Sure thing -- just to confirm, delete all the current 'Post Groups' (I had three listed, Members, xxxxx Admins Only, and Toolset Testing), and then recreate?
Cheers,
Mark
Yes, that's right.
Hey Nigel,
I did exactly as prescribed, deleted all three post groups, and then recreated the two of them. This did not resolve this. I did this in production, but then decided to do this all on the dev/staging environment so as not to have unforeseen circumstances occur.
- Recreated Members, noticed that when I did this, some of the previous settings of Members were shown by default. Specifically that I had a redirect to a custom page set for 'Guests'. I set everything back the way it was, added the same pages/posts, and set the same access rules for roles. This worked as it was before.
- Then recreated XXXXX Admins Only. Added the same pages, set same access rules for roles. Unfortunately guests can still see the pages, so this is still not working.
I then went to my dev/staging site, and continued testing.
- Recreated XXXXX Admins Only, but labelled it The Admins. Set it up with the same pages, same access rules for roles. This did not work.
- Recreated Members, but labelled it Members Only Area. This time, none of the previous settings of Members were shown by default. Set everything up. This section worked fine.
So I began to experiment a bit here, and removing/adding pages/posts to see if the issue was with specific pages. That didn't help. Okay, next up was new tests, and testing after each step.
- Made new post group, Hidden. Added a page to it. Saved, tested viewable to guests.
- I then unchecked Guests. Saved. Page is no longer viewable to guests.
- I then updated the read global view for those not allowed by the post group from the edit/pen icon at the top of the post group section. Chose 404. Saved. Page is viewable to guests again... Hmm
- Then changed Read - 404 to Read - Layout Template, and picked the template that I have which redirects to the login screen. Saved. Page is not viewable, is now redirecting to the login screen.
There is a bug here for some reason, and it appears to be associated with selecting '404' as an option. If I don't select it, Access Control appears to function normally. I went and applied this in production, and this resolved the issue, although it is not the preferred solution as I'd prefer the 404 to work.
Perhaps this is something that could be dug into a bit further, to identify where the issue is?
Thanks as always Nigel,
Mark
Hi Mark
I did some more testing on my copy of your site, which I was able to reproduce on a local test site (with updated plugins, yours are not up-to-date, but it doesn't matter for this bug).
I've reported the findings now that I'm able to consistently reproduce it.
Note that there only appear to be problems with the 404 when you create a new Post Control Group, assign a template to display to guests, then change your mind and try to revert back to displaying a 404.
If you create a new group and accept the default 404 at the outset and don't otherwise change it, it should work. (I didn't test with multiple groups, where *one* of the groups may have been edited to use a template at some point.)
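A guest-side check for the behaviour discussed in this thread, added here as an example and not part of the original posts or of Toolset: it requests each restricted page with no cookies and reports whether the protected content came back. The staging.example URLs, the canary-7f3a marker text and the sample responses are constructed; put your own marker string in each restricted page's content.

```python
import urllib.error
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report the 3xx itself instead of following it

def classify(status, body, marker, location=""):
    """Classify what a logged-out visitor received for a restricted page."""
    if marker in body:
        return "EXPOSED"            # protected content was served to a guest
    if status == 404:
        return "404"                # the outcome the post group was set to give
    if 300 <= status < 400:
        return "redirect:" + location
    if 200 <= status < 300:
        return "substitute-page"    # e.g. a login template rendered instead
    return "other:%d" % status

def fetch_as_guest(url, timeout=10):
    """Request url with no cookies or credentials; return (status, body, location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), ""
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all arrive here
        body = err.read().decode("utf-8", "replace")
        return err.code, body, err.headers.get("Location", "")

def audit(pages, fetch=fetch_as_guest):
    """pages maps URL -> marker text expected only in the protected content."""
    results = {}
    for url, marker in pages.items():
        status, body, location = fetch(url)
        results[url] = classify(status, body, marker, location)
    return results

# Constructed responses standing in for the three behaviours seen in the thread.
SAMPLE = {
    "https://staging.example/hidden/": (200, "<p>canary-7f3a admin notes</p>", ""),
    "https://staging.example/members/": (302, "", "https://staging.example/wp-login.php"),
    "https://staging.example/the-admins/": (404, "<h1>Not found</h1>", ""),
}

def audit_sample():
    pages = {url: "canary-7f3a" for url in SAMPLE}
    return audit(pages, fetch=lambda url: SAMPLE[url])

if __name__ == "__main__":
    for url, verdict in audit_sample().items():
        print(verdict, url)
```

Run it after every change to a post group's Read setting, since the thread shows that the saved setting and the response a guest receives can disagree.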