
[Resolved] AJAX Security & Filtering Issue

This support ticket was created 7 years, 8 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 8 replies, has 2 voices.

Last updated by Tristian 7 years, 8 months ago.

Assisted by: Mohammed.

#425815

When using AJAX to filter/update view results, all records for the Custom Post Type are being returned regardless of permissions or filtering.

If I stop using AJAX and use a full page reload for results, then things work as expected (AJAX is required, however!).

Regardless of security (Access plugin), a guest disabled from accessing posts for a given CPT can return a list of all posts by simply clicking the search button. Here is an example:

'Locations' are a CPT with permissions defined by access to restrict guest access. I have 1 'Select' field that is filtering based on status. Clicking the link below shows no results but clicking 'Search' shows all 4 records even though you do not have permission (defined through Access) and the results are not updated based on the filter:

hidden link

This URL above allows testing of both the security and select field issue - guest user should not have access to these records, and even if they did the Select filter should restrict access to some records. In all cases all records are returned.

I initially believed it may be a WPEngine Caching issue (my host) and discussed it thoroughly with them. It does not appear to be because:

- Issue exists on Live Site
- Issue exists on Staging site (no caching)
- Issue exists when logged in (no caching)
- Issue exists with pages excluded from caching
- AJAX calls bypass their caching
- They say AJAX should work with no issues
- Issue is resolved if I remove AJAX
- Have tried manually purging all caches with WPEngine

I previously logged this issue here:

https://toolset.com/forums/topic/parametric-search-not-working-for-select-fields-other-fields-working-ok/

This patch did not help:

https://toolset.com/errata/views-ajax-pagination-fails-form-results-rendered-separatedly/

Also tried:

- disabling all other plugins (only Advanced Custom Fields other than Toolset plugins)
- tried with just Types/Views plugins enabled
- I am using Toolset Starter Child Theme
- same problem with any theme including 2016
- searched extensively through support forum including other WPEngine posts. I can see some people have issue with 'Select' fields, but cannot see an issue where all results are being shown as well. The recommendations from their posts did not resolve my issue.
- removed anything custom from functions.php
- fully deleted Toolset plugins and downloaded latest versions from website
- tried in an 'Archive page' with a view:
  hidden link
- tried in a page with a view:
  hidden link

In all scenarios the same issue exists when using AJAX.

Any help really appreciated,

Thanks, Tristian

#426057

Hello Tristian,

I'm Mohammed, the Toolset support team leader. I'll do my best to help you achieve your needs through Toolset components.

I think that this is not related to the issue you've mentioned: https://toolset.com/forums/topic/parametric-search-not-working-for-select-fields-other-fields-working-ok/

This one is related to the Access plugin and, of course, we should check and fix it. Do you agree?

I will check our internal queues for this to see if it's previously reported.

Please wait and I will get back to you again.

Thanks.

#426061

Hi Mohammed,

Thanks - it would be great to get some help on this.

I feel this is more of an AJAX issue than an Access issue. If I do not use AJAX to update the form, then things work fine.

Also, when I filter using a Select field then nothing happens (all records are returned with no filtering) which again doesn't sound like Access.

Essentially, when using AJAX to filter by a Select field both parametric filtering and Access restrictions seem to be bypassed.

Things seem to work as expected when filtering by a standard text field or when not using AJAX.

I can provide access to the site if needed.

Many thanks

#426089

Also, even with Access disabled the Select field is not filtered properly. Just seems when AJAX is being used with a Select field then all posts are being returned every time...

I can provide site access and links to relevant views/pages to demonstrate?

#426104

Hi Tristian,

I'm not able to replicate your issue locally since the configurations you've mentioned work properly for me.

Here are my configurations:
- Created custom post type
- Created select custom field and attached it to the post type
- Created a view with parametric search
- Selected "AJAX results update when visitors click on the search button"
- Added a filter that depends on the created field
- Activated access and prevented guests from accessing the post type
- Created a page and inserted the view into it
- Tested as admin and guest, everything went well because I couldn't see any posts when I accessed as a guest and filtered also with the different values of the custom select field.

Please let me know if I missed anything and guide me to replicate the issue.
To save time, please provide me with the access details to your admin dashboard. I will set the next reply as a private one for that.

#426703

Hi Mohammed,

I provided access details on Friday - have you had a chance to take a look?

Can you see the issue?

Thanks,

Tristian

#426719

Although this is happening to all views with AJAX, I have re-created the view I linked to previously and deleted the old view. Same problem, but updated URLs:

View where AJAX filtering defined:

hidden link

Link to front-end where View is displayed through a layout:

hidden link

Thanks

#426835

Hi Tristian,

I've exported all your Toolset settings into my local installation and I succeeded in replicating the issue!

I was able to make the filter work properly by replacing the Location status filter.
When I added the filter, I selected "Select" instead of "Types auto style".

The filter should be the following:

[wpml-string context="wpv-views"]Location Status:[/wpml-string] [wpv-control field="location-status" url_param="location-status" type="select" auto_fill="wpcf-location-status" auto_fill_sort="asc"]

Please test that and let me get your feedback.

Thanks.

#427058

Hi Mohammed,

Thanks for the info. Making this change resolves the main issue which is great 🙂

It leaves me with a few questions about why AJAX usage has different results, and I would have imagined that Access would have restricted access to posts the user doesn't have permission to view regardless of AJAX or Select field settings... so I presume there is a bug of some description.

However, my aim was to get things working for this project and they are now with this workaround.

Thanks for your help.
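The open question in this thread is why the AJAX path returned records that a full page load would hide. The defensive principle is that an AJAX results endpoint must re-run the same permission check and the same filter as the initial render on every request; it can never rely on the client having narrowed the result set. The following PHP is an added illustration of that principle and is not Toolset or Access code (Toolset's own AJAX handling is internal to Views). The action name `example_filter_locations`, the helper `example_user_may_read_locations()`, the post type slug `location` and the capability used to stand in for the site's Access rule are all assumptions made for the example; the field key `wpcf-location-status` is the one from the corrected shortcode above.

```php
<?php
/**
 * Added illustration (not Toolset code): an AJAX results endpoint that
 * enforces the same read permission and the same select filter as the
 * full-page render, so the AJAX response can never contain more than a
 * page reload would show.
 */

// Register the handler for both logged-in and guest (nopriv) requests.
// Both share one function so the same checks run on every path.
add_action( 'wp_ajax_example_filter_locations', 'example_filter_locations' );
add_action( 'wp_ajax_nopriv_example_filter_locations', 'example_filter_locations' );

/**
 * Stand-in for the site's Access rule ("guests may not read Locations").
 * Whatever the real rule is, it must be evaluated here, on every AJAX
 * request, not only when the search form is first rendered.
 */
function example_user_may_read_locations() {
	return is_user_logged_in() && current_user_can( 'read' ); // assumed capability
}

/**
 * Render the search form's hidden nonce field. Call this where the
 * form is output so the handler can tie each request to a form it served.
 */
function example_filter_locations_nonce_field() {
	wp_nonce_field( 'example_filter_locations', 'nonce' );
}

function example_filter_locations() {
	// Nonce check first; on failure WordPress ends the request with -1/403.
	check_ajax_referer( 'example_filter_locations', 'nonce' );

	// Permission check on the AJAX path itself. Without this, a guest who
	// cannot load the page could still obtain the list by calling the endpoint.
	if ( ! example_user_may_read_locations() ) {
		wp_send_json_error( array( 'message' => 'Not permitted' ), 403 );
	}

	// Apply the select filter server side, from a sanitised request value.
	$status = '';
	if ( isset( $_POST['location-status'] ) ) {
		$status = sanitize_text_field( wp_unslash( $_POST['location-status'] ) );
	}

	$args = array(
		'post_type'      => 'location', // assumed slug for the 'Locations' CPT
		'post_status'    => 'publish',
		'posts_per_page' => 20,
		'fields'         => 'ids',
	);

	if ( '' !== $status ) {
		$args['meta_query'] = array(
			array(
				'key'   => 'wpcf-location-status', // Types field key from the ticket
				'value' => $status,
			),
		);
	}

	$query = new WP_Query( $args );
	$rows  = array();
	foreach ( $query->posts as $post_id ) {
		$rows[] = array(
			'id'    => $post_id,
			'title' => get_the_title( $post_id ),
		);
	}

	wp_send_json_success( array( 'count' => count( $rows ), 'results' => $rows ) );
}
```

The two things to verify on any AJAX-driven listing are visible in this shape: the permission decision is made inside the handler, not only when the page is rendered, and the filter value is read from the request and applied in the query rather than trusted from the client. A quick check is to call the endpoint directly as a guest (for example with the browser's developer tools) and confirm it returns the 403 error, and to submit a filter value and confirm the count drops accordingly.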

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.