
[Resolved] Display sensitive content of page ONLY for current logged in user

This support ticket was created 3 years, 4 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 1 reply, has 2 voices.

Last updated by Christian Cox 3 years, 4 months ago.

Assisted by: Christian Cox.

#2102457

Don

Tell us what you are trying to do?

Maybe I'm just not understanding this, but I have looked through the documentation, and although I see the steps to hide content from visitors, I don't see how to prevent someone from seeing sensitive (my account things, for example) information on a page that is intended for a current user only, i.e. a conditional that will only display the info for a member's my account page if the current viewing person IS logged in AND is that specific user. I want "private" my account pages only viewable by that specific user themselves, even if someone was to type the direct URL like mysite/my-account/usernameorid in the URL bar it would either redirect them or display a message that they are not authorized to view that page etc., and a public my account page, i.e. basically the archive of users, where the profiles and whatever data I choose to put on that archive page are viewable by anyone... but I'm not understanding how to prevent a visitor, or a logged-in member, from viewing the private my account page of someone else.

Not sure if it is relevant, but I am also using the UserPro plugin, which seems pretty good, but I have noticed that it creates its own "my profile" page and this is viewable by others, so I wanted to use conditionals to prevent things from being public...

#2102571

I don't see how to prevent someone from seeing sensitive (my account things, for example) information on a page that is intended for a current user only, i.e. a conditional that will only display the info for a member's my account page if the current viewing person IS logged in AND is that specific user.
If you have a single page called "My Account", for example at the URL https://yoursite.com/my-account/, and the page is configured to always show information about the current, logged-in User, there's nothing else you need to do here to prevent one logged-in User from seeing another User's information. You could use Toolset's Access Control features to create a post group, limit access to that post group for Guests (not logged-in Users), and allow or restrict access to logged-in Users by role. All logged-in Users would, by default, see their own private information. There would be no way for one User to see another User's information in this case; the contents would always be dynamic and specific to each logged-in User.

On the other hand, if you have a post type called "My Account" and each User creates posts for themselves and/or their clients using a front-end Form, like https://yoursite.com/my-account/client-one, https://yoursite.com/my-account/client-two, https://yoursite.com/my-account/client-three, etc., and you only want the author of each My Account post to be able to see his or her own My Account posts, then you have some options for setting this up.

- One option is to publish posts using the "Private" post status in the Form that creates My Account posts. The private post status in WordPress is designed to prevent access to posts from everyone except Administrators and the post author. Other Users will see a 404 error if they try to visit the URL of another author's post. This is probably the most straightforward way to handle private posts, as it is a built-in WordPress feature that requires no additional programming. It is easily achieved in Forms that create posts, as well as posts published from wp-admin by an administrator.

- Another option, though usually impractical, is to use Toolset Access' post groups to restrict access to private posts by post group. Post Groups allow restrictions per group, per User role, so unless you plan to create and maintain a separate post group for every individual User, this approach alone isn't usually practical.

- A third, more practical option is to use conditionals in the Content Template applied to My Account posts, along with post groups. Create a conditional that tests the current User's ID compared to the ID of the author of the current post. If the two values match, display the post contents and any custom fields you want to display. If the two values do not match, display an error message instead of the other contents. It would not be a true 404, but it would prevent one User from reading the contents of another User's My Account posts. When used together with post groups to restrict access to Guest users, this solution is very practical.
Information about Toolset's conditional blocks: https://toolset.com/course-lesson/using-toolset-conditional-block/
Conditionals can also be created using shortcodes if you do not plan to use the block editor.

Let me know if you have questions about these options and I can provide additional information.
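
The author-versus-current-user check from the third option, written here with WordPress core functions and enforced before any template is rendered. This is an added example, not code from the thread or from Toolset; the post type slug `my-account` and the `acct_` function name are assumptions.

```php
<?php
/**
 * Added example: owner-only access for a "My Account" custom post type.
 * ACCOUNT_POST_TYPE is an assumed slug; replace it with your own.
 */
const ACCOUNT_POST_TYPE = 'my-account';

/**
 * True only when the viewer is logged in AND is the author of the post.
 */
function acct_viewer_owns_post( int $post_id ): bool {
    if ( ! is_user_logged_in() ) {
        return false; // Guests never own anything.
    }
    $author_id = (int) get_post_field( 'post_author', $post_id );
    // Strict integer comparison; a missing author (0) never matches.
    return $author_id > 0 && $author_id === get_current_user_id();
}

// Reject the whole request before a template is chosen, so custom fields
// printed by the template are covered as well as the post body.
add_action( 'template_redirect', function () {
    if ( ! is_singular( ACCOUNT_POST_TYPE ) ) {
        return;
    }
    if ( acct_viewer_owns_post( get_queried_object_id() ) ) {
        return;
    }
    // Mark the query as 404; WordPress then loads the theme's 404 template,
    // and the response does not confirm that the post exists.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
} );

// Second layer: replace the body wherever the_content runs for this post
// type (for example in loops). This covers the body only, not custom fields.
add_filter( 'the_content', function ( $content ) {
    $post = get_post();
    if ( $post
        && ACCOUNT_POST_TYPE === $post->post_type
        && ! acct_viewer_owns_post( $post->ID ) ) {
        return esc_html__( 'You are not authorized to view this page.' );
    }
    return $content;
} );
```

As written, administrators are treated like any other non-author; add a capability check if they should be exempt.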