i dont see how to prevent someone from seeing sensitive (my account things for example) information on a page that is intended for a current user only, ie a conditional that will only display the info for a members my account page if the current viewing person IS logged in AND is that specific user.</em.
If you have a single page called "My Account", for example at the URL https://yoursite.com/my-account/, and the page is configured to always show information about the current, logged-in User, there's nothing else you need to do here to prevent one logged-in User from seeing another User's information. You could use Toolset's Access Control features to create a post group, limit access to that post group for Guests (not logged-in Users), and allow or restrict access to logged-in Users by role. All logged-in Users would, by default, see their own private information. There would be no way for one User to see another User's information in this case, the contents would always be dynamic and specific to each logged-in User.
On the other hand, if you have a post type called "My Account" and each User creates posts for themselves and/or their clients using a front-end Form, like https://yoursite.com/my-account/client-one, https://yoursite.com/my-account/client-two, https://yoursite.com/my-account/client-three, etc., and you only want the author of each My Account post to be able to see his or her own My Account posts, then you have a some options for setting this up.
- One option is to publish posts using the "Private" post status in the Form that creates My Account posts. The private post status in WordPress is designed to prevent access to posts from everyone except Administrators and the post author. Other Users will see a 404 error if they try to visit the URL of another author's post. This is probably the most straightforward way to handle private posts, as it is a built-in WordPress feature that requires no additional programming. It is easily achieved in Forms that create posts, as well as posts published from wp-admin by an administrator.
- Another option, though usually impractical, is to use Toolset Access' post groups to restrict access to private posts by post group. Post Groups allow restrictions per group, per User role, so unless you plan to create and maintain a separate post group for every individual User, this approach alone isn't usually practical.
- A third more practical option is to use conditionals in the Content Template applied to My Account posts, along with post groups. Create a conditional that tests the current User's ID compared to the ID of the author of the current post. If the two values match, display the post contents and any custom fields you want to display. If the two values do not match, display an error message instead of the other contents. It would not be a true 404, but it would prevent one User from reading the contents of another User's My Account posts. When used together with post groups to restrict access to Guest users, this solution is very practical.
Information about Toolset's conditional blocks: https://toolset.com/course-lesson/using-toolset-conditional-block/
Conditionals can also be created using shortcodes if you do not plan to use the block editor.
Let me know if you have questions about these options and I can provide additional information.
