Skip Navigation

[Resolved] pages and posts are accessible when they shouldn't be.

This support ticket is created 5 years, 8 months ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
- 10:00 – 13:00 10:00 – 13:00 10:00 – 13:00 10:00 – 13:00 10:00 – 13:00 -
- 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 -

Supporter timezone: Asia/Kolkata (GMT+05:30)

This topic contains 15 replies, has 2 voices.

Last updated by malagaS 5 years, 8 months ago.

Assisted by: Minesh.

Author
Posts
#1212864

I am trying to: lock down toolset post types and pages

Link to a page where the issue can be seen:

I expected to see:

Instead, I got: am able to browse and search posts and pages

#1212866

this is critical. not only is the content accessible on the front end, but it's editable. these are post types that, in access settings, are not even readable by anyone by admin.

#1212911

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

Hello. Thank you for contacting the Toolset support.

Well - could you please share screenshot of your access setting page for your post type and tell me exactly where it's accessible?

Do you mean that it's accessible using Front-end Form edit link or in admin?

#1212912

it's completely browsable and searchable through the front end of the browser so i don't want to post it publicly.

#1212914

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

ok - I have set the next reply to private which means only you and I have access to it.

#1212920

this url has all the objects that should not be accessible to the public: hidden link
and if you search on the front end of the site using the regular search tool and type in for example 'sfotb' it returns all the items.

but i've set the post types all to admin only (for all 3 post types involved) and i've created a access group that's set to admin only and i've added the pages to that (and i think views too? - i've done everythign i can think of) - i've also tested incognito so i don't think it's cache problem.

#1212922

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

Well - what if you try to set the setting "exclude_from_search" from :
=> Toolset => Post Types => Edit your post type => Options sectoin => checkmark the checkbox "exclude_from_search" and save post type

Please check the following screenshot:
=> hidden link

#1212923

i almost did that but i'm a little bit terrified that just removing read access from the post type isn't enough. i have to go back through my other websites if that's the case.

#1212924

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

Yes - this is expected because if you click on any post after search that shows as search result:
=> hidden link

You will see "Error 404 Page" because Guest user do not have read permission. To exclude the posts from search results you need to set the option from post type that I shared. This is how it actually works and what you see was expected results.

#1212925

this wasn't happening before - i was able to see the page. ok - so i just need to eliminate it from search. thanks.

#1212926

but the page with the table output still shows.

#1212932

also, after changing the search settings on the post types i'm getting this when clicking edit from the front end edit link: Form type and post type do not match

#1212933

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

but the page with the table output still shows.
=> When I try to access that page now I see "Error 404 Page."

after changing the search settings on the post types i'm getting this when clicking edit from the front end edit link: Form type and post type do not match
=> That is a different issue. I'm splitting the ticket here.

Please feel free to close this one.

#1212936

i think part of my issue is caching - sorry. so it seems ok - on the 2nd issue i had unchecked publicly_queryable. i changed that and it's working.

#1212939

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

So, all sorted - right?