Skip Navigation

[Resolved] Relevanssi allows users to see other users private posts

This thread is resolved. Here is a description of the problem and solution.

Problem:
Relevanssi has some problems when it comes to checking if it can show private posts to a user, if the post is in a custom post type.

Relevanssi doesn’t actually check the what the capability to read private posts is called, but instead assumes it’s read_private_slugs, where slug is the name of the post type.

Solution:
https://www.relevanssi.com/knowledge-base/private-posts-custom-post-types/

This support ticket is created 6 years, 1 month ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
- - 14:00 – 20:00 14:00 – 20:00 14:00 – 20:00 14:00 – 20:00 14:00 – 20:00
- - - - - - -

Supporter timezone: Asia/Ho_Chi_Minh (GMT+07:00)

This topic contains 16 replies, has 3 voices.

Last updated by rayG-2 5 years, 12 months ago.

Assisted by: Beda.

Author
Posts
#616264

I am trying to: Add search functionality to my website using Relevanssi

Link to a page where the issue can be seen: hidden link - it works correctly when the user is not logged in

I expected to see: as a logged in user to see only my private posts, listed in my search results.

Instead, I got: other users private posts, listed in the search results. When I click on a result, I get a page not found error, which is good, but I do not want user 1 to see user 2s posts listed in the results.

#616273

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi Ray

The issue is described by Relevanssi here: hidden link

I'm not sure why Relevanssi assumes the capability is something different than the standard "read_private_posts", which is what is used for custom post types registered with Types.

So based upon that linked article, I suggest you try adding the code to your theme's functions.php file (or using a plugin such as Code Snippets).

add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' );
function tssupp_relevanssi_private_cap( $cap ) {

	$cpt_slug = 'job-application'; // Edit as required

    if ( $cap == 'read_private_' . $cpt_slug ) {
    	$cap = 'read_private_posts';
    }

    return $cap;
}

You'll need to edit the slug of the post type in question.

#619431

I couldn't get that to work.
I have added the code, reindexed the search and it stills shows search results from other users.
I read the link you supplied and to be honest it didn't really make sense.
What would be the net step to resolve this?
Kind regards
Ray

#619432

The other thing that may be an issue is that there are multiple slugs that would need to be added.
Not sure if this is a matter of adding them sequentially to the code.

#619653

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi Ray

I can help you adapt the code so that it works with multiple custom post types, but I won't do that until I know the code provided by Relevanssi for a single custom post works.

I suggest you contact Relevanssi and ask them if the code sample in that article is still valid.

You can tell them that you have a custom post type registered with some slug, that uses the standard "read_private_posts" capability, and that you have tried the above code as recommended in their post.

Let me know what they say and then I can help with testing more custom post types.

#619884

Thanks Nigel.
I have contacted them and will let you know what they.
Kind regards
ray

#621748

Hi Nigel,
I am not sure whether to keep this ticket open or not.
I have a permissions issue that I feel needs resolution first as I am hiving difficulty getting my head around how Access Control works. I have tried different setups and in some I get excellent search results but I cannot see a users posts.
In other setups I get the opposite effect. I know there must be a middle ground, but struggling to work it out.
Looking for some advice.
Kind regards
Ray

#622856

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi Ray

Sorry, I didn't notice your last update.

Was there something specific you needed explaining?

#623073

Hi Nigel,

That's OK, I do need some further advice please.

I don't think I am quite getting capabilities.

My site will have customers and subscribers. Customers can add/edit/delete 4 out of 8 custom post types and subscribers can add/edit/delete 8/8 custom post types. All these custom posts are visible to (or should be) visible to the individual author who created them.

I have a dashboard which allows each user to see and access their posts, with edit links added to the view of each post.

The problem is, in the dashboard, that when I have the edit capability on users can see their posts, but they can edit the layout of the page and search results come up for all users, not just the authors posts. When I have the edit capability turned off, users cannot see their posts in the dashboard but when they search it only searches their results.

I am using standard Woocommerce/Wordpress roles. I tried a custom role, but I got the same results.

I hope that makes sense.

Kind regards
Ray

New threads created by Nigel and linked to this one are listed below:

https://toolset.com/forums/topic/split-limiting-post-visibility-to-own-posts-with-relevanssi-searches/

#623237

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi Ray, I split your last question off into its own thread as it is related but distinct.

For the issue reported here about private posts, let me know if you hear from Relevanssi about the validity of that code they shared.

#625816

This is the answer I got from relevanssi:

This is the code I am using. add_filter( ‘relevanssi_private_cap’, ‘tssupp_relevanssi_private_cap’ ); function tssupp_relevanssi_private_cap( $cap ) { $cpt_slug = ‘job-application’ // Edit as required if ( $cap == ‘read_private_’ . $cpt_slug ) { $cap = ‘read_private_posts’ } return $cap; }

The capability Relevanssi uses is ’read_private_’ . $cpt_slug . ’s’, the plural s must be in the end. That way your code should work, if read_private_posts is the correct capability.

#630835

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi Ray

I have re-opened this.

The advice you shared above implies a minor edit to the code provided, like so:

add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' ); 
function tssupp_relevanssi_private_cap( $cap ) { 

	$cpt_slug = 'job-application' // Edit as required 

	if ( $cap == 'read_private_' . $cpt_slug . 's' ) {
		$cap = 'read_private_posts';
	} 

	return $cap; }
}

Do you want to test that?

#630918

Hi Nigel,

Thanks for reopening this.

It doesn't quite work, it shows examples from all users, but when I click on a link I get a 404 error, which I think is good as it not showing a different users private posts.

I think I need to setup a custom search like you did in a previous example.

I'll give that a go.

I used this code as yours had extra characters in it.

add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' );
function tssupp_relevanssi_private_cap( $cap ) {
 
    $cpt_slugs = 'job-application'; // Edit as required
 
    if ( $cap == 'read_private_' . $cpt_slugs ) {
        $cap = 'read_private_posts';
    }
 
    return $cap;
}

Kind regards
Ray

#630994

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Hi Ray

You haven't included the extra 's' that Relevanssi said is required and which I added.

(Or rather, you have updated the variable name to $cpt-slugs, but it is the slug itself that needs to be plural.)

Just change the line with the slug to directly include the 's', i.e. $cpt-slugs = 'job-applications';

#631184

Hi Nigel,

I'm sorry, I am just not getting this.

If I use your original example:

add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' ); 
function tssupp_relevanssi_private_cap( $cap ) { 
 
    $cpt_slug = 'job-application' // Edit as required 
 
    if ( $cap == 'read_private_' . $cpt_slug . 's' ) {
        $cap = 'read_private_posts';
    } 
 
    return $cap; }
}

I get a syntax error, unexpected 'if' (T_IF) in line 6. I am using the Snippets plugin for extra code.

If I use this code:

add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' );
function tssupp_relevanssi_private_cap( $cap ) {
  
    $cpt_slugs = 'job-applications'; // Edit as required
  
    if ( $cap == 'read_private_' . $cpt_slugs ) {
        $cap = 'read_private_posts';
    }
  
    return $cap;
}

or this code:

add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' );
function tssupp_relevanssi_private_cap( $cap ) {
  
    $cpt_slug = 'job-applications'; // Edit as required
  
    if ( $cap == 'read_private_' . $cpt_slug ) {
        $cap = 'read_private_posts';
    }
  
    return $cap;
}

I still see results from other users, when I am logged in as a customer or subscriber.

I am using a standard WP search widget inserted into the footer, so as not to add another layer of confusion.

Maybe I am not understanding what should be returned with search results.

Kind regards
Ray

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.