[Resolved] Relevanssi allows users to see other users' private posts
This thread is resolved. Here is a description of the problem and solution.
Problem:
Relevanssi has some problems when it comes to checking if it can show private posts to a user, if the post is in a custom post type.
Relevanssi doesn’t actually check what the capability to read private posts is called, but instead assumes it’s read_private_slugs, where slug is the name of the post type.
I am trying to: Add search functionality to my website using Relevanssi
Link to a page where the issue can be seen: hidden link - it works correctly when the user is not logged in
I expected to see: as a logged in user to see only my private posts, listed in my search results.
Instead, I got: other users' private posts, listed in the search results. When I click on a result, I get a page not found error, which is good, but I do not want user 1 to see user 2's posts listed in the results.
The issue is described by Relevanssi here: hidden link
I'm not sure why Relevanssi assumes the capability is something different than the standard "read_private_posts", which is what is used for custom post types registered with Types.
So based upon that linked article, I suggest you try adding the code to your theme's functions.php file (or using a plugin such as Code Snippets).
I couldn't get that to work.
I have added the code, reindexed the search and it still shows search results from other users.
I read the link you supplied and to be honest it didn't really make sense.
What would be the next step to resolve this?
Kind regards
Ray
The other thing that may be an issue is that there are multiple slugs that would need to be added.
Not sure if this is a matter of adding them sequentially to the code.
I can help you adapt the code so that it works with multiple custom post types, but I won't do that until I know the code provided by Relevanssi for a single custom post works.
I suggest you contact Relevanssi and ask them if the code sample in that article is still valid.
You can tell them that you have a custom post type registered with some slug, that uses the standard "read_private_posts" capability, and that you have tried the above code as recommended in their post.
Let me know what they say and then I can help with testing more custom post types.
Hi Nigel,
I am not sure whether to keep this ticket open or not.
I have a permissions issue that I feel needs resolution first, as I am having difficulty getting my head around how Access Control works. I have tried different setups and in some I get excellent search results but I cannot see a user's posts.
In other setups I get the opposite effect. I know there must be a middle ground, but struggling to work it out.
Looking for some advice.
Kind regards
Ray
My site will have customers and subscribers. Customers can add/edit/delete 4 out of 8 custom post types and subscribers can add/edit/delete 8/8 custom post types. All these custom posts are visible (or should be visible) to the individual author who created them.
I have a dashboard which allows each user to see and access their posts, with edit links added to the view of each post.
The problem is, in the dashboard, that when I have the edit capability on, users can see their posts, but they can edit the layout of the page and search results come up for all users, not just the author's posts. When I have the edit capability turned off, users cannot see their posts in the dashboard, but when they search it only searches their results.
I am using standard WooCommerce/WordPress roles. I tried a custom role, but I got the same results.
I hope that makes sense.
Kind regards
Ray
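This is the code I am using.

```php
// Hook into the capability name Relevanssi checks for private posts.
add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_cap' );

function tssupp_relevanssi_private_cap( $cap ) {
    $cpt_slug = 'job-application'; // Edit as required

    // Swap the post-type-specific capability for the standard one.
    if ( $cap == 'read_private_' . $cpt_slug ) {
        $cap = 'read_private_posts';
    }

    return $cap;
}
```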
The capability Relevanssi uses is 'read_private_' . $cpt_slug . 's'; the plural s must be at the end. That way your code should work, if read_private_posts is the correct capability.
It doesn't quite work, it shows examples from all users, but when I click on a link I get a 404 error, which I think is good as it is not showing a different user's private posts.
I think I need to set up a custom search like you did in a previous example.
I'll give that a go.
I used this code as yours had extra characters in it.
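
The following is an added example, not code from any post in this thread or from Relevanssi or Toolset. It combines the two points raised above: the capability name Relevanssi passes to the `relevanssi_private_cap` filter ends in a plural s, and several custom post types may need the same mapping. The function name and every slug other than `job-application` are hypothetical, and it assumes `read_private_posts` is the correct capability for each listed post type.

```php
<?php
// Added example. Slugs other than 'job-application' are hypothetical
// placeholders; list the custom post types registered on your own site.
const TSSUPP_PRIVATE_CPT_SLUGS = array(
    'job-application',
    'example-cpt-two',
    'example-cpt-three',
);

/**
 * Map the capability name Relevanssi assumes for a custom post type
 * ('read_private_' . $slug . 's') to the standard 'read_private_posts'.
 * Any capability name not built from a listed slug passes through unchanged.
 */
function tssupp_relevanssi_private_caps( $cap ) {
    foreach ( TSSUPP_PRIVATE_CPT_SLUGS as $slug ) {
        // Note the trailing plural s, as pointed out in the thread.
        if ( 'read_private_' . $slug . 's' === $cap ) {
            return 'read_private_posts';
        }
    }
    return $cap;
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: register the mapping with Relevanssi's filter.
    add_filter( 'relevanssi_private_cap', 'tssupp_relevanssi_private_caps' );
} else {
    // Outside WordPress (php thisfile.php): print how constructed sample
    // capability names are mapped, including one without the plural s.
    $samples = array(
        'read_private_job-applications',
        'read_private_job-application',
        'read_private_example-cpt-twos',
        'read_private_pages',
    );
    foreach ( $samples as $sample ) {
        printf( "%-32s => %s\n", $sample, tssupp_relevanssi_private_caps( $sample ) );
    }
}
```

With this mapping in place, Relevanssi checks `read_private_posts` for the listed post types, so which roles hold that capability is what the filter's check depends on.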