
[Resolved] Access Control Issue with front end and WP_Query

This support ticket was created 6 years and 10 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.


This topic contains 6 replies, has 2 voices.

Last updated by Minesh 6 years and 10 months ago.

Assisted by: Minesh.

#534056

I have a post type called Fulfillments that has a custom front end solution our admins use to fulfill orders made in our system. The post type itself needs to only be visible to admin users as it contains sensitive customer information that should not be public.

Restricting this with Access was quite straightforward but after doing so we started running into another issue.

We run some scripts on WordPress cron jobs that poll that fulfillment information to send out reports. After restricting the access to the fulfillment post type these scripts began to fail. Looking closely at this we've found that something (we're pretty sure that it's Access) has added the following snippet to our WP_Query

AND wp_posts.post_type <> 'fulfillment'

Which causes our query to return no results and breaks the rest of the script.

The full WP_Query request generated with Access control active is below:

SELECT   wp_posts.ID FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id ) WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'wpcf-booking-reference' AND wp_postmeta.meta_value IN ('RN0N9AM','RHFTCW0','RCJEZ1D','RZGE0E6','R6WSB2K','RBHRZNN','RSBSGLN','RRU2KYG','RUSUWM8','R2LH0W1','RMCCTU1','RLUXH8L','R0AGB1U','RUNFQ91','RY1AYPQ','RWWAVQM','RQ97SGV','RS62MKJ','RJ11V3U','R05HQR9','RLWTL30','R0AUE6Z','R0E4MW1','RLBJUUR','RLERS4F','RMWTYWC','R0NDBUD','RL08NM6','RQQ5WMN','RJ0H1ZM','RTRY0N5','RT6TV11','RSGUAE1','RY3H64N','RWKBV8A','RVXVRFW','RH5G4F1','RTCHGKJ','RYSHHPQ','RRDD0WR','RVLNHSF','RC2VAPB','RHZU6J1','R1VBLWK','RS0YXCD','RPWQ7C0','R1GFDQ1','RTEM1EZ','RGRL3QD','RDDXYH0','RGWJAXK','RXJ7YM9','R391J7E','RKF31JY','RTDFSFX','RNPNY2E','RZR7Z1Z','R3FSW05','RVVZ151','RGH0PBA','RLT9KSC','R0TWVXG','RUNETGQ','RUK0MR6','RHZSRH6','RWJEZHA','RFC9N4K','RZNYTLH','RHZ17UK','RFXNWNQ','R6C6Z7A','R1KHMVP','RA57JLC','R0R2948','RBRBKUK','RQBFEDU','RUAELN2','RVR90W4','R0UDW2G','RYSE787','RMLUER9','RNE0WJE','RRJ9ENM','RNB48UR','R7JDXKC','RAY3JJN','RLVQ9TB') )
) AND wp_posts.post_type = 'fulfillment' AND (wp_posts.post_status = 'publish') AND wp_posts.post_type <> 'restaurant' AND wp_posts.post_type <> 'fulfillment' AND wp_posts.post_type <> 'restaurants-to-order' GROUP BY wp_posts.ID ORDER BY wp_posts.post_date DESC 

What we need, is a way to continue blocking access to the fulfillments on the front end of the site but allow our cron code to still be able to query the post type. Any ideas?

#534314

Minesh
Supporter

Languages: English

Timezone: Asia/Kolkata (GMT+05:30)

Hello. Thank you for contacting the Toolset support.

Well, as you are running CRON, this needs debugging. Can I have access details, and could you please tell me where the CRON file is located and the steps to execute it?

*** Please make a FULL BACKUP of your database and website.***
I would also eventually need to request temporary access (WP-Admin and FTP) to your site. Preferably to a test site where the problem has been replicated if possible in order to be of better help and check if some configurations might need to be changed.

I would additionally need your permission to de- and re-activate Plugins and the Theme, and to change configurations on the site. This is also a reason the backup is really important. If you agree to this, please use the form fields I have enabled below to provide temporary access details (wp-admin and FTP).

I have set the next reply to private which means only you and I have access to it.

#534653

Minesh
Supporter


Well, in your first post you said that you are running some cron jobs, but you said you do not have the script with you.

We would like to know what action you are performing so that those queries are fired. Any custom script or CRON job or anything else: how did you manage to fire the query for "WITH READ ACCESS ENABLED FOR GUESTS:" to get results?

#534658

Hi Minesh,

The code used to generate the queries above is here.

$bookingargs = array(
    'posts_per_page' => -1,
    'post_type'      => 'fulfillment',
    'fields'         => 'ids',
    'meta_query'     => array(
        array(
            'key'     => 'wpcf-booking-reference',
            'value'   => $bookingIDs,
            'compare' => 'IN',
        ),
    ),
);
$bookingquery = new WP_Query( $bookingargs );

As mentioned, with the Access plugin set to prevent read access to the fulfillment post type for guests, this query returns no results while with read access for guests turned on it returns the expected results.

#534663

Minesh
Supporter


OK, thanks for sharing that code, but from where do you run this code?
- from a CRON job PHP file?
- from a WordPress plugin's or theme's functions.php file?

Which action do you perform to run the code you shared with us?

#534665

This code runs within a custom WordPress plugin that runs using the WordPress Cron System every hour.

#534668

Minesh
Supporter


Ok fine.

First - Create a new user with ADMIN rights. For example, you should create a new user with the username cronuser with admin rights.

Add the following code just before you fire your query, so it looks like the code given below:

/* Start - Code from Toolset */
$username = "cronuser"; // administrator role user (admin or create specific administrator user)
$user = get_user_by( 'login', $username );

// get_user_by() returns a WP_User object or false (never a WP_Error),
// so check the type before reading $user->ID.
if ( $user instanceof WP_User ) {
    wp_clear_auth_cookie();
    wp_set_current_user( $user->ID ); // switches the current user for this request
    wp_set_auth_cookie( $user->ID );  // also sends Set-Cookie headers for this user's session on the response
}
/* End - Code from Toolset */

$bookingargs = array(
    'posts_per_page' => -1,
    'post_type'      => 'fulfillment',
    'fields'         => 'ids',
    'meta_query'     => array(
        array(
            'key'     => 'wpcf-booking-reference',
            'value'   => $bookingIDs,
            'compare' => 'IN',
        ),
    ),
);
$bookingquery = new WP_Query( $bookingargs );

I hope the above solution will help you to resolve your issue.

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.
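
A variant of the snippet in the last reply, as an added example that is not part of the original thread or Toolset's code: it switches the current user in memory only for the duration of the query, sets no auth cookie on the response of the request that triggered WP-Cron, and restores the previous user afterwards. It assumes Access evaluates read permission against the user set by wp_set_current_user(); fulfillment_run_as() and fulfillment_cron_report() are hypothetical names, and 'cronuser' is the account suggested in the reply.

```php
<?php
/**
 * Added example, to be placed in the custom plugin that registers the
 * hourly cron event. Function names here are hypothetical.
 */

/**
 * Run $callback with $login as the current user for this request only,
 * then restore whoever was current before (user 0 under WP-Cron).
 */
function fulfillment_run_as( $login, callable $callback ) {
    $user = get_user_by( 'login', $login );
    if ( ! ( $user instanceof WP_User ) ) {
        // get_user_by() returns false, not WP_Error, for an unknown login.
        return new WP_Error( 'cron_user_missing', "No such user: $login" );
    }

    $previous_id = get_current_user_id();
    // In-memory switch only: no wp_set_auth_cookie(), so no administrator
    // session cookie is written to the HTTP response of the cron request.
    wp_set_current_user( $user->ID );

    try {
        return $callback();
    } finally {
        // Drop the elevated identity even if the callback throws.
        wp_set_current_user( $previous_id );
    }
}

/** Returns an array of fulfillment post IDs, or WP_Error if the user is missing. */
function fulfillment_cron_report( array $booking_ids ) {
    return fulfillment_run_as( 'cronuser', function () use ( $booking_ids ) {
        $query = new WP_Query( array(
            'posts_per_page' => -1,
            'post_type'      => 'fulfillment',
            'fields'         => 'ids',
            'meta_query'     => array(
                array(
                    'key'     => 'wpcf-booking-reference',
                    'value'   => $booking_ids,
                    'compare' => 'IN',
                ),
            ),
        ) );
        return $query->posts; // post IDs, because of 'fields' => 'ids'
    } );
}
```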