2
votes

I have a quick question to ask.

I've set up a WordPress site with a custom theme that has the functionality to set posts "Private/Public", where, as you can guess, all posts marked as private can only be seen by users who are logged in, and public ones everyone can see.

How I accomplished this was using a custom field "access", and each post can set this custom field to private or public in the edit post screen. Then to display these posts I run a custom loop query with an "is_user_logged_in()" conditional statement. If that statement is true I include all posts with the "access" field set to both "private/public", and if the statement fails, i.e. the user is not logged in, only include posts with "access" set to public. I have used similar loop queries for all single page loops etc.

Now while this works a treat I have concerns over how secure this approach is. That's where your help comes in. How secure do you think this is? Would it be easy to trick the loop into displaying private posts to a user that's not logged in? Can you recommend a better, more secure way of handling private/public posts that can be set by a select number of users on the backend?

Ideas much appreciated.

Rob.

1
I am sorry, but I do not understand why you would need a special custom theme with this functionality. What you are describing is the default behavior of WordPress? Or did I understand wrong? codex.wordpress.org/Content_Visibility - Obmerk Kronen
I have tried using the WordPress private post function but I couldn't get the private posts to show up on the frontend for logged-in users who have access; they could see the post on the backend but not the looped posts on the homepage etc. Is there any way to allow a user group, say "subscribers", to be able to see the private posts on the frontend when logged in and not when not logged in? - invamped

1 Answer

1
votes

Maybe I understood it all wrong, but:

What you describe is just like the WordPress default behavior for private posts.

Hence, I do not really understand why you need a custom field for that.

Custom fields have the habit of being [ab]used for everything, even if not needed :-)

That being said, you can use the get_post_status() function to check for your status:

   $post_id = get_the_ID(); // current post in the loop; any post ID works here

   if ( get_post_status( $post_id ) === 'private' )
   {
     // this post is 'private'
   }
   else
   {
     // this post is 'publish' (public) or some other status
   }

So you could use

   get_post_status( get_the_ID() )

or if you want to put it at the head of the loop after the the_post() part:

   if ( get_post_status() === 'private' ) continue; // no argument: uses the current global $post

You could also wrap it with is_user_logged_in() if you want.

Point is, there is already a default place in WordPress where "private" is defined, so there is no need to define it elsewhere (like a custom field).

You can even create your own custom post status with register_post_status()...

The best way IMHO, however, is to filter all the posts on the posts_where hook:

add_filter( 'posts_where', 'privates_control' ); // callback name must not have a leading space

function privates_control( $where ) {
    // leave the admin screens alone
    if ( is_admin() ) return $where;

    global $wpdb;
    // append to the WHERE clause WordPress has already built
    return " $where AND {$wpdb->posts}.post_status != 'private' "; // or add your custom status
}

This function simply modifies the query using the posts_where filter. Codex Link. You can modify it to your needs (add / remove conditions / user levels / user control).
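As an added example (not code from the answer above), here is a complete version of the posts_where approach that gates on is_user_logged_in() as the answer suggests, plus the piece the comment thread was missing: granting the built-in read_private_posts capability to the subscriber role so that logged-in subscribers see stock private posts on the frontend. The function names wpse_hide_private_from_guests and wpse_let_subscribers_read_private are made up for this example. Two WordPress facts the code relies on: get_posts() passes 'suppress_filters' => true by default, so posts_where is not run for it, and role capabilities added via WP_Role::add_cap() are persisted in the database.

```php
<?php
/**
 * Added example, not code from the original answer.
 *
 * Part 1: hide private posts from anonymous visitors at the SQL level.
 * Part 2: let the "subscriber" role read private posts, so the stock
 *         post_status = 'private' feature covers the question's use case
 *         without a custom "access" field.
 *
 * Hypothetical function names: wpse_hide_private_from_guests,
 * wpse_let_subscribers_read_private. Drop into a plugin or functions.php.
 */

add_filter( 'posts_where', 'wpse_hide_private_from_guests', 10, 2 );

/**
 * Append a hard "not private" condition for anonymous front-end queries.
 *
 * @param string   $where SQL WHERE fragment built by WP_Query.
 * @param WP_Query $query The query being built (unused, kept for clarity).
 * @return string
 */
function wpse_hide_private_from_guests( $where, $query ) {
    global $wpdb;

    // Admin screens and logged-in users keep WordPress's normal behaviour,
    // which already checks read_private_posts for the current user.
    if ( is_admin() || is_user_logged_in() ) {
        return $where;
    }

    // Runs for every front-end WP_Query that applies filters: main loop,
    // secondary loops, widgets, search, feeds.
    // Caveat: get_posts() and any WP_Query built with
    // 'suppress_filters' => true bypass this hook entirely, so those calls
    // must set post_status themselves. To also exclude a status you
    // registered with register_post_status(), add a second condition here.
    $where .= $wpdb->prepare( " AND {$wpdb->posts}.post_status <> %s", 'private' );

    return $where;
}

add_action( 'init', 'wpse_let_subscribers_read_private' );

/**
 * Grant subscribers the built-in read_private_posts capability once.
 * Capabilities are stored in the database, so guard against re-adding
 * on every request.
 */
function wpse_let_subscribers_read_private() {
    $role = get_role( 'subscriber' );
    if ( $role && ! $role->has_cap( 'read_private_posts' ) ) {
        $role->add_cap( 'read_private_posts' );
    }
}
```

With read_private_posts in place, WordPress's own query logic includes private posts in front-end loops for logged-in subscribers and excludes them for guests; the posts_where filter is belt-and-braces on top of that, which is what you want when the visibility rule is a security boundary rather than a display preference.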