Category restrictions doesn't work

Hello,

I have a site set up with Membership2. I have created three user roles; employees, developers and administrator. I have configured 'Menu Items' with this configuration where employees and developers are restricted to most of the menu items. This works flawlessly and hide this menu from the user roles.

However, when trying the same setup in 'Categories' the output isn't the same. I have a category list widget enabled on one of the pages for testing purposes.
Developers are given access restriction to three categories, and if this is successful the tree view should confirm this. The tree view only shows the category 'uncategorized' to ALL users, even though different access restrictions are provided.

I also have other categories with 'everyone' access restrictions, they do not show in the category tree widget.

What am I doing wrong? I have granted support access.

Thank you.

  • Predrag Dubajic

    Hey Anders,

    Hope you're doing well today :slight_smile:

    I did some tests on both your site and my local installation, it seems that the issue is only happening with the widget itself, the categories and posts are still properly accessible to visitors.

    This is certainly not intended behaviour so I have created bug report for this issue and notified our developers about it.

    Thanks for bringing this up to our attention!

    Best regards,
    Predrag

  • Anders

    I also have one more question.

    Users (verified) are to create pages on this site. I have protected the categories as you may already have seen. I tested accessing an URL with an unregistered user, and the user is allowed to see the content.
    This is a huge security risk.

    I really hope I don't have to manually set permissions on every page? It'll be hours of work weekly.

    Bonus question:
    can a child category inherit its parents access restrictions? Do I have to configure access for every category created?

    Thanks

  • Dimitris

    Hey there Anders,

    hope you're doing good and don't mind chiming in!

    Would you have any estimates for when fixes are made available to the public? I'm in a semi-rush to get this site up and running

    Unfortunately we can't provide an ETA on bug fixes as our dev team is working on a variety of issues. As this bug has been reported through this thread though, you'll be the first to notify whenever I've got some update on this. :slight_smile:

    Users (verified) are to create pages on this site. I have protected the categories as you may already have seen. I tested accessing an URL with an unregistered user, and the user is allowed to see the content.
    This is a huge security risk.
    I really hope I don't have to manually set permissions on every page? It'll be hours of work weekly.

    Category protection rules are simply protecting the taxonomy archives pages, not single posts that have this taxonomy.
    You should use the "Individual Posts" addon to add them in membership levels.
    This can be done while posting a new article also, from the post edit screen.

    Bonus question:
    can a child category inherit its parents access restrictions? Do I have to configure access for every category created?

    Every category and sub-category should be setup one by one. There's no inheritance between them considering membership levels.

    Warm regards,
    Dimitris

  • Adam Czajczyk

    Hello Anders!

    As for the "category protection inheritance". There's a workaround that may work for you. There's a "URL Protection" add-on in Membership 2 Pro that you may want to activate so assuming there's a parent "Parent" category and "Child" sub-category and default URL's on your site would be like this

    yoursite.com/category/parent/child

    you could set URL protection to

    yoursite.com/category/parent

    Then all the "sub-urls", meaning the "yoursite.com/category/parent/child", would also be protected this way. That would still require setting up protection on post/page level to prevent users from accessing posts/pages directly but that'd be a "step forward".

    A supplemental workaround could be changing the permalink structure to include category name in a post address and then above protection should also automatically protect direct access to posts, however this may affect your site's SEO so you may have need to create new sitemaps and risk temporary "drops" in search engine listings. If this is a new site or a site underdevelopment though this may be worth considering.

    Finally, there's also another way to (as an alternative to changing permalinks) that could be used to "mass protect" posts: you could create a custom page template for selected category/categories and use M2 template tags (See "Membership 2 -> Help -> API Docs" in your dashboard) to implement protection.

    Best regards,
    Adam

  • Predrag Dubajic

    Hi Andres,

    URL protection will protect URL selected and sub URL's, however posts usually don't have category in their URL, unless permalinks are set differently.
    So as Adam mentioned above posts should be protected separately.

    As for URL protection, let's say you have two categories C1 and C2, and two memberships M1 and M2, if you protect C1 to M1 only M1 members will have access but if you protect C2 to M1 and M2 both will have access to it.

    Best regards,
    Predrag

  • Adam Czajczyk

    Hello Anders!

    I tried setting the custom permalink - /%category%/%postname%/. But it doesn't seem like this have any effect on the permalink structure of the site what-so-ever.

    You mean that the links on the site remained the same as they were, so instead of e.g. "yoursite/categoryname/posttitle" it's just a "yoursite/posttitle" link. Is that right?

    This should change after changing permalinks settings on "Settings -> Permalinks" page unless you are using some additional plugin that affects permalinks structure and/or cache is interfering. Please try clearing cache on site and see if that helps. If not, grant me please an access to the site again and I'll check it for your.

    Best regards,
    Adam

  • Adam Czajczyk

    Hello Anders!

    Thank you for letting me access your site. I checked it and noticed that the issue here is a bit different. We were referring to posts above while the content you are referring is contained by pages.

    By default WordPress pages are not categorized as opposite to posts. Permalinks settings wouldn't affect that. In fact, the "/%category%/%postname%/" settings does work on your site. You can check it for yourself by going to "Posts -> All posts" and clicking "View" link for any of the posts there.

    This however are posts. Your pages are categorized but that's only because of the "Add categories to pages" plugin that you are using and that's implementing its own way to handle it. Default WP Permalinks doesn't work here the way they work with posts. That's why you are not able to "see the changes".

    The way out of it would be either to move all that content to "Posts" instead of "Pages" while still keeping the current permalink settings or to get in touch with "Add categories to pages" plugin developer and ask whether something could be done about it on their end (I mean: to respect these permalinks settings).

    The alternative would be, as I mentioned before, creating custom page template and implementing page content protection inside template using "ms_has_membership()" template tag on template level. This way you could:

    - keep your URL protection as is (to protect archive listings)
    - keep your content as is (and avoid moving it)
    - protect page content as well without manually setting protection for each of the pages

    Here's more information about creating custom page templates:

    https://premium.wpmudev.org/blog/creating-custom-page-templates-in-wordpress/

    You will find description of "ms_has_membership()" template tag (template function) in your site's dashboard on "Membership 2 -> Help -> API Docs" page (the very first page that loads).

    Best regards,
    Adam

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.