Category/page protection not working

I granted support access.

I would like to know:

I just created a new membership called PREMIUM and want to protect posts/pages that way from users in other memberships so I was about testing it, created mydomain.org/premium-post and it was visible publicly.
So my specific question: we use WP-role: "GAIA-Mitglied" by default for our members. Now I raise anyone to WP-Rolle Author (without granting him access to this M2- PREMIUM Membership - he sees the posts there, why?
I did not even add anybody to this membership, but authors can access it?

  • Adam Czajczyk

    Hello Rob,

    I hope you're well today and thank you for your question!

    I tested the issue on both mine and your site. I have setup an additional membership and used it to protect post on my site. I didn't add any members to this membership. Then I have created a user with an Author role and tried to access that post and it was protected. I also replicated custom roles of GAIA-Autor and GAIA-Mitglied on my end with the same result.

    Actually, I expected that I won't be able to replicate the issue because Membership 2 Pro access protection does not rely on user roles. During the chat you mentioned that you're confused with "roles" and "memberships" so let me shed some light on this :slight_smile:

    User roles is a native WP mechanisms that are used to control what a registered user can/cannot do or access. It's mostly about the "actions" rather than content.

    The Membership 2 Pro plugin does not "care" about the roles (except admins, I'll get to it below). It simply associates the user account with "membership" (that doesn't have anyting to do with user role, it's just a "set of data") and then when particular content is served the plugin "takes over" and does this (it's simplified flow though):

    - identifies the user that accessed the content
    - checks if that user has any membership assigned and if yes, checks what membership that is
    - checks if the post is set to be protected with any membership and if yes, what membership that is
    - compares these two - membership assigned to user and membership assigned to pos
    - if they match, content is served; if not the user is given protection message.

    I hope that makes sense.

    Getting back to the issue. When I was checking that on your site, the /premium-post was returning "page not found" so I had to restore it from trash (temporarily, it's already back there) and using your user (that you shared on chat) I was able to see it.

    However, that user - if you search via "Membership 2 -> All members" page - is an admin user so that's not a good test. Admin-role users will always have access to everything and content access permissions for them cannot be handled by Membership 2 Pro.

    Therefore, I created myself a user account there, without adding it to any memberships, and assigned myself "Author" user-role and I was able to replicate that on your site (the same scenario doesn't work on my end). That leads me to the point that the "Author" user role must have been altered on your site so I checked capabilities in "Users -> User Role" settings and I noticed that "Author" role has "manage_options" capability assigned.

    That's the capability that's specific to "Admnistrator" role so granting it to "Author" makes all the users of "Author" role essentially makes these users "administrators" from Membership 2 point of view. That's why they do see these posts. I'm not sure actually if Autors should really have that capability enabled, unless it's necessary.

    Is there any specific reason why it's assigned to them?

    Kind regards,
    Adam

  • Rob

    Hi Adam,

    you brought light into the darkness on my end.. I don't see any reason, why "manage options" needs to be enabled on Authors role - so I turned it off. I understand, "manage options" is a heavy weighted option within WP and manages the door to the admin's backend.

    Based on the information you provided, I dive deeper into new memberships and surely will find suiting settings. happy you explained that goods.
    thx, Rob