Membership Plugin

Strangely there was no choice for the "Membership Premium" plugin which is what I need help with, so I picked the first of the related plugins that were there for the purposes of the required field.

I found a significant "hole" in the membership plugin. It does not protect the RSS feed, so anyone who knows a little about these things can easily side step the membership aspect and have complete and free access to all of the content by simply going into Google Reader and adding a subscription manually by using the full URL with "/feed" at the end. I have tried deleting some of the feed files and my site crashes :slight_frown:

Anyone know of any way to protect the RSS feeds?

  • Barry

    It does not protect the RSS feed, so anyone who knows a little about these things can easily side step the membership aspect and have complete and free access to all of the content by simply going into Google Reader and adding a subscription manually by using the full URL with "/feed" at the end. I have tried deleting some of the feed files and my site crashes :slight_frown:

    It certainly should do - each user / member has a unique key appended to their feed which restricts access to only their available content - if no key is present it should default to the stranger level - can you give us some details of your set up.

  • astUtemy

    It works when you are on the site so that if "strangers" click on a protected page they get a page that explains that the page they clicked on is for paid subscribers only, but I logged out of the site, confirmed that I did not have access to the page on the site and entered the RSS Feed URL into my browser and had access to the posts. Initially it was only the unprotected feeds that show up, but when I went back to my google reader I was able to see all posts in their entirety and had access to all of the content. You can see the site here: Accounting For Real Estate There are really only 2 levels of access (stranger and member). Strangers have access to SOME content, while members of course have access to everything.

    In the meantime I changed the RSS link on the site (my theme includes it by default and I haven't figured out how to remove it yet) so that it re-directs you to the home page and now if you enter the feed URL into your browser you will get an error page because I did delete some of the feed files, but then as a final test I went back to Google reader and added the subscription manually (ie directly in Google Reader as a new subscription using the feed URL and once again all of the posts showed up (protected and not) in their entirety. Some of the posts have images linked to download files and I was able to click them right in my reader to download the file, even though I was logged out of the site at the time.

  • Barry

    If you are logged in, or visiting as a stranger - what does the RSS feed url look like?

    Can you view the source and let me know? It should look something like:

    http://site.com/feed/?k=alongbitofrandomtexthere

    Initially it was only the unprotected feeds that show up, but when I went back to my google reader I was able to see all posts in their entirety and had access to all of the content.

    Was your sites content visible to google before the protection was turned on? Sometimes Google reader caches the feed and it takes a few updates for it to "forget" old content.

    I've viewed the feed with the standard /feed url on my browser - there are 5 articles listed in it do you have more than that in your view? Google reader view?

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.