Multisite Users gain access to other users sites

I am using ProSites to sell websites to clients and I am letting clients activate WooCommerce inside their sites. I noticed that if one client or his subscribers go to another clients site or my own, they somehow gain access to the store. This is a big issue as clients should not get access to other clients sites. I installed the plugin per site basis, not network activated it.

how do I fix this?

  • webatonic1
    • Site Builder, Child of Zeus

    Hiya,

    "I installed the plugin per site basis, not network activated it" - referring to WooCommerce.

    Its just WooCommerce customers can login into any child site, their credentials are the same and shared amongst all the sites in the network :slight_frown:

  • tryst
    • WPMU DEV Initiate

    Ah,

    That makes a lot more sense now - thanks for clearing that up. I thought I hadn't understood you correctly.

    So, if I understand this correcly, they able to get into the backend of WooCommerce on other child sites?

    Trystan

  • webatonic1
    • Site Builder, Child of Zeus

    they cant access the admin dashboard, but have their account translate as active in the frontend of the site, "My Account" , they are logged into WooCommerce automatically.

    They are not listed as a "Customer" user in the admin, but can login into the WooCommerce shop in the front end...wierd

  • PC
    • WPMU DEV Initiate

    Hey there,

    Its just WooCommerce customers can login into any child site, their credentials are the same and shared amongst all the sites in the network :slight_frown:

    That is how WordPress Multisite works. The accounts are created on the network level and the users are able to move from site to site.

    As I suggested if you use a user management plugin, you can define that a new user should not get a default role on the main site. That ways they would not be able to get access to other sites (with a subscriber account)

    Cheers, PC

  • joeri1977
    • Flash Drive

    Hi there,

    I am having the same problem and the plugin http://wordpress.org/plugins/multisite-user-management/ doesn't work for me. Maybe because this plugin isn't working with the latest WP version, but I was hoping that there is another solution to this.

    I don't want users on a specific site for example. mysite.com/my-sub-site to be able to visit mysite.com and get access to all that content as well. I am using the plugins, Membership, theme-my-login and cloner to duplicate a site.

    Regards,
    Joeri.

  • joeri1977
    • Flash Drive

    Hi Trystan,

    Yes you are right, and I have read the description too quickly, but my idea was to use this plugin together with the plugin User Role Editor.

    So with the user role editor I created some new roles and assigned these different roles to different sub sites with the multisite-user-management plugin.

    For every new created user role, within the User Rol Editor plugin, I have set the access to NONE. So user role 1 is set to site 1 and has no access to site 2. Unfortunately this doesn't work.

    Regards,
    Joeri.

  • joeri1977
    • Flash Drive

    I didn't know this plugin was available on wpmudev, Multisite privacy, and this option is exactly what I am looking for: Only allow a registered user to see a site for which they are registered to.

    The only problem here is that when I set this option a user isn't able the register himself through the frontend, because the whole site is blocked.

    Any ideas??

    Regards,
    Joeri.

  • aristath
    • Recruit

    Hello there @joeri1977, I hope you're well today!

    Could you please grant me access to your backend so that I may see exactly what is happening?
    To do so, from your dashboard go to WPMUDEV => Support => Support Access and click on the "Grant access" button.

    Cheers,
    Ari.

  • joeri1977
    • Flash Drive

    Hi there Ari,

    Sure I would grant you access, although I have to say that the website is Live since monday, but what is it exactly that you want to look at? Do you think that the Multisite Privacy plugin should not block front-end visiting if users are not logged in?

    Regards,
    Joeri

  • aristath
    • Recruit

    Hello again @joeri1977,

    I just needed to check all settings, both from the network-admin dashboard as well as the individual site.
    Checking these myself simply saves time going back and forth in the forums asking for more details and screenshots, that's all. :slight_smile:
    It's easier to understand and resolve an issue if we see it first-hand.

    If you grant us access to your dashboard then please reply on this thread so that we get notified and check this for you.

    Cheers,
    Ari.

  • aristath
    • Recruit

    Hello again @joeri1977,

    I am sorry, maybe I am overlooking the option, but I can't find the 'Grant Access' Button.

    My mistake... I should have posted the instructions. :slight_smile:
    from your dashboard go to WPMUDEV => Support => Support Access and click on the "Grant access" button.

    Cheers,
    Ari.

  • aristath
    • Recruit

    Hello again @joeri1977, I hope you're well today!

    It's just that I can't find it / don't see the "Grant access" button if I follow your instructions.

    Do you have the WPMUDEV Dashboard plugin installed on your site?
    You'll have to have that plugin installed, activated, and you must enter your WPMUDEV credentials in that plugin's screen when you first activate it.

    I hope that helps!

    Cheers,
    Ari.

  • joeri1977
    • Flash Drive

    Hello Ari,

    Sorry for not replying any more. The website was (is) live and there where no troubles, at least until now. There are some users who are logging in on other multisites, but they shouldn't have access to others sites. Only the multisite that they are registered on. The setting from the Multisite Privacy plugin: Only registered users of this blogs can have access - anyone found under Users > All Users can have access. , is giving a redirection error when trying to acces the site from the front-end.

    I can grant you access to the multisite to maybe look at the setting.

    Best regards,
    Joeri.

  • aristath
    • Recruit

    Hello again @joeri1977,

    Could you please grant us access to your backend so that we may see exactly what is happening?
    To do so, from your dashboard go to WPMUDEV => Support => Support Access and click on the "Grant access" button.

    Please note that you must have the WPMU DEV Dashboard plugin installed on your site to complete the above process.

    Please make sure all your plugins, themes, AND WordPress core are up-to-date before doing so.

    Cheers,
    Ari.

  • Bloggista
    • Design Lord, Child of Thor

    If you are using domain mapping, there's an option in Domain Mapping you can use to avoid the issue:

    Cross-domain autologin

    Would you like for your members to be logged into all sites within your network regardless of domain name:
    Yes
    No

    Regards.

  • joeri1977
    • Flash Drive

    Good day,

    @aristath, Hi Ari, I have granted access to the website. If you are going to test/try things, could you do it on the hair4u site of the multisite. Thanks.

    @Bloggista, thanks for the info. The site is not using domain mapping, but I didn't know this so it's good to know for future projects.

    Best regards.

  • joeri1977
    • Flash Drive

    Hi @aristath, I just found a solution for denying access to other multisites rather then the one that the user has been registered on. I use this (which I didn't know was possible):

    add_action( 'template_redirect', function() {
    
        if ( is_user_logged_in() && ! is_user_member_of_blog() )
            die( 'Please ask the network administrator to get access to this blog.' );
    });

    Only I changed this message so that it looks a little better and is more related to my multisite.

    No more need to look at the multisite settings anymore.

    Best regards,
    Joeri.

    • Jeffrey
      • Flash Drive

      @joeri1977 and all interestted:I have found that the only way for users not to have auto logged in status on sub blogs is to use Domain Mapping. Otherwise, users still have logged in access to everything on the sub blog. With Woocommerce their My Account page is populated and with Sensei they can see and take courses. Our site is educational so we want them to register and login before haveing access to courses.

      As far as I can tell we are going to have to use a Membership plugin to restrict access.

  • Jeffrey
    • Flash Drive

    Maybe this will help those looking for a solution to this:
    I found this function laying around in my code files from a long time ago. The working part for those who are registered on the network but not the subblog is ! is_user_member_of_blog()

    function sh_walled_garden()
    {
    global $bp;
    
     if( is_user_logged_in() && ! is_user_member_of_blog() && ! bp_is_blog_page() && ! bp_is_activation_page() && ! bp_is_register_page() && ! bp_is_blogs_component() ) {
            wp_redirect( home_url( '/register/' ) );
            exit();
        }
    }
    
    add_action( ‘bp_init’, ‘sh_walled_garden’ );

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.