Permission for specific roles to see other user profiles

@PC was helping me with this issue on Live Chat this morning, and I am moving over to the Support Forum.

I have a question about membership permissions for some roles. I have my website set up to allow a specific type of membership access level/role to view the profiles of other access levels/roles for support purposes. I call it the Support role.

The profile structure in my site could either be http://www.example.com/profile/ID or http://www.example.com/profile/USERNAME

I am concerned that users in the access levels/roles that should NOT see other profiles could play with the URL, guess the ID number or username of another user, enter it at the end of the URL and see that user's profile.

Is there anything I can do with positive rules, negative rules, URL groups, or anything else in the Membership plugin that would stop users of specific access levels/roles from seeing other user profiles, so that if they were to play with the URL to try to guess another user's ID or username they would be directed to a "this content is protected" page?

So I want one level to have access to all of them and others not to have access to any of them.

I was thinking about using URL Groups with Regular Expressions. However, my problem is that when users log in, they go to their permalink profile automatically, which is either http://www.example.com/profile/ID or http://www.example.com/profile/USERNAME

So if I protect the http://www.example.com/profile/ URL using Regex, it would disable all access to profiles by other users, which means that specific Support role would not be able to see other users' profiles.

Is there any way around this? Or am I out of luck?

Many thanks!

  • aristath

    Hello there @Nick, I hope you're well today!

    You could create a new URL group and add the following rule inside it:
    http://www.example.com/profile/(.*)
    Then, make sure you enable the Regular Expression option on that URL group.

    After you create the URL group, you can add it as a negative or positive rule to your access levels, depending on how you've set up your levels.

    Then you'd have to do some custom coding....
    I remember there used to be a plugin that allowed you to change the URL of the current user's profile to profile/me.
    If you could find that plugin you could then add a 2nd URL group to allow access to that URL.
    However, no matter how hard I looked I could not find it (hopefully you'll have better luck than me), so I wrote some custom code that should do the trick for you.

    <?php
    
    function custom_redirect_on_profile_urls() {
        // Get the current user.
        // For documentation see http://codex.wordpress.org/Function_Reference/wp_get_current_user
        $current_user = wp_get_current_user();
        $current_user_username = $current_user->user_login;
        $current_user_id       = $current_user->ID;
    
        // Logged-out visitors have ID 0 and an empty login; nothing to redirect for them.
        if ( ! $current_user_id ) {
            return;
        }
    
        // Get the requested path. With pretty permalinks $_SERVER['PHP_SELF'] is always
        // /index.php, so REQUEST_URI (with any query string stripped) is used instead.
        // For documentation see http://www.php.net/manual/en/reserved.variables.server.php
        $current_url = strtok( $_SERVER['REQUEST_URI'], '?' );
    
        // If the URL is that of the current user's profile, define a different BP_XPROFILE_SLUG and redirect there.
        if ( custom_endsWith( $current_url, '/profile/' . $current_user_id )
            || custom_endsWith( $current_url, '/profile/' . $current_user_id . '/' )
            || custom_endsWith( $current_url, '/profile/' . $current_user_username )
            || custom_endsWith( $current_url, '/profile/' . $current_user_username . '/' ) ) {
            // Only define the constant if BuddyPress has not already done so (redefining raises a PHP notice).
            if ( ! defined( 'BP_XPROFILE_SLUG' ) ) {
                define( 'BP_XPROFILE_SLUG', 'my-profile' );
            }
            wp_redirect( home_url() . '/my-profile/' . $current_user_id );
            exit; // stop handling the request once the redirect header has been sent
        }
    }
    add_action( 'setup_theme', 'custom_redirect_on_profile_urls' );
    
    // Function derived from http://stackoverflow.com/a/834355
    function custom_endsWith( $haystack, $needle ) {
        $length = strlen( $needle );
        if ( $length == 0 ) {
            return true;
        }
        return ( substr( $haystack, -$length ) === $needle );
    }

    What this basically does, is check the URL that has been requested.
    If the URL ends with /profile/USERNAME or /profile/ID and the USERNAME or ID are those of the current user, it then defines the BP_XPROFILE_SLUG constant to "my-profile" instead of the default "profile" and redirects the user there.
    Since the new URL does not end with /profile/.... it will then bypass the regex check.

    I have NOT tested this and it could potentially do more harm than good, but you have nothing to lose by trying it out.
    If it doesn't work then simply delete it and you should be ok. :slight_smile:

    I hope that helps!

    Cheers,
    Ari.
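A URL pattern only decides which addresses are blocked; the access decision itself can also be made from who is logged in and whose profile was resolved, so guessing an ID or username in the URL makes no difference. The following is an added example and not code from the thread or from the Membership plugin; it assumes BuddyPress serves the profile pages (so `bp_displayed_user_id()` resolves both /profile/ID and /profile/USERNAME), a role named `support`, a hypothetical capability `view_other_profiles`, and `/protected-content/` as the slug of the "this content is protected" page.

```php
<?php
// Added example (hypothetical role, capability and page slug); drop into wp-content/mu-plugins/.
// The rule: anyone may view their own profile; only holders of 'view_other_profiles'
// (granted to the Support role) may view someone else's. Everyone else is sent to
// the protected-content page no matter which URL form they typed.

// Grant the capability to the Support role once. 'support' is an assumed role name.
function custom_grant_support_profile_cap() {
    $role = get_role( 'support' );
    if ( $role && ! $role->has_cap( 'view_other_profiles' ) ) {
        $role->add_cap( 'view_other_profiles' );
    }
}
add_action( 'init', 'custom_grant_support_profile_cap' );

// The decision is made from user identities, not from the requested URL string.
function custom_can_view_profile( $viewer_id, $displayed_id ) {
    if ( 0 === $displayed_id ) {
        return true; // not a member profile page at all
    }
    if ( $viewer_id === $displayed_id ) {
        return true; // a user's own profile is always allowed
    }
    // user_can() returns false for a logged-out viewer (ID 0).
    return user_can( $viewer_id, 'view_other_profiles' );
}

// template_redirect fires after the query is resolved, so bp_displayed_user_id()
// already reflects the profile that /profile/ID or /profile/USERNAME pointed at.
function custom_guard_profile_pages() {
    if ( ! function_exists( 'bp_is_user' ) || ! bp_is_user() ) {
        return;
    }
    if ( custom_can_view_profile( bp_loggedin_user_id(), bp_displayed_user_id() ) ) {
        return;
    }
    // Assumed slug of the Membership plugin's "this content is protected" page.
    wp_safe_redirect( home_url( '/protected-content/' ) );
    exit;
}
add_action( 'template_redirect', 'custom_guard_profile_pages' );
```

This check is independent of any URL group, so it keeps working whether or not the regex rule above is also in place.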

  • aristath

    Just one question...where do I put this code? In some PHP file?

    You could create a new php file in your wp-content/mu-plugins folder.
    If that folder does not exist, you can manually create it yourself.
    Just create a new file called my-customizations.php (or anything else you prefer as long as it ends with .php) and copy-paste the above code inside it.

    This will make this file load before all other plugins. :slight_smile:

    I hope that helps!

    Cheers,
    Ari.
