Users can still ask questions even if not permitted & url is known

Version used: 1.1.8

I've got the permissions set as only administrators can ask questions, but even with the most recent update, I can still go to the ask a question url and it still permits subscriber users to add questions.

What I would expect:
permissions that are not allowed would refresh to the root page, or display an error message

Example url where problem occurs
http://babyworld.co.uk/questions/test-question/

  • A media company

    If you go to http://babyworld.co.uk/questions/ask/ (as some people have seemed to have found, despite the link not being there), you get the form. This does not matter if you're logged in/not.

    I know it's not the intended use of the plugin, but an option to block levels of users from asking a question is good, and I expect it showing up only if it's allowed. It appears that setting the options as I have means that the links to the form disappear, but not the actual form.

    I would be expecting the following change:
    1) an option to have the form show *only* for logged in users
    2) assuming (1) is implemented, the form is only accessible if you have permissions (the form checks that the permissions are correct) and either displays an error message (customisable, please)

    A separate issue: to whom does the notification email go to? I can't see a means to customise it as I may want to do that as well, and others may want only someone other than the 'admin' answering the questions

  • A media company

    The update does not appear to have solved the following, which are still outstanding
    1) I would like to stop non-logged in users from being able to access the ask question form
    2) If users are not permitted to, they should not be able to access the ask a question form

    I'm coming from the view that we should be able to modify the behaviour of non-logged in users as well as deny access to certain pages based on the permissions. Removing the links from the navigation helps, but if the url is known, it won't stop people/spiders

  • A media company

    Odd. I've not got visitors in my listing of users (using WordPress 3.2.x). Will that be fixed with an upgrade to WordPress 3.3? I can't instantly upgrade as I rely on a lot of plugins I need to check are compatible.

    I am definitely using QA 1.1.9

    Regarding getting the urls, I think Google found them (use the following search in google - "site:babyworld.co.uk ask question")

    That means that the forms are not actively denied, which I would expect

  • Kimberly

    Ah, my apologies, my Visitor is a Custom User role.

    Your first line of access would have to be Subscriber then.

    Allowing one user role to edit/access does not automatically create a negative rule to deny access for the user roles below it. You will need to set each separately.

    I just tried to post a question directly from the ask url and was brought directly to a login/register screen when I tried to submit. This is the intended behavior of the plugin.

    Have you recently tested to see? :)

    Best,

    Kimberly

  • A media company

    I understand how that works.

    However, when I am a subscriber level with only view question permissions, I can still ask a question provided I know the url to the ask question form in the first place. This will then get added to the database.

    It is at that point (the visibility of the form and the saving of the data) where the explicit denial should be in place, but it is not. Given I have not got permissions for a user asking a question, the saving should not work.

    My request was that I could add options for non-logged in visitors (other user roles) by default rather than needing to define them elsewhere. Then as extra the user roles are added (like you've done, or in the plugin ordinarily), it will actively check for permissions before allowing something.

  • A media company

    Actually I did this because I realised it was a really easy change. I essentially check for permissions to ask a question and then display an error message if not.

    Can this be incorporated into the core code of the plugin? I realise a little more work is needed to make the error message localised/editable via the admin, but it's essentially there in my opinion

    function: the_question_form()
    qa/core/template-tags.php (line 346)

    	global $user_ID;
    	// check permissions to ask a question
    	if ($user_ID == 0 || !current_user_can( 'publish_questions', 0 )) {
    		$type = 'archive';

    		$link = _qa_html( 'a', array( 'href' => qa_get_url( $type ) ),
    				'have a look at our questions and answers'
    		);

    		echo "<h1>You don't have permissions to ask questions</h1>
    		<p>Please ".$link." </p>";

    		// don't show the rest of the form
    		return;
    	}

    That's all that's needed, and solves it for me, but I'm not marking it as resolved as I think it's good functionality which needs incorporating into the code otherwise unexpected results occur despite permissions being set.
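
Added example, not part of the thread and not the Q&A plugin's own code: the `publish_questions` check from the post above applied to both the form output and the save handler, using only WordPress core functions. The `qa_example_` function names, the `qa_example_ask` action and the `question` post type are assumptions.

```php
<?php
// Added example, not the Q&A plugin's code. Hypothetical names: the
// 'qa_example_ask' action, the 'qa_example_' function prefix and the
// 'question' post type. 'publish_questions' is the capability from the thread.

// Single authorization decision, shared by the form and the save handler.
function qa_example_can_ask() {
    return is_user_logged_in() && current_user_can( 'publish_questions' );
}

// Render path: refuse to output the form at all, whatever URL was requested.
function qa_example_render_form() {
    if ( ! qa_example_can_ask() ) {
        echo '<p>' . esc_html__( 'You do not have permission to ask questions.' ) . '</p>';
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="qa_example_ask">
        <?php wp_nonce_field( 'qa_example_ask' ); ?>
        <input type="text" name="question_title">
        <textarea name="question_content"></textarea>
        <button type="submit">Ask</button>
    </form>
    <?php
}

// Save path: re-check on every POST; a hidden link or form is not a control.
function qa_example_handle_ask() {
    if ( ! qa_example_can_ask() ) {
        wp_die( esc_html__( 'You do not have permission to ask questions.' ), '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'qa_example_ask' ); // dies if the nonce is missing or invalid

    $post_id = wp_insert_post( array(
        'post_type'    => 'question',
        'post_status'  => 'publish',
        'post_title'   => sanitize_text_field( wp_unslash( $_POST['question_title'] ?? '' ) ),
        'post_content' => wp_kses_post( wp_unslash( $_POST['question_content'] ?? '' ) ),
    ) );
    wp_safe_redirect( $post_id ? get_permalink( $post_id ) : home_url() );
    exit;
}
// Register for logged-in and logged-out requests so both reach the check.
add_action( 'admin_post_qa_example_ask', 'qa_example_handle_ask' );
add_action( 'admin_post_nopriv_qa_example_ask', 'qa_example_handle_ask' );
```

A quick check after deploying such a guard: as a subscriber without `publish_questions`, POST the form fields directly to the handler and confirm a 403 response and no new row in the posts table.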

  • aecnu

    Greetings A media company,

    Thank you for the snippet of code you included, it is greatly appreciated.

    I will certainly bring it to the lead developer's attention for him to decide if it is to be included.

    "That's all that's needed, and solves it for me, but I'm not marking it as resolved as I think it's good functionality which needs incorporating into the code otherwise unexpected results occur despite permissions being set."

    The above statement I found kind of ludicrous considering that the hundreds of bug fixes in WordPress 3.2.X do not concern you enough to upgrade to WordPress 3.3.2 and considering WordPress 3.4 is due out next week with even more fixes and changes. Go figure.

    I will be sure to alert the lead developer of your code snippet.

    Cheers, Joe
