WordPress Private/Public Posts Security.

I have a quick question to ask.

I’ve set up a WordPress site with a custom theme that has the functionality to set posts “Private/Public”, where, as you can guess, all posts marked as private can only be seen by users who are logged in, and public ones everyone can see.


How I accomplished this was by using a custom field “access”; each post can set this custom field to private or public in the edit post screen. Then, to display these posts, I run a custom loop query with an “is_user_logged_in()” conditional statement. If that statement is true I include all posts with the “access” field set to either “private” or “public”, and if the statement fails, i.e. the user is not logged in, I only include posts with “access” set to public. I have used similar loop queries for all single page loops etc.

Now, while this works a treat, I have concerns over how secure this approach is. That’s where your help comes in. How secure do you think this is? Would it be easy to trick the loop into displaying private posts to a user that’s not logged in? Can you recommend a better, more secure way of handling private/public posts that can be set by a select number of users on the backend?

Ideas much appreciated.

Rob.



1 comment

  1. Maybe I understood it all wrong, but –

    What you describe is just like the WordPress default behavior for private posts.

    Hence, I do not really understand why you need a custom field for that.

    Custom fields have the habit of being [ab]used for everything, even if not needed 🙂

    That being said, you can use the post_status() function to check for your status:

       // $ID is the ID of the post being checked
       if ( get_post_status( $ID ) == 'private' )
       {
         // this post is 'private'
       }
       else
       {
         // this post is 'public'
       }


    So you could use

    get_post_status ( get_the_ID() )
    

    or, if you want to put it at the head of the loop, after the the_post() part:

    // inside the loop: skip the current post entirely if it is private
    if ( get_post_status() == 'private' ) continue;
    

    You could also wrap it with is_user_logged_in() if you want.

    Point is, there is already a default place in WordPress where “private” is defined, so there is no need to define it elsewhere (like a custom field).

    You can even create your own custom post status with register_post_status()...

    The best way IMHO, however, is to filter all the posts on the posts_where:

    // hook into the SQL WHERE clause of every (non-suppressed) WP_Query
    add_filter( 'posts_where', 'privates_control' );

    function privates_control( $where ) {
        // leave the admin screens untouched
        if ( is_admin() ) return $where;

        global $wpdb;
        // exclude private posts from the result set
        return " $where AND {$wpdb->posts}.post_status != 'private' "; // or add your custom status
    }


    This function simply modifies the query using the posts_where filter. Codex Link
    You can modify it to your needs (add / remove conditions / user levels / user control
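
One way to centralise the asker’s check so that no template loop can forget it, as an added example (not code from the question or the comment above); it keeps the asker’s data model and assumes the custom field is literally named “access” with the values “public” / “private”:

```php
<?php
/*
 * Added example, not code from the question or the comment above. It keeps the
 * asker's data model (custom field "access" = "public" | "private", assumed) but
 * enforces it once, centrally, with a pre_get_posts hook instead of inside every
 * template loop. The realistic leak in the per-loop design is a loop that forgets
 * the is_user_logged_in() check (search, feed, archive, a widget); a central hook
 * applies to every WP_Query. Unlike posts_where, pre_get_posts also fires for
 * get_posts(), which sets suppress_filters = true and skips SQL-clause filters.
 */

add_action( 'pre_get_posts', 'example_enforce_access_field' );

function example_enforce_access_field( WP_Query $query ) {
    // Admin screens and logged-in visitors keep full visibility, as in the question.
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }

    // Preserve any meta_query a template already set, then append the restriction.
    $meta_query = $query->get( 'meta_query' );
    if ( ! is_array( $meta_query ) ) {
        $meta_query = array();
    }

    // Fail closed: anonymous visitors only see posts explicitly marked "public".
    // A post with no "access" value at all is therefore treated as private.
    $meta_query[] = array(
        'key'     => 'access',
        'value'   => 'public',
        'compare' => '=',
    );

    $query->set( 'meta_query', $meta_query );
}
```

This covers every WP_Query, including single-post requests (an anonymous request for a private post then gets a 404), but not code that fetches a post by ID with get_post() or runs raw $wpdb queries; those paths need their own check.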