How to hide private pages from AnsPress users?

7.18K views · WordPress
3

This is not exactly an issue of AnsPress, but I believe it affects every AnsPress user, me included.

In the frontend editor, when a user is logged in as AnsPress Participant, there is an “insert a link” button. This button is fine, I want to allow users to insert links (they must be rel=nofollow links by default! but that’s another story)

When the user presses “add link” he sees the default WordPress insert link interface, where it’s possible to choose any existing page or post. I don’t want that. There are many “hidden” pages, technical pages. “Newsletter subscription complete” etc. This is not a page a person should know of. This default interface should be replaced with something that does not show all pages. He is just an AnsPress Participant, he should not see all site internals.

What would be an easy way to achieve it?
(you probably want to have it in AnsPress by default)

I tried installing “TinyMCE Advanced”; there is an option to replace the link interface with another one. It indeed replaced the interface with something not as neat for the user, but it doesn’t have secret pages listed.

The problem with it is that it replaces the link interface for the whole WordPress installation, and I want the old interface for admin.

Looks like technically it somehow should be possible, “if role(“admin”) do_whatever_tinymceadvanced_did_for_whole_site()”
This pseudocode would even keep old interface for admin’s frontend, it would be useful.

This is actually concerning. Even after we somehow remove the “list of all pages” from the frontend UI, the ways I have thought of so far are just JS-based, meaning a real hacker would have no problem querying all available pages anyway.

I’ve looked into the permissions of “AnsPress Participant”, and it has 0 default WP permissions, just the ap_ ones. Is there maybe a way to limit listing all pages at the level of permissions?

Are you logged in as admin? Try as a participant or registered user. I will check in my free time.

In the screenshot I’m logged in as AnsPress Participant. The account was made with WSL (WordPress Social Login).

When I’m logged in as Admin, I even get my additional buttons from extensions in that frontend editor. Good thing they are not present for AnsPress Participant.

Temporarily fixed this issue with this code:

add_filter('mce_buttons', 'd_tinymce_change_buttons', 9000);
function d_tinymce_change_buttons($buttons) {
    // Change nothing if current user has admin (?not sure) rights.
    if (current_user_can('manage_options')) {
        return $buttons;
    }

    // Buttons to add for non-admin users (none at the moment).
    $added = array(
    );
    // Buttons to remove from the editor toolbar for non-admin users.
    $removed = array(
        'link'
        ,'unlink'
        ,'formatselect'
        ,'subscript'
        ,'superscript'
        ,'table'
        ,'charmap'
    );
    return array_diff(array_merge($buttons, $added), $removed);
}

@Rahul, please enable answering our own questions, this is something common for a developer to contribute on a topic.

@Dima, where exactly did you add this code please? And did it work? Really something that must be disabled! Gives any user the full rights to your entire pages/posts! Thanks.
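On the question above about limiting the page list on the server rather than in JS: the link dialog loads its list through WordPress core's `_WP_Editors::wp_link_query()`, which exposes the `wp_link_query_args` and `wp_link_query` filters. The following is an added example, not code from any poster in this thread or from AnsPress; the `ex_` function names are hypothetical, the `manage_options` check mirrors Dima's snippet, and it is assumed to live in a theme's functions.php or a small plugin.

```php
<?php
// Added example (not from the thread): empty the link dialog's search
// results on the server for every user who is not an administrator.
// The ex_ prefix is a hypothetical name chosen for this example.

function ex_link_dialog_user_is_privileged() {
    // Same capability test as the mce_buttons snippet above.
    return current_user_can( 'manage_options' );
}

// 1) Before the query runs: force a condition that matches no post,
//    so the database is never asked for the real page list.
function ex_link_dialog_restrict_args( $query ) {
    if ( ! ex_link_dialog_user_is_privileged() ) {
        $query['post__in'] = array( 0 ); // no post has ID 0
    }
    return $query;
}
add_filter( 'wp_link_query_args', 'ex_link_dialog_restrict_args' );

// 2) After the query: drop anything another plugin may have put back
//    into the result set for a non-privileged user.
function ex_link_dialog_restrict_results( $results ) {
    if ( ! ex_link_dialog_user_is_privileged() ) {
        return array();
    }
    return $results;
}
add_filter( 'wp_link_query', 'ex_link_dialog_restrict_results' );
```

This only closes the link dialog's own lookup; a published page is still served to anyone who requests its URL, so pages that must stay hidden should also be given Private status or otherwise be access-controlled.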

0

@Dima…your code works (hiding the existing links until one clicks it to link to existing) but I still think that’s still risky because, of course, trying to link to an existing page is not a skill for simple web surfers…so it still poses danger to site administrators. @Chema…I don’t seem to get your idea of hiding this thing. Please re-post here (like Dima) the working code so we can try and understand your angle! Thanks.

1

I found the same problem, and also hid the link button. To allow users to include links, I also included this snippet:

add_filter('the_content', 'make_clickable');

This currently enables users to include a link by typing http://, or pasting the link on a word. In my case, I do not want users to access any internal page.

And to prevent spam, external links are “no follow”:

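add_filter('the_content', 'my_nofollow');
add_filter('the_excerpt', 'my_nofollow');

// Run every opening <a ...> tag in the content through the callback.
function my_nofollow($content) {
    return preg_replace_callback('/<a[^>]+/', 'my_nofollow_callback', $content);
}

function my_nofollow_callback($matches) {
    $link = $matches[0];
    // Escape the site URL so its dots are matched literally inside the regex.
    $site_link = preg_quote(get_bloginfo('url'), '%');

    if (strpos($link, 'rel') === false) {
        // No rel attribute yet: add one in front of href on external links.
        $link = preg_replace("%(href=\S(?!$site_link))%i", 'rel="nofollow external" $1', $link);
    } elseif (preg_match("%href=\S(?!$site_link)%i", $link)) {
        // External link whose rel is not already nofollow: replace it.
        $link = preg_replace('/rel=\S(?!nofollow)\S*/i', 'rel="nofollow external"', $link);
    }
    return $link;
}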

Greetings to you all.

@Chema…your code shows fatal error….don’t know if I’m missing something. What I did is I just copied the code as is here from “add_filter(‘the_content’, ‘my_nofollow’);” down to the end…to line 17 and it showed fatal error. That means not working. I copied again from “add_filter (‘the_content’ ‘make_clickable’);” down again to line 17…still fatal error…what am I missing? I am using My Custom Functions plugin for code snippet pasting. Tried Dima’s suggestion of ‘Code Snippet’ very nice, but I couldn’t work with it. All codes I pasted there didn’t work at all. So…currently I’m held up at this point in using AnsPress…really want the ‘Insert Link’ button to be completely removed or disabled, not only to ‘hide’ it.

@Dima…tried your code first time the other day, it worked! But not working now….don’t know if a line has been removed from it or something. What I did was to just copy the entire code as you have entered it here and paste on my “My Custom Functions” plugin and it didn’t work! Please step in! Thanks.

0

I also checked the above issue you have discussed. How to hide the pages from users?