How to hide private pages from AnsPress users?

3

This is not exactly an issue of AnsPress, but I believe it affects every AnsPress user, me included.

In the frontend editor, when a user is logged in as AnsPress Participant, there is an “insert a link” button. This button is fine, I want to allow users to insert links (they must be rel=nofollow links by default! But that’s another story).

When a user presses “add link”, he sees the default WordPress insert link interface, where it’s possible to choose any existing page or post. I don’t want that. There are many “hidden” pages, technical pages, “Newsletter subscription complete” etc. This is not a page a person should know of. This default interface should be replaced with something that does not show all pages. He is just an AnsPress Participant, he should not see all site internals.

What would be an easy way to achieve it?
(You probably want to have it in AnsPress by default.)

Tried installing “TinyMCE Advanced”; there is an option to replace the link interface with another one. It indeed replaced the interface with something not as neat for the user, but it doesn’t have secret pages listed.

The problem with it is that it replaces the link interface for the whole WordPress installation, and I want the old interface for admin.

Looks like technically it should somehow be possible: “if role("admin") do_whatever_tinymceadvanced_did_for_whole_site()”
This pseudocode would even keep the old interface for the admin’s frontend, which would be useful.

This is actually concerning. Even after we somehow remove the “list of all pages” from the frontend UI, the ways I have thought of so far are just JS-based, meaning a real hacker would have no problem querying all available pages anyway.

I’ve looked into the permissions of “AnsPress Participant”, and it has 0 default WP permissions, just the ap_ ones. Is there maybe a way to limit listing all pages at the level of permissions?

Are you logged in as admin? Try as a participant or registered user. I will check in my free time.

In the screenshot I’m logged in as AnsPress Participant. The account was made with WSL (WordPress Social Login).

When I’m logged in as Admin, I even get my additional buttons from extensions in that frontend editor. Good thing they are not present for AnsPress Participant.

Temporarily fixed this issue with this code:

add_filter('mce_buttons', 'd_tinymce_change_buttons', 9000);

// Remove selected TinyMCE toolbar buttons for every user except admins.
function d_tinymce_change_buttons($buttons) {
    // Change nothing if current user has admin (?not sure) rights.
    if (current_user_can('manage_options')) {
        return $buttons;
    }

    // Buttons to add (none) and buttons to take off the toolbar.
    $added = array(
    );
    $removed = array(
        'link'
        ,'unlink'
        ,'formatselect'
        ,'subscript'
        ,'superscript'
        ,'table'
        ,'charmap'
    );
    return array_diff(array_merge($buttons, $added), $removed);
}

@Rahul, please enable answering our own questions, this is something common for a developer to contribute on a topic.

@Dima, where exactly did you add this code please? And did it work? Really something that must be disabled! Gives any user the full rights to your entire pages/posts! Thanks.
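
The question above notes that hiding the button only changes the UI and asks for a limit below the JS layer. As an added example (not from the thread, AnsPress or WordPress core), this code restricts the link dialog's search on the server with WordPress's `wp_link_query_args` and `wp_link_query` filters; the `d_link_*` function names and the `question` post type are assumptions.

```php
<?php
// Added example, not from the thread, AnsPress or WordPress core.
// The d_link_* names are hypothetical.

// Assumption: the only post type participants may link to. 'question' is
// assumed to be the AnsPress question post type; adjust to your site.
function d_link_allowed_types() {
    return array( 'question' );
}

// Same admin test as the mce_buttons snippet in the thread.
function d_link_is_restricted_user() {
    return ! current_user_can( 'manage_options' );
}

// 1. Narrow the query behind the link dialog before it runs, so other
//    pages and posts are never fetched for restricted users.
add_filter( 'wp_link_query_args', 'd_link_query_args', 9000 );
function d_link_query_args( $query ) {
    if ( ! d_link_is_restricted_user() ) {
        return $query;
    }
    $query['post_type']   = d_link_allowed_types();
    $query['post_status'] = 'publish';
    return $query;
}

// 2. Re-check the result list, in case another plugin appended entries
//    to it on the same filter at a lower priority.
add_filter( 'wp_link_query', 'd_link_query_results', 9000, 2 );
function d_link_query_results( $results, $query ) {
    if ( ! d_link_is_restricted_user() || ! is_array( $results ) ) {
        return $results;
    }
    $allowed = d_link_allowed_types();
    $kept    = array();
    foreach ( $results as $item ) {
        $id = isset( $item['ID'] ) ? (int) $item['ID'] : 0;
        if ( $id && in_array( get_post_type( $id ), $allowed, true ) ) {
            $kept[] = $item;
        }
    }
    return $kept;
}
```

Both filters run on the server inside the link search, so they apply to every request for that list and not only to clicks in the editor. Published pages stay reachable by anyone who has their URL; this only stops the dialog from listing them.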

0

I also checked the above issue you have discussed. How to hide the pages from users?
