Privacy protections added in 3.7.0 break direct shortcode calls

eigood
(@eigood)

1 year, 10 months ago

I have a page-template on my site, that calls do_shortcode([insert_page]). It does this before *any* post has been loaded. The security checks added in 3.7.0 then try to fetch the $parent_post_author_id, which comes back as 0. The user_can call then fails, and $can_read is set to false. This is because there is no active post yet, to check against.

My suggestion is to not check security at all if there is no current global post.

ps: This was added to svn on revision 2614442.

Viewing 7 replies - 1 through 7 (of 7 total)

Thread Starter eigood
(@eigood)

1 year, 10 months ago
```
diff --git a/www/wp-content/plugins/insert-pages/insert-pages.php b/www/wp-content/plugins/insert-pages/insert-pages.php
index b462d24c..9412e583 100644
--- a/www/wp-content/plugins/insert-pages/insert-pages.php
+++ b/www/wp-content/plugins/insert-pages/insert-pages.php
@@ -746,7 +746,7 @@ if ( ! class_exists( 'InsertPagesPlugin' ) ) {
                                if ( have_posts() ) {
                                        $can_read = true;
                                        $parent_post_author_id = intval( get_the_author_meta( 'ID' ) );
-                                       foreach ( $posts as $post ) {
+                                       if ($parent_post_author_id) foreach ( $posts as $post ) {
                                                $post_type = get_post_type_object( $post->post_type );
                                                if ( ! user_can( $parent_post_author_id, $post_type->cap->read_post, $post->ID ) ) {
                                                        $can_read = false;
```
`
- This reply was modified 1 year, 10 months ago by eigood.
Plugin Author Paul Ryan
(@figureone)

1 year, 10 months ago

Can you try switching to the “Normal” insert method instead of “Legacy” in Insert Pages Settings? The Legacy method has other issues so we’re not actively updating it.

The relevant block for the Normal insert method is here:
https://github.com/uhm-coe/insert-pages/blob/master/insert-pages.php#L426-L433

I think this should work because that code block only fires if the inserted page is not a published page.

Thread Starter eigood
(@eigood)

1 year, 9 months ago

wpip_insert_method=”normal” works, but can’t users themselves set that parameter inside post content areas?

Thread Starter eigood
(@eigood)

1 year, 9 months ago

I take it back, that does *not* work.

Thread Starter eigood
(@eigood)

1 year, 9 months ago

That’s got it; it wasn’t clear that your suggestion was to update in the global settings area, instead of just setting a new option on the shortcode itself.

Thread Starter eigood
(@eigood)

1 year, 9 months ago

So, yeah no. If I switch to “normal” mode, then when I do page=”/path/_nav”, I actually get a re-insertion of the *current* page I’m looking at. If I stay with “legacy”. and use my patch, I actually get the referenced page. So normal mode doesn’t look at given page attribute at all.

Looking further at the code, line 426 contains the same security check as mentioned previously, but in this case, it happens *above* the wpip_insert_method condition.

Plugin Author Paul Ryan
(@figureone)

1 year, 9 months ago

Can you provide more details? This works fine in our testing (inserting a random page via do_shortcode() in a theme template file outside the main WordPress loop, a.k.a. “The Loop”).

You can also try the latest version, it includes a tweak to the Legacy insert method to only check the parent post author capabilities if the post being inserted is not published.

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Privacy protections added in 3.7.0 break direct shortcode calls’ is closed to new replies.