gocodebox / lifterlms

LifterLMS, a WordPress LMS Solution: Easily create, sell, and protect engaging online courses.
https://lifterlms.com
GNU General Public License v3.0

Unrestricted Preview Access Not Applying to Instructor Assistant #2133

Open nrherron92 opened 2 years ago

nrherron92 commented 2 years ago

Reproduction Steps

Expected Behavior

Actual Behavior

Error Messages / Logs


### System and Environment Information

<details>
<summary>System Report</summary>


System Report

Wordpress

Home Url: [removed] Site Url: [removed] Login Url: [removed]/wp-login.php Version: 5.9.3 Debug Mode: No Debug Log: No Debug Display: Yes Locale: en_US Multisite: No Page For Posts: Not Set Page On Front: Student Dashboard (#1654) [[removed]/] Permalink Structure: /%postname%/ Show On Front: page Wp Cron: Yes

Settings

Version: 5.10.0 Db Version: 5.10.0 Course Catalog: Course Catalog (#9) [[removed]/courses/] Membership Catalog: Membership Catalog (#10) [[removed]/memberships/] Student Dashboard: Student Dashboard (#12) [[removed]/my-courses/] Checkout Page: Purchase (#11) [[removed]/purchase/] Course Catalog Per Page: 9 Course Catalog Sorting: menu_order,ASC Membership Catalog Per Page: 9 Membership Catalog Sorting: menu_order Site Membership: Not Set Courses Endpoint: my-courses Edit Endpoint: edit-account Lost Password Endpoint: lost-password Vouchers Endpoint: redeem-voucher Autogenerate Username: yes Password Strength Meter: no Minimum Password Strength: weak Terms Required: no Terms Page: Not Set Checkout Names: required Checkout Address: required Checkout Phone: hidden Checkout Email Confirmation: yes Open Registration: no Registration Names: required Registration Address: hidden Registration Phone: hidden Registration Voucher: required Registration Email Confirmation: yes Account Names: required Account Address: optional Account Phone: hidden Account Email Confirmation: yes Confirmation Endpoint: confirm-payment Force Ssl Checkout: yes Country: US Currency: USD Currency Position: left Thousand Separator: , Decimal Separator: . Decimals: 2 Trim Zero Decimals: no Recurring Payments: yes Email From Address: [removed] Email From Name: [removed] Email Footer Text: Email Header Image: Cert Bg Width: 800 Cert Bg Height: 616 Cert Legacy Compat: no

Constants

LLMS_REMOVE_ALL_DATA: undefined LLMS_REST_DISABLE: undefined LLMS_SITE_FEATURE_RECURRING_PAYMENTS: undefined LLMS_SITE_IS_CLONE: undefined

Gateways

Stripe: Enabled Stripe Test Mode: Disabled Stripe Logging: no Stripe Order: 1 Manual: Disabled Manual Logging: no Manual Order: 1

Server

Mysql Version: 5.7.32 Php Curl: Yes Php Default Timezone: UTC Php Fsockopen: Yes Php Max Input Vars: 3000 Php Max Upload Size: 256 MB Php Memory Limit: 768M Php Post Max Size: 256M Php Soap: Yes Php Suhosin: No Php Time Limt: 120 Php Version: 7.4.29 Software: Apache Wp Memory Limit: 128M

Browser

HTTP USER AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Theme

Name: BuddyBoss Theme Version: 1.8.8 Themeuri: https://www.buddyboss.com/ Authoruri: https://www.buddyboss.com/ Template: Child Theme: No Llms Support: No

Plugins

Akismet Anti-Spam: 4.2.2 BuddyBoss Platform: 1.9.2 BuddyBoss Platform Pro: 1.2.0 Content Aware Sidebars: 3.16.1 Jetpack: 10.7 LifterLMS: 5.10.0 LifterLMS Advanced Quizzes: 2.0.1 LifterLMS Customizations: 1.0.0 LifterLMS Helper: 3.4.1 LifterLMS Stripe Payment Gateway: 5.4.0 PHP Compatibility Checker: 1.5.0 PublishPress Capabilities: 2.3.7 Scripts n Styles: 3.5.1 SVG Support: 2.3.18 Wordfence Security: 7.5.5 WP Mail Logging: 1.10.4 WP Mail SMTP: 3.3.0

Integrations

BbPress: Yes BuddyPress: Yes

Template Overrides

content-certificate.php (ver: 4.21.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 4.5.0) achievements/loop.php (ver: 3.14.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.14.0) achievements/template.php (ver: 3.14.6): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.14.6) certificates/loop.php (ver: 3.14.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.14.0) certificates/preview.php (ver: 3.14.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.14.0) course/author.php (ver: 4.11.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.25.0) course/lesson-preview.php (ver: 5.7.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 4.4.0) course/syllabus.php (ver: 4.4.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 4.4.0) loop/author.php (ver: 3.0.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.0.0) loop/content.php (ver: 3.14.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.14.0) loop/featured-image.php (ver: 3.35.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.35.0) myaccount/dashboard-section.php (ver: 3.30.1): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.30.1) myaccount/header.php (ver: 3.14.0): 
/home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.14.0) myaccount/my-grades-single-table.php (ver: 3.24.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.24.0) myaccount/my-notifications.php (ver: 3.30.3): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.30.3) myaccount/my-orders.php (ver: 3.17.6): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.17.6) myaccount/view-order.php (ver: 5.9.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.35.0) product/access-plan-pricing.php (ver: 3.29.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.29.0) quiz/results-attempt-questions-list.php (ver: 5.3.0): /home/customer/www/courses.jayfeldmanwellness.com/public_html/wp-content/themes/buddyboss-theme/lifterlms/ (ver: 3.17.8)



</details>

This issue has been recreated:
+ [x] Locally
+ [ ] On a staging site
+ [x] On a production website
+ [x] With only LifterLMS and a default theme

### Browser, Device, and Operating System Information

+ Browser name and version
+ Operating System name and version
+ Device name and version (if applicable)

eri-trabiccolo commented 2 years ago

@nrherron92 I can't reproduce this issue. You say:

> Add them to a course that has drip content that a normal student should not be able to access

What do you mean by "add them to a course"? Add them as what? Instructors? Students?

1) As long as the assistant is also added as a course instructor, they are able to bypass the restrictions. The same happens with instructors.

2) If they expect assistants not assigned to a course, but belonging to an instructor who is assigned to that course, to be able to bypass restrictions, I'd agree, and this doesn't happen because of issue #2122.

3) If the customer expects instructors and instructor assistants to bypass any restrictions on any courses they're not instructors of, well, that's just not how it works. Mmm.

4) Reading the ticket, though, it seems that the customer expects that students enrolled in a course who also have the assistant role can bypass ONLY the drip restrictions for the courses they're enrolled in. That is something that option won't allow in any case. It can be achieved with some custom code using this filter: https://developer.lifterlms.com/reference/functions/llms_page_restricted/ with something like this: https://github.com/gocodebox/snippets/commit/3766cd78a1eaa9987b10b936608e29bfb55410d2

@thomasplevy: At the moment the users with the selected roles that will bypass enrollment, drip, and prerequisite restrictions for courses and memberships, must also be able to edit the content they mean to bypass the restriction for: https://github.com/gocodebox/lifterlms/blob/6.4.0/includes/functions/llms.functions.person.php#L45-L47

I think this makes sense, because ideally we don't want an instructor of course A to be able to bypass restrictions of a course B.

Although, since we don't really mention this constraint (edit cap) anywhere that I know of, I wonder if we should add another option to allow this:

thomasplevy commented 2 years ago

If we remove the edit requirement we'll re-introduce this bug: #1974 (Related fix #1987)

I can see the confusion here but I don't think this restriction doesn't make sense... If we allow these roles all to have blanket access (the way it worked prior to 5.9) we have a pretty big security issue here in the eyes of some folks. So we can't revert that behavior.

We could add an option to allow truly unrestricted access but at that point you really might as well just use a custom role... what's the point of a reduced access instructor who can also access other people's content?

> keep the existent option as it is, specifying the edit thing in the description

This seems to be the best fix in my mind.

eri-trabiccolo commented 2 years ago

> We could add an option to allow truly unrestricted access but at that point you really might as well just use a custom role... what's the point of a reduced access instructor who can also access other people's content?

Well... the idea was that you could grant view access to a role without the need to grant edit access too, which the custom role would still need. But I see your point; a description update makes sense. There are filters already available to tweak this behavior (see my code above).

So, summarizing:

1) this is the expected behavior;

2) this behavior was introduced in v5.9 to fix a bug (see Thomas' reply above);

3) we're going to update the option description with the constraint (nudge @nrherron92);

4) @nrherron92, you can relay the snippet above (https://github.com/gocodebox/snippets/blob/trunk/lifterlms/lifterlms-no-lesson-drip-for-specific-roles.php), which will grant access to drip content to assistants (for example) enrolled in the course as students.
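The scoped approach the thread points to, a `llms_page_restricted` filter that lifts only the drip restriction, only for a chosen role, and only in courses that user is enrolled in, as an added example that is neither LifterLMS code nor the gocodebox/snippets file linked above. It assumes the filter receives the results array built by `llms_page_restricted()` (`content_id`, `is_restricted`, `reason`, `restriction_id`) plus the post ID, that a drip block is reported with `reason` equal to `lesson_drip`, and that the assistant role slug is `instructors_assistant`; the `my_llms_*` names are made up for this example.

```php
<?php
/**
 * Plugin Name: Enrolled assistants bypass lesson drip only (added example)
 *
 * Example code, not LifterLMS's own. Install as wp-content/mu-plugins/my-llms-drip-bypass.php.
 * Assumes: the llms_page_restricted filter passes ( $results, $post_id ), drip blocks use the
 * reason 'lesson_drip', and the assistant role slug is 'instructors_assistant'.
 */

defined( 'ABSPATH' ) || exit;

/** Roles that may skip drip timing. Hypothetical default; keep this list as small as possible. */
function my_llms_drip_bypass_roles() {
	return apply_filters( 'my_llms_drip_bypass_roles', array( 'instructors_assistant' ) );
}

add_filter( 'llms_page_restricted', 'my_llms_unrestrict_drip_for_enrolled_roles', 20, 2 );
function my_llms_unrestrict_drip_for_enrolled_roles( $results, $post_id ) {

	// Touch only drip blocks. Enrollment, prerequisite and membership restrictions stay intact.
	if ( empty( $results['is_restricted'] ) || 'lesson_drip' !== $results['reason'] ) {
		return $results;
	}

	// Logged-in user holding one of the allowed roles.
	$user = wp_get_current_user();
	if ( ! $user->exists() || ! array_intersect( my_llms_drip_bypass_roles(), (array) $user->roles ) ) {
		return $results;
	}

	// Scope to the parent course: the user must be enrolled in it as a student. No edit
	// capability is granted or required, and access never leaks into other courses.
	$course = llms_get_post_parent_course( $post_id );
	if ( ! $course || ! llms_is_user_enrolled( $user->ID, $course->get( 'id' ) ) ) {
		return $results;
	}

	// Clear the drip restriction for this one request.
	$results['is_restricted']  = false;
	$results['reason']         = 'accessible';
	$results['restriction_id'] = 0;

	return $results;
}
```

Because the bypass is conditioned on an existing enrollment and a single restriction reason, it does not reopen the cross-course exposure that the edit-capability check in 5.9 was introduced to close.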

nrherron92 commented 2 years ago

@eri-trabiccolo on it! thank you

thomasplevy commented 2 years ago

@gocodebox/engineering moving this to TO DO alongside #2180 so we can put a stop to confusion here.