soflyy / oxygen-bugs-and-features

Bug Reports & Feature Requests for Oxygen
https://oxygenbuilder.com/

Oxygen Bypasses Page Security "Password Protected". #1035

Open ejeaglesct opened 4 years ago

ejeaglesct commented 4 years ago

Describe the bug: When a page is password protected but has an Oxygen template it bypasses the security and immediately loads the page.

Have you tried all the steps at https://oxygenbuilder.com/documentation/troubleshooting/troubleshooting-guide/? Yes

Are you able to replicate the issue on a Sandbox install at https://oxygenbuilder.com/try? Password protect a page, then load it with a template.

To Reproduce: See notes above.

Expected behavior: Prompts to enter password.

What actually happens: Password protected content loads immediately.


KittenCodes commented 4 years ago

If you're using the built-in WordPress password protection then it's only possible to protect content added via the WordPress editor. You would be able to design the page with Oxygen, but any data that you want to be password protected would need to be added to the WordPress editor. You can then add that content to your Oxygen design using Dynamic Data: https://oxygenbuilder.com/documentation/templating/dynamic-data/.

Another option would be to find a plugin that allows you to protect your content, such as Passster: https://en-gb.wordpress.org/plugins/content-protector/. You can then use a Shortcode Wrapper element to add the Passster shortcode and move any elements that require protection into the Shortcode Wrapper.

harryfear commented 4 years ago

Just ran into this. A bit of a bummer.

Might be cool to just provide a password protection template that handles this issue. Then we can create a password input page template and that can be served instead of the locked page.

Cr3epy commented 3 years ago

It's a real threat to the system - this is something which should be included in the next version. This external plugin is simply bad and you have to fix all the CSS again - and usually it only works badly. Please bring an option to add this kind of page, it's basic stuff. Thanks

diegoinsignia commented 3 years ago

Any solution to this case?

I was testing this tutorial

https://wpdevdesign.com/how-to-password-protect-entries-in-oxygen/

but it doesn't work well with created templates :(

zsoltmar commented 3 years ago

Yeah, this is a major flaw... please provide a proper solution

froglab-web commented 3 years ago

I found a workaround: it only works if you're using the Gutenberg plugin, but in my case it solved the problem (I had a CPT which always used the same template and was also populated via ACF).

This way the Oxygen editor is bypassed and I was able to password-protect my pages. The only drawback is I had to manually set my container div and its content to 100 vw (otherwise all the content is left-aligned) AND every time I have to create a new entry I have to drag my block on the page again.

avocadesign commented 3 years ago

Beaver Builder support gave me this lovely snippet for a beaver builder project using the post_password_required() function that works a treat. It filters the visibility on any row with the .password-protected class

// filter password protected content
add_filter( 'fl_builder_is_node_visible', function( $is_visible, $node ){
    global $post;

    if ( 'module' === $node->type && 'password-protected' === $node->settings->class ){
        if ( post_password_required( $post ) ){
            return false;
        }
    }

    return $is_visible;
}, 10, 2 );

That led me to this lovely little dynamic condition:

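// Register the condition only when Oxygen's conditions API is available.
if( function_exists('oxygen_vsb_register_condition') ) {

    oxygen_vsb_register_condition('Password Protected?', array('options'=>array(), 'custom'=>true), array('==', '!='), 'ex_condition_password_protected', 'Post');

    // Callback for the condition: $value is the value typed in the builder (1 or 0).
    function ex_condition_password_protected($value, $operator) {
        global $post;

        // True while the post has a password that the visitor has not entered yet.
        $password_protected = post_password_required( $post );
        $value = intval($value);

        if ($operator == "==") {
            if ($password_protected == $value) {
                return true;
            } else {
                return false;
            }
        } else if ($operator == "!=") {
            if ($password_protected != $value) {
                return true;
            } else {
                return false;
            }
        }

        // Unknown operator: treat the condition as not met.
        return false;
    }

}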

You do need to have the "content" included in the page as that is where the password field is shown. Need to just sort out my logic for the condition a bit more clearly but it does work in my testing.
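
Earlier in the thread it is explained that WordPress's built-in password protection only covers content rendered from the WordPress editor. As an added example (not code from Oxygen, Beaver Builder or any commenter), the snippet below gates the whole request rather than individual elements, using only WordPress core functions. Placing it in a must-use plugin, letting editors through, and the builder rendering after the `template_redirect` action are assumptions.

```php
<?php
// Added example: a hypothetical must-use plugin, not code from Oxygen or from this thread.
// Assumption: the page builder emits its template after the template_redirect action.

add_action( 'template_redirect', function () {
    // Post passwords only apply to single posts, pages and custom post type entries.
    if ( ! is_singular() ) {
        return;
    }

    $post = get_queried_object();
    if ( ! ( $post instanceof WP_Post ) ) {
        return;
    }

    // Let users who may edit this post through, so the builder stays usable for them.
    if ( current_user_can( 'edit_post', $post->ID ) ) {
        return;
    }

    // True while a password is set and the visitor has not yet supplied it
    // (core checks the wp-postpass_ cookie issued after the form is submitted).
    if ( ! post_password_required( $post ) ) {
        return;
    }

    // Serve core's password form on a bare page and stop, so no template
    // markup for the locked entry is generated for this request.
    wp_die(
        get_the_password_form( $post ),
        esc_html( get_the_title( $post ) ),
        array( 'response' => 200 )
    );
}, 0 );
```

Because the check runs on the server before any template output, the locked markup never reaches the browser, unlike approaches that only hide elements.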

ryangorley commented 3 years ago

@avocadesign Thank you for sharing this solution! Just a note from trying to use this is that it won't work when applied to a repeater element. One must wrap the repeater in a div and apply the condition to that wrapping element.

devlamconstructie commented 3 years ago

cool. I think the logic can be written more elegantly as:

if ($operator == "==") {
    return $password_protected == $value;
} else {
    return $password_protected != $value;
}

or (slightly less readable)

return ($operator == "==")? $password_protected == $value: $password_protected != $value;

harryfear commented 2 years ago

Just had a client waste hours trying to setup vanilla WP password protection, only to have to explain this is a known bug/limitation of Oxygen. Quite embarrassing.

The WP password option should be CSS-hidden by Oxygen or a warning should be visible for the end user to warn that Oxygen destructs this WP feature.

uhlhosting commented 2 years ago

> Just had a client waste hours trying to setup vanilla WP password protection, only to have to explain this is a known bug/limitation of Oxygen. Quite embarrassing.
>
> The WP password option should be CSS-hidden by Oxygen or a warning should be visible for the end user to warn that Oxygen destructs this WP feature.

Like a product built around WordPress, I see your point here. Oxygen Builder should not take out features; on the contrary, they should enhance them.

I see this more as a trade-off, since you do not use the classical templating system, and clearly that allowed the use of password protected pages to work natively.

What Oxygen can do, is to add an easier {UX/UI} to mark posts as private, true! Yet we would have to rather be expressing our needs constructively.

I am positive someone on their end, can see people struggle with this feature by now.

mahmudsg commented 2 years ago

We have a million views per month site using Oxygen and now it is getting a big issue and hard to manage.

May we have a fix soon, please?

Mar1AK commented 1 year ago

+1 on this. Tried multiple password protection plugins and none work. Please have this fixed ASAP

zsoltmar commented 1 year ago

Still a pain

savkovic-crd commented 1 year ago

+1 on this from me too. Dear Lord help us all. If I knew how to fix this inside Oxygen source code, I'd do it myself for free.