How to block access by IP for cpt

yehudaTiram

HI, Just got the trial and starting to config a policy but it does not work for me.
I need to block access to certain cpt to all Ip's except one or two (the office ip). I also need to allow access to 3 users (admins) from any IP.
Do you have a sample policy that I can learn from?
Thanks

vasyl

yehudaTiram there are two possible ways: with the help of IP Check & Plus Package add-ons or properly defined Access Policy & Plus Package add-on.

Note! I'm under the assumption that you need to restrict access to your custom post types (CPT) for ALL the users and visitors, except only users that belong to the Administrator role.

Option 1. With AAM UI (IP Check & Plus Package add-ons are required).
Switch to manage default access settings to all users & roles. This way your access settings are going to be propagated to everybody.

If you have both add-ons properly installed when you go to the AAM page on the Posts & Terms tab select Gear button for your CPT. This will bring the default access settings form for all your CPTs. Select REFERENCE CHECK option and in the pop-up you would need to create a rule that blocks access to all IPs where "Equals" will be a mask ... (all IPs), then select Deny for When matched, allow or deny access to the post?. After that, just create two more rules with explicitly defined whitelisted IP addresses that Allow access.

The final step is to override access settings just for the Administrator role. Simply switch to manage Administrator role and on the Post & Terms tab, for your CPT, uncheck the REFERENCE CHECK option.

Note! You can override access settings also for any individual user if necessary.

Option 1. With Access Policy (Plus Package add-on is required).
Go to the Access Policies tab and create a new policy. Then copy & past the following access policy:

{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.3",
        "advanced-access-manager": ">=6.0.5",
        "aam-plus-package": ">=5.0.3"
    },
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "PostType:page:posts",
            "Action": [
                "Read",
                "List",
                "Edit",
                "Delete"
            ],
            "Condition": {
                "NotIn": {
                    "${USER.ip}": [
                        "0.0.0.0",
                        "1.1.1.1"
                    ],
                    "administrator": "(*array)${USER.roles}"
                }
            }
        }
    ]
}

Replace PostType:page:posts with your CPT slug (e.g. PostType:document:posts or PostType:houses:posts) and IPs 0.0.0.0, 1.1.1.1 with your desired IPs. If more IP addresses is needed, just add them as comma-separated list.

The policy above hides all CPTs and restricts access to read, edit or delete them.

The final step is to attach this policy to everybody. Switch to manage default access settings to all users & roles. Then on the Access Policies tab select the policy.

Note! While writing this post, I've noted a bug where there is no way to attach the policy to Default on "Access Policy Assignee" metabox. This is something we going to fix in the next release 6.1.0.

Hopefully, this is helpful.

Thank you,
Vasyl

yehudaTiram

Thank you Vasyl,

While trying to apply your suggestions I get an error when trying to access the site backend:

( Started when I was trying to reset settings in the AAM DASHBOARD)

If I disable the AAM plugin in ftp (changed its folder name), the site is back, but renaming again show the same error.

Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in /wp-content/plugins/advanced-access-manager/application/Core/Policy/Manager.php on line 480

Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 262144 bytes) in Unknown on line 0

vasyl

yehudaTiram please let me know what AAM version you have as well as Plus Package version.

yehudaTiram

Advanced Access Manager Version 6.0.5
AAM Plus Package Version 5.0.3

For some reason I do not get a mail notification when there's an answer.

vasyl

yehudaTiram oh, check your junk or spam folder. Maybe it'll there. This forum uses AWS email server for email delivery, so I'm almost confident that it works pretty well.

Ok. So from my recent experience with this type of issue, most likely you have some other plugin that may brutally override WP_Query options and causes infinite loop. The last know plugin was "Post Types Order".

Can you please do me a favor and try to deactivate each plugin one-by-one to find out which one causes this issue. This way I can try to find the true cause of this conflict.

yehudaTiram

Sorry, but no, there's no other plugin or theme that cause this.

I disabled them all one-by-one and moved to core theme and activating AAM still caused the same issue.

I just completely deleted both AAM and AAM Plus and reinstalled them and things are back to order.

I'll check your reply to my original question and will let you know.

yehudaTiram

Hi,
I've implemented the policy.
It partially works and I hope you can assist in understanding the issue here.
The policy restrict all, including admin from the post type tour_activity.
Only if I add the admin IP ( obviously ) to the allowed IPs he can see it.

I am not sure why that works like that if the condition is like you suggested.

The code is:

{
            "Effect": "deny",
            "Resource": "PostType:tour_activity:posts",
            "Action": [
                "Read",
                "List",
                "Edit",
                "Delete"
            ],
            "Condition": {
                "NotIn": {
                    "${USER.ip}": [
                        "0.0.0.0",
                        "1.1.1.1"
                    ],
                    "administrator": "(*array)${USER.roles}"
                }
            }
  
}

vasyl

yehudaTiram the condition literally is converted to the following statement: if a user does not come from 0.0.0.0 OR 1.1.1.1 IP address AND does not have the role with the slug administrator, then apply restriction.

Please clarify that your administrator users actually belong to the role that has administrator slug.

FYI! You can learn more about the WordPress role and what actually it is from this article https://aamplugin.com/article/what-is-a-wordpress-role.

Keep me posted.

yehudaTiram

Things were going well and I manage to use the policy, but when I tried to play and change the policy to the JSON below, it erred with the same error as in my previous post

The only way to recover the site was to delete this policy from the database.
( Why my "Insert code" style not working?)

The offending code:
The lines that caused the error are:

"Capability:edit_posts",
"Capability:edit_pages",

{
    "Effect": "deny",
    "Resource": [
        "Capability:edit_posts",
        "Capability:edit_pages"
    ],
    "Action": [
        "Read",
        "List",
        "Edit",
        "Delete"
    ],
    "Condition": {
        "NotIn": {
            "${USER.ip}": [
                "0.0.0.0",
                "1.1.1.1"
            ],
            "administrator": "(*array)${USER.roles}"
        }
    }
}

vasyl

yehudaTiram that is extremely bizzard behavior. I would never anticipate that the website would crash on the Capability resource definition. It just does not make any sense to me at this point.

My best guess is that there is something funky is happening with your website setup when it comes to the user's initialization (AAM hooks into that process to adjust the final user's capabilities).

To know for sure what is going on, I need to do some troubleshooting on your site. If you can send me FTP access to it, I can try to replicate the issue and determine the reason. You can send me creds directly to support@aamplugin.com email.

Regards,
Vasyl

yehudaTiram

Same error when I try to apply policy to editor role