Access to posts based on dynamic user meta

vasyl

I've recently got this interesting use-case from one of the AAM users. He posted the following question:

Hello, I am considering purchasing the plugin and trying to implement access control so that users are only permitted to view/read posts that have the same "taxonomy" tag attached to both the user as well as a given post, dynamically.

This is the policy I am considering, where "park" is a taxonomy. I can get the values on the User through USER_META but not sure if there is something equivalent for post meta data?. I would likely purchase the plugin to assign this to all posts of a number of given types:

{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.4",
        "advanced-access-manager": ">=6.4.3"
    },
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "Read",
                "List"
            ],
            "Resource": "Post:post:1",
            "Condition": {
                "NotIn": {
                    "(*array)${POST.park.term_id}": "(*array)${USER_META.park.term_id}"
                }
            }
        }
    ]
}

vasyl

vasyl alright, let's break down all the moving parts in this case study. So...

We have some a post type with an indefinite number of posts, where posts are tagged with some custom taxonomy (in our case it is park);
We also have custom user meta park that contains an of term ids or term slugs. It can be a serialized array of values or comma-separated list;
This way, if the user can see and read ONLY posts that are tagged with terms listed in user meta park;

The solution is quite straight forward, however, it requires Plus Package add-on.

{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.1.1",
        "advanced-access-manager": ">=6.4.1",
        "${CONST.AAM_PLUS_PACKAGE}": {
            "Name": "Plus Package",
            "Version": ">=5.3.1",
            "URL": "https://aamplugin.com/pricing/plus-package"
        }
    },
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "PostType:post:posts",
            "Action": [
                "Read",
                "List"
            ]
        },
        {
            "Effect": "allow",
            "Resource": [
                "Term:park:%s:posts => ${USER_META.park}"
            ],
            "Action": [
                "Read",
                "List"
            ]
        }
    ]
}

In the first statement, we define the default access to all posts that belong to post type post with PostType:post:posts resource.

In the second statement, we define mapped resource Term:park:%s:posts => ${USER_META.park} that basically dynamically allow all the posts that are tagged with custom taxonomy park where the list of tag IDs/Slugs are defined in the user meta park.

michaelsimon

Hi Vasyl,
After purchasing the AAM Plus Package today, I tried to get this working. I'm finding that if I have a section on a "Page" where I have a listing of "Posts", it is properly limiting which Posts to display. However, when I click on the Post to Read More, it is getting a denial. Any thoughts?

Also, in your code above, I see you have a dependency for "aam-gutenberg-category-fix". What Is that/do I need it and if so, from where can I download it?

Thank you,
Michael Simon

vasyl

michaelsimon hello there,

Sorry about misleading aam-gutenberg-category-fix. This is the internal plugin that I've been using for some other project.

The reason you see "Access Denied" when reading a post is that probably it probably has more than one category assigned to it. In this case, you might try to go to AAM Settings Area and on the ConfigPress tab insert following code:

[aam]

; Manage access preference to posts, pages, media and any custom post type
core.settings.post.merge.preference = "allow"
; Manage access preference to hierarchical terms (categories)
core.settings.term.merge.preference = "allow"
; Manage access preference to any post type like Posts, Pages, Products etc
core.settings.type.merge.preference = "allow"
; Manage access preference to any taxonomy object
core.settings.taxonomy.merge.preference = "allow"

michaelsimon

Hello vasyl,

Thank you for the above. Yes, there can be a many to many relationship between- many users can have multiple parks, many posts can have multiple parks. When I added the above code, the listing of posts worked properly based on the connectivity of the "Parks" term. However, if a user had a direct link to a post that was "tagged" with a Park that their User was not tagged with, they would still be able to view the post.

Thoughts? Thanks, Michael

vasyl

michaelsimon by changing the access settings merging preference to allow, AAM basically fetches ALL the terms that are attached to any given post and merge settings in the way that if there is at least one term that either allows access or has not access settings defined, then the final access will be allowed.

In the latest AAM updates, I've added the ability to exclude any unwanted taxonomies from the equation. You can check this GitHub issue for more info.

So in your case, if posts also have some tags attached or terms of custom taxonomies, you can simply exclude them with ConfigPress:

[aam]
core.service.content.exclude.taxonomies = 'post_tag'

This should do the trick.