Control access to custom post type associated to media

extrememicro

Hi,
I have a custom post type sdm_downloads that links to files.
I want to control what registered users can download using capabilities.
First I assign them differently to different user roles like this:

{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.3.2",
        "advanced-access-manager": ">=6.2.2"
    },
    "Statement": [
        {
            "Effect": "allow",
            "Resource": [
                "Capability:descarga-manuales",
                "Capability:descarga-documentacion-de-montaje",
                "Capability:descarga-fichas-tecnicas"
            ]
        }
    ],
    "Param": []
}

Now I have a global policy that denies correctly or allow me to read the custom post correctly. The problem is that direct access to file (.../wp-content/uploads/2020/05/file.pdf) is denied:

{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.3.2",
        "advanced-access-manager": ">=6.2.2"
    },
    "Statement": [
        {
            "Effect": "deny",
            "Resource": [
                "PostType:sdm_downloads:posts"
            ],
            "Action": [
                "List",
                "Read",
                "Comment"
            ]
        },
        {
            "Effect": "allow",
            "Enforce": true,
            "Resource": [
                "PostType:sdm_downloads:term:sdm_categories:%s:posts => ${USER.capabilities}",
                "PostType:sdm_downloads:term:media_category:%s:posts => ${USER.capabilities}"
            ],
            "Action": [
                "Read"
            ]
        }
    ]
}

I tried with Term resource in allow part without success too. For example, any of these worked:

"Term:sdm_categories:%s:posts => ${USER.capabilities}",
 "Term:media_category:%s:posts => ${USER.capabilities}"
                "Term:category:%s:sdm_downloads => ${USER.capabilities}"
                "Term:sdm_categories:%s:sdm_downloads => ${USER.capabilities}"
                "Term:sdm_categories:%s => ${USER.capabilities}"
                "Term:sdm_categories:%s:posts => ${USER.capabilities}"

There is a better way? Or any clues to solve this?

extrememicro

I think that get it to work with this modified policy but is there any better way than creating duplicated terms?
Why if I denied a sdm_downloads custom post type, his related attachment is denied access but allow part isn't working?

{
"Version": "1.0.0",
"Dependency": {
"wordpress": ">=5.3.2",
"advanced-access-manager": ">=6.2.2"
},
    "Statement": [
        {
            "Effect": "deny",
            "Resource": [
                "PostType:sdm_downloads:term:sdm_categories:descarga-certificados:posts",
                "PostType:sdm_downloads:term:sdm_categories:descarga-documentacion-de-montaje:posts",
                "PostType:sdm_downloads:term:sdm_categories:descarga-fichas-tecnicas:posts",
                "PostType:sdm_downloads:term:sdm_categories:descarga-software:posts",
                "PostType:sdm_downloads:term:sdm_categories:descarga-presto:posts",
                "PostType:sdm_downloads:term:sdm_categories:descarga-manuales:posts",
                "PostType:attachment:term:media_category:descarga-certificados:posts",
                "PostType:attachment:term:media_category:descarga-documentacion-de-montaje:posts",
                "PostType:attachment:term:media_category:descarga-fichas-tecnicas:posts",
                "PostType:attachment:term:media_category:descarga-software:posts",
                "PostType:attachment:term:media_category:descarga-presto:posts",
                "PostType:attachment:term:media_category:descarga-manuales:posts"
            ],
            "Action": [
                "List",
                "Read",
                "Comment"
            ]
        },
        {
            "Effect": "allow",
            "Enforce": true,
            "Resource": [
                "PostType:sdm_downloads:term:sdm_categories:%s:posts => ${USER.capabilities}",
                "PostType:attachment:term:media_category:%s:posts => ${USER.capabilities}"
            ],
            "Action": [
                "Read"
            ]
        }
    ]
}

vasyl

extrememicro the answer is quite simple and not so much. The problem here is that you are assigning capabilities to the current user with policies. When AAM loads policies it takes the current user object that contains still NOT updated list of capabilities. That is why capabilities like descarga-manuales or descarga-documentacion-de-montaje will not be included in the ${USER.capabilities} array.

That is why it did not work for you with capabilities.

You can assign those capabilities to users with AAM UI. This way they'll persist in database and will be available to current user right way. That will do the trick.