Easy to see pages protected by S2Member

I don’t want to publish on a public forum how S2Member lets a user easily see a page that is supposedly protected. To my knowledge it only happens with a particular theme (but a popular theme nonetheless.)

If anyone from s2member support would like to contact me I am more than happy to reveal, by PM, how this can happen, hoping it can them be addressed.

Hello Ken,

Could you please describe the problem you’re having?

We do not offer support through any medium besides these forums: s2Member® » Support Policy

– Eduan

Fair enough then.
If you use the Swagger premium WordPress theme you have the option to create a page template with tabbed content areas, the content for each tab can be drawn from a different page.

Having created the template you then create a page (let’s call it the master page) and assign the template to it. So one page can display content from several, via the tabs.

Even if these pages supplying content for the tabs are protected, the content freely displays to non-registered visitors who visit the master page.

You would certainly not expect this to be the case.

I think I understand now. So basically one page is showing the content of several pages correct?

If that’s the case, then the reason may be actually quite simple. The theme is calling for those pages and getting their content in a way s2Member does not monitor. So s2Member isn’t even aware that those pages were called, and so it can’t protect them.

That’s just what I think though, I’m not sure if that’s the case or not.

So does protecting pages normally and accessing them normally (i.e. through their URL) work correctly?

– Eduan

Yes, the pages cannot be accessed normally via the URL as S2Member protects them in that situation.
Swagger is a popular theme though, and I think some consideration should be given by both S2Member developers and the Swagger author as to how to solve this issue or at least make users aware of the possibility of a security breach.

it may not be the only theme that displays page content in this manner.

I see. I’ll notify Jason of this so that he can check if he wants to solve it or not. :)

Or so that he can notify us of the real problem.

– Eduan

This is a direct quote:

In WordPress, there are Post Types.

• Page is a Post Type: page
• Post is a Post Type: post
• Attachment is a Post Type: attachment
• etc, etc.. Everything is a Post Type

If a custom theme adds a new Post Type that holds fragments of data which are later included in another Post Type (like a Page for instance, this creates a problem; as the site owner describes in this thread).

---

So let’s say for instance, we have this scenario.

I create a custom theme that saves fragments of data called Snippets (like we have @ s2Member.com).
Snippets are a Post Type. Post Type: snippet. See: http://wordpress.org/extend/plugins/wp-snippets/

Now I create a Page. Post Type: page.

In that page I include a Shortcode that pulls in a Snippet (like a PHP include).
(this goes into my Page).

So now I have a Page (Post Type: page) that contains a Snippet (Post Type: snippet).
However, if this content if for members only, I should protect BOTH the Page and the Snippet.

---

With s2Member you can protect different Post Types; either by ID, or by specifying all-[post type]s (plural). For instance, all-snippets or all-pages. This is accomplished from the Restriction Options panel under Post Level Access Restrictions. So it is very easy to protect the original permalinks for both Post Types.

---

In this thread, the user says:

Even if these pages supplying content for the tabs are protected, the content freely displays to non-registered visitors who visit the master page.

You would certainly not expect this to be the case.

Yes, that IS to be expected. The fact that you’re creating a new Page that brings forward this content, means that YOU (as the site owner) are obligated to protect that new master Page as well. s2Member does not care that you’ve protected the other Pages (e.g. Tabs in this case). If you create a new Page that pulls in content from those other Pages (like PHP includes); you will need to protect the Page that is doing this.

Does that help?

Thank you very much for this explanation. For my application it is not a problem to simply protect the page that is displaying the tabs, as well as the pages that contain the content for the tabbed areas, and this is what I shall do.

It means that it is not possible to mix content on the one page, so that, for example, a Level 1 member can see one of the tabs but not all, whereas a Level 2 member can see more tabs. The page is either displayed or not displayed. But for me this is not a problem.

If I wanted to do this, I could use conditionals, but this is not user -friendly, and I want the owner of the site to be able to modify content without resorting to these methods, because that is too hard for them to do.

However I would love it if s2member were able to offer an alternative to simply throwing the user back to a registration page if they try to access restricted content. For instance a way of showing a polite message – “That content is restricted” and staying on the same page. Maybe this is possible and I haven’t yet found the way?

For instance a way of showing a polite message – “That content is restricted” and staying on the same page. Maybe this is possible and I haven’t yet found the way?

That is not possible currently with s2member I’m afraid. You’ll have to modify s2member so that it works this way instead of redirecting to the MOP (membership options page).

– Eduan