From 55729d5dc2260a45c59997a3fd74806e59db822e Mon Sep 17 00:00:00 2001
From: Felipe Elia
Date: Tue, 8 Mar 2022 14:47:02 -0300
Subject: [PATCH 1/4] Change ep_exclude_password_protected_from_search behavior
---
 includes/classes/Feature/ProtectedContent/ProtectedContent.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/includes/classes/Feature/ProtectedContent/ProtectedContent.php b/includes/classes/Feature/ProtectedContent/ProtectedContent.php
index 283366b9a7..0fcc114389 100644
--- a/includes/classes/Feature/ProtectedContent/ProtectedContent.php
+++ b/includes/classes/Feature/ProtectedContent/ProtectedContent.php
@@ -241,10 +241,11 @@ public function exclude_protected_posts( $formatted_args, $args ) {
 * Filter to exclude protected posts from search.
 *
 * @hook ep_exclude_password_protected_from_search
+ * @since 4.0.0
 * @param {bool} $exclude Exclude post from search.
 * @return {bool}
 */
- if ( ! is_user_logged_in() && apply_filters( 'ep_exclude_password_protected_from_search', true ) ) {
+ if ( ! is_user_logged_in() || apply_filters( 'ep_exclude_password_protected_from_search', false ) ) {
 $formatted_args['post_filter']['bool']['must_not'][] = array(
 'exists' => array(
 'field' => 'post_password',
From dba59f5dbbd3a01db90bcc2a7e6867ee31560262 Mon Sep 17 00:00:00 2001
From: Felipe Elia
Date: Tue, 8 Mar 2022 14:47:19 -0300
Subject: [PATCH 2/4] Exclude pw protected posts from IR
---
 includes/classes/Feature/InstantResults/InstantResults.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/includes/classes/Feature/InstantResults/InstantResults.php b/includes/classes/Feature/InstantResults/InstantResults.php
index 2659aac73e..63ffb8d54a 100644
--- a/includes/classes/Feature/InstantResults/InstantResults.php
+++ b/includes/classes/Feature/InstantResults/InstantResults.php
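Review bot: The docblock kept above the rewritten condition in exclude_protected_posts() does not describe the new contract: the filter is now consulted only for logged-in requests and defaults to `false`, while logged-out requests always get the `must_not` clause. A site that returned `false` from `ep_exclude_password_protected_from_search` to keep protected posts searchable for visitors silently loses that behaviour, and as far as the visible condition shows any logged-in account, whatever its role, still receives protected posts unless the filter returns `true`. I would extend the docblock with something like `Logged-out requests always exclude password protected posts; this filter only controls whether logged-in requests exclude them too (default false).` The function starts above the hunk and continues below it.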
@@ -377,6 +377,7 @@ public function get_search_template() {
 add_filter( 'ep_intercept_remote_request', '__return_true' );
 add_filter( 'ep_do_intercept_request', [ $this, 'intercept_search_request' ], 10, 4 );
 add_filter( 'ep_is_integrated_request', [ $this, 'is_integrated_request' ], 10, 2 );
+ add_filter( 'ep_exclude_password_protected_from_search', '__return_true' );
 $query = new \WP_Query(
 array(
@@ -391,6 +392,7 @@ public function get_search_template() {
 remove_filter( 'ep_intercept_remote_request', '__return_true' );
 remove_filter( 'ep_do_intercept_request', [ $this, 'intercept_search_request' ], 10 );
 remove_filter( 'ep_is_integrated_request', [ $this, 'is_integrated_request' ], 10 );
+ remove_filter( 'ep_exclude_password_protected_from_search', '__return_true' );
 return $this->search_template;
 }
From 5949170779242a3f0650623a6fc87a85db43d6d6 Mon Sep 17 00:00:00 2001
From: Felipe Elia
Date: Tue, 8 Mar 2022 15:58:48 -0300
Subject: [PATCH 3/4] PW Protected Content: Prevent full content to be indexed
---
 .../ProtectedContent/ProtectedContent.php | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
diff --git a/includes/classes/Feature/ProtectedContent/ProtectedContent.php b/includes/classes/Feature/ProtectedContent/ProtectedContent.php
index 0fcc114389..72d044a41d 100644
--- a/includes/classes/Feature/ProtectedContent/ProtectedContent.php
+++ b/includes/classes/Feature/ProtectedContent/ProtectedContent.php
@@ -54,6 +54,7 @@ public function setup() {
 add_filter( 'ep_post_formatted_args', [ $this, 'exclude_protected_posts' ], 10, 2 );
 add_filter( 'ep_index_posts_args', [ $this, 'query_password_protected_posts' ] );
 add_filter( 'ep_post_sync_args', [ $this, 'include_post_password' ], 10, 2 );
+ add_filter( 'ep_post_sync_args', [ $this, 'remove_fields_from_password_protected' ], 11, 2 );
 add_filter( 'ep_search_post_return_args', [ $this, 'return_post_password' ] );
 if ( is_admin() ) {
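Review bot: The `remove_filter( 'ep_exclude_password_protected_from_search', '__return_true' )` added in the second hunk of get_search_template() also unhooks a `__return_true` that a site or another plugin registered on this hook at the default priority, because WordPress keys string callbacks by function name. After the template has been built, a site that opted in to hiding protected posts from logged-in users would lose that setting for the rest of the request. Hooking a callback owned by this class, the way `intercept_search_request` is hooked a few lines above, keeps the add/remove pair in both hunks self-contained. A comment on the `add_filter` line saying why exclusion is forced here (presumably because the generated template is reused for visitors who are not logged in) would help the next reader. Both hunks show only part of the function.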
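Review bot: Registering `remove_fields_from_password_protected` at priority 11 in setup() means it clears only what callbacks at priority 10 or lower have already written; anything hooked on `ep_post_sync_args` at a later priority that fills `post_content`, `meta` or a similar field would put protected content back into the document after the cleanup. The callback also appears to rely on `include_post_password` (priority 10) having set `post_password` first. I would record both constraints next to the line, e.g. `// Runs after include_post_password (10); callbacks at a later priority can re-add content.`, and consider a later priority such as `PHP_INT_MAX` so the cleanup runs last. setup() continues outside the hunk.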
@@ -226,6 +227,56 @@ public function include_post_password( $post_args, $post_id ) {
 return $post_args;
 }
+ /**
+ * Prevent some fields in password protected posts from being indexed.
+ *
+ * As some solutions publicly expose full post contents, this method prevents password
+ * protected posts to have their full content and their meta fields indexed. Developers
+ * wanting to bypass this behavior can use the `ep_pc_skip_post_content_cleanup` filter.
+ *
+ * @param array $post_args Post arguments
+ * @param int $post_id Post ID
+ * @return array
+ */
+ public function remove_fields_from_password_protected( $post_args, $post_id ) {
+ if ( empty( $post_args['post_password'] ) ) {
+ return $post_args;
+ }
+
+ /**
+ * Filter to skip the password protected content clean up.
+ *
+ * @hook ep_pc_skip_post_content_cleanup
+ * @since 4.0.0
+ * @param {bool} $skip Whether the password protected content should have their content, and meta removed.
+ * @return {bool}
+ */
+ if ( apply_filters( 'ep_pc_skip_post_content_cleanup', false ) ) {
+ return $post_args;
+ }
+
+ $fields_to_remove = [
+ 'post_content_filtered',
+ 'post_content',
+ 'meta',
+ 'thumbnail',
+ 'post_content_plain',
+ 'price_html',
+ ];
+
+ foreach ( $fields_to_remove as $field ) {
+ if ( ! empty( $post_args[ $field ] ) ) {
+ if ( is_array( $post_args[ $field ] ) ) {
+ $post_args[ $field ] = [];
+ } else {
+ $post_args[ $field ] = '';
+ }
+ }
+ }
+
+ return $post_args;
+ }
+
 /**
 * Exclude proctected post from the frontend queries.
 *
From 0a64690a8546ac05f4091fed3b300b2332680473 Mon Sep 17 00:00:00 2001
From: Felipe Elia
Date: Tue, 8 Mar 2022 16:10:46 -0300
Subject: [PATCH 4/4] Adjust protected content tests
---
 tests/php/features/TestProtectedContent.php | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/tests/php/features/TestProtectedContent.php b/tests/php/features/TestProtectedContent.php
index bbc6eb1054..de390aa103 100644
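Review bot: `$fields_to_remove` in remove_fields_from_password_protected() does not contain `post_excerpt`, so if the document carries that field, as ElasticPress post documents normally do, a hand-written excerpt of a protected post stays indexed and searchable even though WordPress withholds the excerpt until the password is entered. I would add `'post_excerpt',` to the array, or say in the docblock which fields are deliberately kept (the title is, per the tests in this series). The `ep_pc_skip_post_content_cleanup` filter is also applied without `$post_args` or `$post_id`, so the opt-out is all-or-nothing; passing both, `apply_filters( 'ep_pc_skip_post_content_cleanup', false, $post_args, $post_id )`, would allow a per-post decision.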
--- a/tests/php/features/TestProtectedContent.php
+++ b/tests/php/features/TestProtectedContent.php
@@ -323,9 +323,11 @@ public function testAdminPasswordedPost() {
 ElasticPress\Features::factory()->activate_feature( 'protected_content' );
 ElasticPress\Features::factory()->setup_features();
+ // Post title is indexed but content is not.
 Functions\create_and_sync_post(
 array(
- 'post_content' => 'findme 123',
+ 'post_title' => 'findmetitle 123',
+ 'post_content' => 'findmecontent 123',
 'post_password' => 'test'
 )
 );
@@ -339,7 +341,7 @@ public function testAdminPasswordedPost() {
 $wp_the_query = $query;
 $args = array(
- 's' => 'findme',
+ 's' => 'findmetitle',
 );
 $query->query( $args );
@@ -347,6 +349,16 @@ public function testAdminPasswordedPost() {
 $this->assertTrue( $query->elasticsearch_success );
 $this->assertEquals( 1, $query->post_count );
 $this->assertEquals( 1, $query->found_posts );
+
+ $new_query = new \WP_Query(
+ [
+ 's' => 'findmecontent',
+ ]
+ );
+
+ $this->assertTrue( $new_query->elasticsearch_success );
+ $this->assertEquals( 0, $new_query->post_count );
+ $this->assertEquals( 0, $new_query->found_posts );
 }
 /**
@@ -367,7 +379,7 @@ public function testFrontEndSearchPasswordedPost() {
 Functions\create_and_sync_post(
 array(
- 'post_content' => 'findme 123',
+ 'post_title' => 'findmetitle 123',
 'post_password' => 'test',
 )
 );
@@ -375,7 +387,7 @@ public function testFrontEndSearchPasswordedPost() {
 $query = new \WP_Query(
 array(
- 's' => 'findme',
+ 's' => 'findmetitle',
 )
 );
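Review bot: The assertions added to testAdminPasswordedPost() prove only that a search for `findmecontent` finds nothing; none of the visible hunks inspects the indexed document, so the stripping of `meta`, `thumbnail` and the other listed fields is untested, and so is the `ep_pc_skip_post_content_cleanup` opt-out. I would add one case that syncs a protected post with content and a meta value and asserts those fields are empty in the stored document, and one with the filter returning `true` that asserts they are kept. The changed default of `ep_exclude_password_protected_from_search` for logged-in users is likewise not exercised in what is shown here.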