Fix/ir and pw protected posts

includes/classes/Feature/InstantResults/InstantResults.php

@@ -377,6 +377,7 @@ public function get_search_template() {
 		add_filter( 'ep_intercept_remote_request', '__return_true' );
 		add_filter( 'ep_do_intercept_request', [ $this, 'intercept_search_request' ], 10, 4 );
 		add_filter( 'ep_is_integrated_request', [ $this, 'is_integrated_request' ], 10, 2 );
+		add_filter( 'ep_exclude_password_protected_from_search', '__return_true' );
 
 		$query = new \WP_Query(
 			array(
@@ -391,6 +392,7 @@ public function get_search_template() {
 		remove_filter( 'ep_intercept_remote_request', '__return_true' );
 		remove_filter( 'ep_do_intercept_request', [ $this, 'intercept_search_request' ], 10 );
 		remove_filter( 'ep_is_integrated_request', [ $this, 'is_integrated_request' ], 10 );
+		remove_filter( 'ep_exclude_password_protected_from_search', '__return_true' );
 
 		return $this->search_template;
 	}

includes/classes/Feature/ProtectedContent/ProtectedContent.php

@@ -54,6 +54,7 @@ public function setup() {
 		add_filter( 'ep_post_formatted_args', [ $this, 'exclude_protected_posts' ], 10, 2 );
 		add_filter( 'ep_index_posts_args', [ $this, 'query_password_protected_posts' ] );
 		add_filter( 'ep_post_sync_args', [ $this, 'include_post_password' ], 10, 2 );
+		add_filter( 'ep_post_sync_args', [ $this, 'remove_fields_from_password_protected' ], 11, 2 );
 		add_filter( 'ep_search_post_return_args', [ $this, 'return_post_password' ] );
 
 		if ( is_admin() ) {
@@ -226,6 +227,56 @@ public function include_post_password( $post_args, $post_id ) {
 		return $post_args;
 	}
 
+	/**
+	 * Prevent some fields in password protected posts from being indexed.
+	 *
+	 * As some solutions publicly expose full post contents, this method prevents password
+	 * protected posts to have their full content and their meta fields indexed. Developers
+	 * wanting to bypass this behavior can use the `ep_pc_skip_post_content_cleanup` filter.
+	 *
+	 * @param array $post_args Post arguments
+	 * @param int   $post_id   Post ID
+	 * @return array
+	 */
+	public function remove_fields_from_password_protected( $post_args, $post_id ) {
+		if ( empty( $post_args['post_password'] ) ) {
+			return $post_args;
+		}
+
+		/**
+		 * Filter to skip the password protected content clean up.
+		 *
+		 * @hook ep_pc_skip_post_content_cleanup
+		 * @since 4.0.0
+		 * @param  {bool} $skip Whether the password protected content should have their content, and meta removed.
+		 * @return {bool}
+		 */
+		if ( apply_filters( 'ep_pc_skip_post_content_cleanup', false ) ) {
+			return $post_args;
+		}
+
+		$fields_to_remove = [
+			'post_content_filtered',
+			'post_content',
+			'meta',
+			'thumbnail',
+			'post_content_plain',
+			'price_html',
+		];
+
+		foreach ( $fields_to_remove as $field ) {
+			if ( ! empty( $post_args[ $field ] ) ) {
+				if ( is_array( $post_args[ $field ] ) ) {
+					$post_args[ $field ] = [];
+				} else {
+					$post_args[ $field ] = '';
+				}
+			}
+		}
+
+		return $post_args;
+	}
+
 	/**
 	 * Exclude proctected post from the frontend queries.
 	 *
@@ -241,10 +292,11 @@ public function exclude_protected_posts( $formatted_args, $args ) {
 			 * Filter to exclude protected posts from search.
 			 *
 			 * @hook ep_exclude_password_protected_from_search
+			 * @since 4.0.0
 			 * @param  {bool} $exclude Exclude post from search.
 			 * @return {bool}
 			 */
-			if ( ! is_user_logged_in() && apply_filters( 'ep_exclude_password_protected_from_search', true ) ) {
+			if ( ! is_user_logged_in() || apply_filters( 'ep_exclude_password_protected_from_search', false ) ) {
 				$formatted_args['post_filter']['bool']['must_not'][] = array(
 					'exists' => array(
 						'field' => 'post_password',

tests/php/features/TestProtectedContent.php

@@ -323,9 +323,11 @@ public function testAdminPasswordedPost() {
 		ElasticPress\Features::factory()->activate_feature( 'protected_content' );
 		ElasticPress\Features::factory()->setup_features();
 
+		// Post title is indexed but content is not.
 		Functions\create_and_sync_post(
 			array(
-				'post_content' => 'findme 123',
+				'post_title'    => 'findmetitle 123',
+				'post_content'  => 'findmecontent 123',
 				'post_password' => 'test'
 			)
 		);
@@ -339,14 +341,24 @@ public function testAdminPasswordedPost() {
 		$wp_the_query = $query;
 
 		$args = array(
-			's' => 'findme',
+			's' => 'findmetitle',
 		);
 
 		$query->query( $args );
 
 		$this->assertTrue( $query->elasticsearch_success );
 		$this->assertEquals( 1, $query->post_count );
 		$this->assertEquals( 1, $query->found_posts );
+
+		$new_query = new \WP_Query(
+			[
+				's' => 'findmecontent',
+			]
+		);
+
+		$this->assertTrue( $new_query->elasticsearch_success );
+		$this->assertEquals( 0, $new_query->post_count );
+		$this->assertEquals( 0, $new_query->found_posts );
 	}
 
 	/**
@@ -367,15 +379,15 @@ public function testFrontEndSearchPasswordedPost() {
 
 		Functions\create_and_sync_post(
 			array(
-				'post_content'  => 'findme 123',
+				'post_title'    => 'findmetitle 123',
 				'post_password' => 'test',
 			)
 		);
 		ElasticPress\Elasticsearch::factory()->refresh_indices();
 
 		$query = new \WP_Query(
 			array(
-				's' => 'findme',
+				's' => 'findmetitle',
 			)
 		);