Add Public Post Preview compatibility shim to RSA
Description of the Change
This substantially integrates the shim wp-plugin-ppp-rsa-compat.php into Restricted Site Access.
The shim reimplements significant portions of Public Post Preview's functionality, because the methods in PPP used to verify whether the preview link is valid are set to private access.
I'm filing this PR against RSA, but if this feature is better implemented in PPP, I have a corresponding PR against PPP here: https://github.com/ocean90/public-post-preview/pull/184
Resolves https://github.com/10up/restricted-site-access/issues/344
How to test the Change
- Enable PPP and RSA on the same site.
- Create a draft post.
- Verify that the draft post is visible to logged-in users, and blocked for logged-out users.
- Enable PPP for the post.
- Verify that the draft post is visible to both logged-in users and logged-out users.
- Disable PPP for the post.
- Verify that the draft post is visible to logged-in users, and blocked for logged-out users.
Changelog Entry
Added - Compatibility with Public Post Preview to allow logged-out users to view preview links.
Credits
Props @benlk
Checklist:
- [x] I agree to follow this project's Code of Conduct.
- [ ] I have updated the documentation accordingly.
- [ ] I have added Critical Flows, Test Cases, and/or End-to-End Tests to cover my change.
- [ ] All new and existing tests pass.
This PR is a draft because, while the shim has been tested on live sites, I have not tested this specific PR's code in any environment. There's a PHPCS fail, and tests and docs are needed before this is ready for merge.
However, this PR should be sufficient to determine whether this PR or https://github.com/ocean90/public-post-preview/pull/184 is preferred.
Bumping this to @10up/open-source-practice for input on preferred approach
> Bumping this to @10up/open-source-practice for input on preferred approach
Looking at the code here, seems we're copying a lot of functionality from Public Post Preview so I think the ideal outcome here is getting a fix within that plugin instead of here.
That said, we obviously have more control of RSA so if we think we have a better chance of getting this fix here, we can proceed with this.
@jeffpaul @dkotter I added some notes on the issue to discuss what user expectations are when installing both RSA and PPP. tl;dr: do they wish to allow full access to preview posts via ppp or do they wish to only allow the restricted users to preview posts via ppp?
https://github.com/10up/restricted-site-access/issues/344#issuecomment-2765050795
> do they wish to allow full access to preview posts via ppp or do they wish to only allow the restricted users to preview posts via ppp?
My initial reaction here is restricted to only those who have access via RSA, to default towards the more secure/restricted approach.
> My initial reaction here is restricted to only those who have access via RSA, to default towards the more secure/restricted approach.
This is my strong inclination too.
@benlk Do you have bandwidth to repurpose this PR to provide documentation as to how to add a filter to allow ppp links through and add any hooks to the existing code base that are required to achieve this?
@peterwilsoncc I don't have bandwidth to add more than a short comment pointing at this PR, or at a gist version of the shim, describing them as reference implementations.
> add any hooks to the existing code base that are required to achieve this
The restricted_site_access_is_restricted hook is sufficient. The main issue is that, unless https://github.com/ocean90/public-post-preview/pull/184 is merged, any developer seeking to recreate the functionality that this PR provides will have to independently re-implement the code that PPP uses to determine if a given request is a valid PPP link.
@jeffpaul regarding
> My initial reaction here is restricted to only those who have access via RSA, to default towards the more secure/restricted approach.
That approach is already satisfied by the combination of RSA and PPP, without this shim. Without this shim, PPP parses requests after RSA checks whether the user can view the whole site. People who can't pass RSA don't see the PPP link.
This shim moves parsing of requests for PPP-validity to before RSA checks the request, and bypasses RSA for PPP-validated requests.
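The filter approach discussed in this thread, as an added example that is not part of the thread and is not code from this PR, RSA or PPP: a callback on `restricted_site_access_is_restricted` that lifts the restriction only for a request carrying a valid preview token for a post that currently has public preview enabled, and otherwise leaves RSA's decision untouched. Assumptions, none of which are shown on this page and all of which should be checked against the installed plugin versions: the filter passes the `WP` request object as its second argument, and PPP uses the `_ppp` query variable, the `public_post_preview` option, the `ppp_nonce_life` filter and the nonce construction reproduced below. The function name is hypothetical.

```php
<?php
// Added example; assumptions about RSA's filter arguments and PPP's internals
// are listed in the lead-in and marked below.
add_filter( 'restricted_site_access_is_restricted', 'example_rsa_allow_valid_ppp', 10, 2 );

function example_rsa_allow_valid_ppp( $is_restricted, $wp = null ) {
	if ( ! $is_restricted || ! is_object( $wp ) ) {
		return $is_restricted; // Nothing to relax, or no request to inspect.
	}
	$qv = (array) $wp->query_vars;

	// `_ppp` is only a registered query var while PPP is active (assumption),
	// so with PPP disabled this check fails closed.
	$nonce   = ( isset( $qv['_ppp'] ) && is_string( $qv['_ppp'] ) ) ? $qv['_ppp'] : '';
	$post_id = 0;
	foreach ( array( 'p', 'page_id' ) as $key ) {
		if ( ! empty( $qv[ $key ] ) ) {
			$post_id = absint( $qv[ $key ] );
			break;
		}
	}
	if ( '' === $nonce || empty( $qv['preview'] ) || 0 === $post_id ) {
		return $is_restricted;
	}

	// The post must still have public preview enabled (option name assumed).
	$enabled = array_map( 'intval', (array) get_option( 'public_post_preview', array() ) );
	if ( ! in_array( $post_id, $enabled, true ) ) {
		return $is_restricted;
	}

	// Time-boxed token: accept the current and the previous half-life tick
	// (construction assumed to mirror PPP's private verify_nonce()).
	$life = (int) apply_filters( 'ppp_nonce_life', 2 * DAY_IN_SECONDS );
	if ( $life <= 0 ) {
		return $is_restricted;
	}
	$tick   = ceil( time() / ( $life / 2 ) );
	$action = 'public_post_preview_' . $post_id;
	foreach ( array( $tick, $tick - 1 ) as $i ) {
		$expected = substr( wp_hash( $i . $action, 'nonce' ), -12, 10 );
		if ( hash_equals( $expected, $nonce ) ) { // Constant-time comparison.
			return false; // Valid preview link: skip RSA for this request only.
		}
	}
	return $is_restricted; // Any mismatch keeps the site restricted.
}
```

Every early return hands back RSA's original decision, so a malformed, expired or revoked link is treated exactly like any other logged-out request.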