The restriction should also apply in the editor.

  • Let me explain the issue:

    For example, an admin sets a visibility on a block that an Editor cannot see the block. The editor signs in, and on the front end, the block is indeed hidden for him. However the Editor can edit the post/page, and disable the visibility rule for that block.

    In order to make it bulletproof, maybe only Admins and/or Editors can set the visibility rules, and if a block has a visibility rule for a specific role/user, those who the rule applies to them should not be able to see the block in the editor as well – in this case Authors and Contributors.

    As my review of this plugin says, this is a NEAR perfect plugin… so close to perfection, but it is just not there yet, there are some holes in the system…

    Thanks,
    Nick.

Viewing 1 replies (of 1 total)
  • Plugin Author Rich Tape

    (@iamfriendly)

    Hey Nick,

    Thanks for your detailed message. Makes it way easier to understand the solution you’re looking for.

    Generally-speaking, WordPress Editors and Administrators are considered trusted users, especially when it comes to the content on the website. The idea being that someone given the editor role (or ‘above’) is trusted enough to be able to see, and edit, all of the content on a site.

    Content Visibility is designed to do things in “The WordPress Way” as much as possible; hence there’s no settings (‘decisions not options’), the UI uses all of the native WordPress controls so it feels native to the WordPress Block editor etc. and as such the concept of folks with the editor role being able to see and edit all content on the site filters through here, too.

    With that being said, I’ve thought deeply on how this may actually work, should it be something that someone wanted (perhaps in an add-on). As the core Content Visibility plugin is designed right now, it’s not possible – content visibility rules are simply not loaded in the dashboard whatsoever. That is something that could be made filterable, so that add-ons could provide this functionality. I’ll get that added in an upcoming update.

    Beyond that, the biggest problem I can see is that when the content of a post or page is loaded in the editor it is taken from the database and output onto the screen. If, for example, one of the blocks in the post should be hidden from the currently signed in user, and that user were to update the post whilst that block was hidden, then the block that is hidden would no longer be sent back to the database (as it wouldn’t actually be there!), and as such it wouldn’t be part of the post any more.

    It’d be doable with CSS to “hide” the block, but that’s a) easily circumvented by someone who wanted to see it, and b) doesn’t fit in with the way people would expect the plugin to work. It’d not truly be unviewable by that person, which would lead to a loss in trust. Plus, I’m not entirely sure hiding it in CSS would remove it from post revisions, so it’d be super simple to circumvent.

    One thing you may want to consider is adding the “admin-only” content as a widget which is a) only shown on that post/page and b) only visible to admins. You could then lock down access to the widgets screen to admins only (using something like the excellent Members plugin https://en-ca.www.ads-software.com/plugins/members/ )

    Thanks again for the detailed comment, and for taking me down a few rabbit holes ??

    Rich

Viewing 1 replies (of 1 total)
  • The topic ‘The restriction should also apply in the editor.’ is closed to new replies.