Search displays hidden forums to participants

[wpsolr]

Hi,

1) I created a hidden forum with topics and replies as a keymaster
2) I logged in as a Participant
3) A search will not display topics and replies as expected, but the forum itself is displayed!
4) Clicking on the forum shows a 404 page, as expected

WordPress 6.0
Plugins active: bbPress, Classic Editor

[wpsolr]

Capture of search showing a hidden forum to a particpant

[wpsolr]

Hidden forum not shown in list, as expected

[wpsolr]

Hidden forum settings

[wpsolr]

All topics of hidden forum not shown on search, as expected

[wpsolr]

Participant role

[wpsolr]

Hidden forum created by keymaster (not by the participant)

[Robin W]

I could not replicate this in my test site.

User has not responded further in support topic

​https://bbpress.org/forums/topic/search-displays-hidden-forums-to-participants/

[Robin W]

correction, I've now replicated

the issue is in \bbpress\includes\search\template.php line 49 onwards

mods and above get permissions to see all from line 50 which sets a list of $defaultpost_status?

participants/spectators get $defaultperm? = 'readable' set instead of $defaultpost_status?.
'perm' is a wordpress wp_query setting, and wordpress does not have 'hidden' status, so allows hidden forums to show, nit sure why, but it does !

if the 'else' line is revised to set permissions, then all works as it should

this filter fixes

add_filter ('bbp_after_has_search_results_parse_args', 'bsp_search_hide_hidden_forums') ;


<?php
function bsp_search_hide_hidden_forums ($args) {
                if (!empty($args['perm'])) {
                unset ($args['perm']) ;
                $post_statuses = array(bbp_get_public_status_id()) ;
                // Add support for private status
                if ( current_user_can( 'read_private_topics' ) || current_user_can( 'read_private_forums' ) ) {
                        $post_statuses[] = bbp_get_private_status_id();
                }
                // Add support for hidden status
                if ( current_user_can( 'read_hidden_forums' )) {
                        $post_statuses[] = bbp_get_hidden_status_id();
                }
                // Join post statuses together
                $args['post_status'] = $post_statuses;
        }
return $args ;
}

[johnjamesjacoby]

This is a fun one, because it is a combination of bugs!

1. "Hidden" forum IDs are being excluded via a meta_query through bbp_pre_get_posts_normalize_forum_visibility(), but that doesn't work on the forums themselves because they don't store their own forum ID in their own meta data.
2. "Private" forum IDs are only being made visible to: Key Masters, or the authors of the private forums.

I have a fix for both incoming.

[johnjamesjacoby]

In 7262:

Search: prevent hidden forums from appearing in results.

This change includes the following changes:

• Removes readable perm check from bbp_has_search_results() and replaces it with public topic statuses by default, while conditionally adding private & hidden statuses if user is capable
• Tweaks the logic inside of bbp_pre_get_posts_normalize_forum_visibility() to always handle both of its internal conditions (forum query, or any query that includes forums/topics/replies connected via meta data)
• Tweaks output of content-search.php template part to not show the "Oh bother" error when visiting a search page for the first time
• Adds a string feedback-no-search.php template part to address both "no results" and "no terms" conditions

These changes address some faulty search logic that was allowing hidden forums to appear in global search results to users who should not have been able to see them, while also improving the search page experience itself.

Fixes #3473.

Props wpsolr, robin-w.

In branches/2.6, for 2.6.10.