-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Admin Toolbar cached when Logged-In Users caching enabled #497
Comments
Of those two choices, I would vote for this one. Or, I would also vote to get rid of that option altogether; only because this particular feature has the potential to create a security issue if not configured properly. The Admin Bar showing is one mild example of this, but suppose the site owner was running some plugin that displayed blog stats or DB details in some way. If something like that got cached, and the site owner doesn't realize the impact of the ZenCache configuration, it creates a security issue. This was my doing; i.e., I put that option in there to improve flexibility, but the case you mentioned here is a good reason for us not to have that in my view. I imagine it is used rarely anyway. |
I agree with that. Maybe we can get rid of that option, but make enabling such an option possible through the use of an MU-Plugin, so that if an advanced site owner wants that functionality and knows what they're doing, they can still enable it. |
Just thinking about what removing the "Logged-In User Caching" feature might entail and what kinds of scenarios we'd need to consider:
|
Next ActionsCovering the Use Cases Listed Above1. Existing users who have this option enabled
2. Existing users who don't have this option enabled.Already covered by the above suggested changes in point 1. 3. New users.Already covered by the above suggested changes in point 1. Disable Admin Bar if
|
Next Actions for this IssueCreate a new feature branch Covering the Use Cases Listed Above1. Existing users who have this option enabled
2. Existing users who don't have this option enabled.Already covered by the above suggested changes in point 1. 3. New users.Already covered by the above suggested changes in point 1. Disable Admin Bar if
|
@jaswsinc Sounds great to me! :-) |
@renzms Here's a visual of what you're tweaking (i.e., hiding) as part of your work on this issue. |
Cool.
In the instructions above, there is a section titled, "Disable Admin Bar if What we need is a note in the config. panel whenever e.g., |
Note that while you are hiding the |
Hi @jaswsinc, Can the note be the following? Note for users who have set "Yes, but DON'T maintain a separate cache": If you had this feature previously enabled, please be aware that the Admin Bar will no longer be shown on the front-end of your website. The option for "Yes, but DON'T maintain a separate cache", is no longer accessible unless using an MU plugin. |
Something like this... <?php if($this->plugin->options['when_logged_in'] === '1' && $this->plugin->applyWpFilters(GLOBAL_NS.'_when_logged_in_no_admin_bar', true)): ?>
echo '<p class="warning">'.sprintf(__('<strong>Warning:</strong> Whenever you enable caching for logged-in users (without a separate cache for each user), the WordPress Admin Bar <em>must</em> be disabled to prevent one user from seeing another user\'s details in the Admin Bar. <strong>Given your current configuration, %1$s will automatically hide the WordPress Admin Bar on the front-end of your site.</strong>', SLUG_TD), esc_html(NAME)).'</p>';
<?php endif; ?> Warning: Whenever you enable caching for logged-in users (without a separate cache for each user), the WordPress Admin Bar must be disabled to prevent one user from seeing another user's details in the Admin Bar. Given your current configuration, ZenCache will automatically hide the WordPress Admin Bar on the front-end of your site. |
@jaswsinc , Ok thanks, I'll add that in, also which file will I add this to? Plugin.php? How will I test this though as I never set it as |
This should appear just underneath the dropdown menu that you worked on here.
In your working copy of ZenCache, create an MU plugin to enable this feature by force. Create: <?php
add_filter('zencache_options', function(array $options){
$options['when_logged_in'] = '1';
return $options;
}); |
@jaswsinc Thanks! I will try that to test out the changes via MU plugin. |
Thank you. Yes, lookin' great in your screenshot! I need to see a PR though. Don't worry about having everything just right before you open a PR. If you feel ready for a review, even if you're not sure that everything is just right, go ahead and open a PR so that I can review the diff and the changes that you made. |
@jaswsinc
Noted! Will submit a PR now. Thanks! |
@jaswsinc Reviewing Renz's PR it appears that the intention here is to only remove the option to enable Logged-In User Caching without maintaining a separate cache, is that correct? Earlier in this GitHub issue (namely here: #497 (comment)) I was under the impression that we were removing the entire Logged-In User Caching feature altogether. However, if that's not the case that's good, because my feeling is that this is a really popular feature (being able to cache logged-in users) and I'd rather not see it go. :-) |
That is correct :-) This particular setting has the potential to create a security problem, so removing it from the available options seems like a good idea to me. It can still be enabled with a filter though. |
@jaswsinc writes (in #497 (comment))...
This was where I misunderstood you. Re-reading that now, I realize you were just referring to the Yes, but DON'T maintain a separate cache for each user option, not the entire Logged-In User Caching feature. :-) My mistake. |
@jaswsinc writes...
Has that been implemented yet? I didn't see that in the PR. |
No, it wasn't introduced as a part of this PR. However, you can accomplish this with a filter that we have for the options array. <?php
add_filter('zencache_options', function(array $options){
$options['when_logged_in'] = '1';
return $options;
}); |
Ah, right. I forgot about that. Very cool. :-) |
Next Pro Release Changelog:
|
ZenCache v151114 has been released and includes changes from this GitHub Issue. See the v151114 announcement for further details. This issue will now be locked to further updates. If you have something to add related to this GitHub Issue, please open a new GitHub Issue and reference this one (#497). |
Steps to reproduce this bug
Expected Behavior
The cached page should be loaded, but without any Admin Toolbar at the top. Since the visitor visiting the page is not logged in, seeing an Admin Toolbar is unexpected.
Observed Behavior
The cached page includes the Admin Toolbar and so the logged-out visitor sees a version of that page that includes that toolbar (attempting to use anything on the toolbar obviously redirects to the login page, but that toolbar really shouldn't be there in the first place).
Potential Fixes
<div>
inside the cached HTML that containsid="wpadminbar"
before generating the cache file, so that the resulting cache file does not contain that div at all.Support threads referencing this issue
The text was updated successfully, but these errors were encountered: