• Resolved abooster

    (@abooster)


    I like your plugin but there’s a general issue regarding TinyMCE in bbPress.
    When trying to insert a link WP is suggesting existing pages!
    This is an extremely undesirable behavior as I might have private pages and test pages etc. and all of them are being listed as suggestions in the insert link dialog.
    [rant]It’s beyond me why bbPress is allowing that. When I try to insert a link here, www.remarpro.com isn’t suggesting me all of its internal (and possibly private) pages to link to. So, WHY is bbPress doing that? [/rant]

    Anyway, I hope you can become the savior for all bbPress users who are unwittingly exposing their private and/or test pages in that insert link dialog.
    I know, it has nothing to do with your plugin.
    You are NOT responsible for this malicious behavior of bbPress.
    But it would be really nice (and easy) for you to add that functionality.

    Can you please do that?

    Can you add an option to hide (or better: remove) all of the internal page suggestions in the “insert link” dialog?

    Here’s a solution I found so far:
    https://wordpress.stackexchange.com/questions/212911/how-do-i-remove-or-disable-or-link-to-existing-content-in-insert-link-dialog
    but I’d much prefer to fix it via a plugin and your plugin is perfectly suited to be a savior fixing this issue.

    Please remove or disable “Or link to existing content” in “insert link” dialogue!

    https://www.remarpro.com/plugins/forum-beginner-posts/

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Fidgety Lizard

    (@fliz)

    Hello!

    Which version of WP and bbPress are you using? I’ve just created a test private page and test private post, and I’m not seeing either of them in the “link to existing content” suggestions when adding a link to a forum post. (That’s true whether I’m logged in as the creator of the private content, or as somebody else.) I’m using the standard TinyMCE not the Extended editor.

    Thread Starter abooster

    (@abooster)

    WP version: 4.5.2
    bbPress: 2.5.9
    And I don’t think I’m using anything other than the standard TinyMCE. (although I don’t know how to check this)

    Now, if you created just 2 pages, then this feature might not kick in with just 2 pages as it wouldn’t make sense with such a small number of pages.
    I’d suggest you clone at least 10 pages for testing.

    Oh, and you mentioned that you set your pages as *private* content.
    My pages are NOT set to private.
    Setting them as private wouldn’t make any sense for me as any website visitor must be able to see those pages BUT ONLY when I show those pages to them.
    Plus, there’s no need to set those pages to private because when there are no navigation links linking to them and when the search engines are discouraged from indexing those pages, that’s perfectly sufficient to hide those pages from direct access by random users.

    This is true for pages such as thank-you pages that contain downloadable files (that users are only supposed to see after purchase) as well as random test pages that you wouldn’t want to show to random forum users etc.

    Thread Starter abooster

    (@abooster)

    P.S. this “Or link to existing content” in “insert link” dialogue comes up in both the visual and the text editor.

    Sorry to hijack the post, I am also seeing this when clicking the add link.

    https://dl.dropboxusercontent.com/u/78000180/editor.png

    If you click the link options you will see it there; it is a new feature from WordPress’s latest version.

    Plugin Author Fidgety Lizard

    (@fliz)

    Hi guys,

    Ok, I understand the context now.

    abooster, if the pages that are showing up in the TinyMCE posts listing are published and public, then I’d say this is “expected” behaviour (in the sense that you’re relying on “security through obscurity” to hide your pages, rather than actually restricting them.) I can see why this TinyMCE feature is annoying you however.
    (Note – there may be ways to filter the posts visible in the link selector – see https://wordpress.stackexchange.com/questions/115592/excluding-post-type-from-wordpress-link-builder/116027.)

    When I get a chance, what I’ll try and do is add some functionality to the plugin to support custom javascript snippets for TinyMCE. This functionality could be used to make the JS-based CSS tweaks you’re suggesting, or other CSS tweaks to TinyMCE, so it would be a more widely useful extension. I’m flat out just now but will get onto this when I can.

    Cheers!

    Hi Fidgety.

    Again sorry to the OP and thank you for your response.

    Thread Starter abooster

    (@abooster)

    @fidgety Lizard
    While this might not be an explicit “security” issue, for me and many others this privacy issue is so important that it has the same level as a security issue would.

    And indeed, as you notice on this very site here:
    The insert link dialog here doesn’t show any of that malicious behavior.

    Now, while I’m grateful you linked to that page explaining that it’s wp_link_query that’s responsible for this malicious behavior, the info on that page doesn’t really help because changes in WP core files would be overwritten by the next WP update, correct?

    Or is there a way to stop wp_link_query working for all non-admin users?

    Instead of JS/CSS-based solutions I (and certainly most other people) would prefer to completely block wp_link_query for non-admin users.

    This could potentially also be a separate mini-plugin that would instantly get 5 stars from me.
    i.e. a plugin that completely blocks wp_link_query for all regular non-admin users of WordPress, BuddyPress and bbPress.

    Otherwise this remains a giant privacy hole.

    Thread Starter abooster

    (@abooster)

    P.S. After taking a closer look at that page you linked above, it appears that years ago WordPress developers introduced wp_link_query_args to deal with this problem.
    And yet, despite adding that function the giant privacy hole still exists today!

    [Remarks redacted]

    They created something that can be used to easily plug the giant privacy hole but they are not plugging that hole for everyone! WHY???
    They plugged the hole for regular users posting on www.remarpro.com but they left the giant hole open for everyone who uses their software.
    [Remarks redacted]

    I hope you can create a solution to fix that problem.

    [Remarks redacted]

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    @abooster, Please remain civil.

    Plugin Author Fidgety Lizard

    (@fliz)

    Hi again abooster,

    I think it would indeed make more sense to release a separate plugin that, as you suggest, would allow link suggestions to be disabled for non-admin users. (Or better, defines a new capability for managing who gets to see link suggestions – defaulting to admin only.)

    Obviously to be secure, this would need to prevent the list of links being returned to the browser, instead of/as well as hiding the “or link to existing content” section with CSS. There’s also some checking to be done to make sure the same approach will work with both the WordPress back end and bbPress.

    I’m not averse to looking into this new plugin, I’m just a bit flat out at the moment. In the meantime if you wanted to dig into the TinyMCE documentation (https://archive.tinymce.com/wiki.php) and see if there’s any configuration to switch suggested links off in TinyMCE itself, that would be really helpful.

    Cheers!
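
The server-side restriction discussed in the post above, sketched as a small standalone plugin. This is an added example, not code from any poster in this thread or from the Forum Beginner Posts plugin. The capability name `see_link_suggestions` and the plugin header are assumptions made for the example; it also relies on WordPress core registering its own `wp-link-ajax` handler at priority 1.

```php
<?php
/**
 * Plugin Name: Restrict Link Suggestions (added example)
 */

// Hypothetical capability name, chosen for this example.
const RLS_CAP = 'see_link_suggestions';

// On activation, grant the capability to administrators only.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( RLS_CAP );
    }
} );

// 1. Stop the AJAX request before core's handler (priority 1) builds the list.
//    wp_die( 0 ) is the same response core sends when nothing matches, so the
//    link dialog simply shows no suggestions.
add_action( 'wp_ajax_wp-link-ajax', function () {
    if ( ! current_user_can( RLS_CAP ) ) {
        wp_die( 0 );
    }
}, 0 );

// 2. Defence in depth: empty the result set for any other code path that
//    runs the link query, so no titles or permalinks reach the browser.
add_filter( 'wp_link_query', function ( $results ) {
    return current_user_can( RLS_CAP ) ? $results : array();
} );
```

This only stops the suggestion list from being returned; published pages stay reachable by anyone who has their URL, so pages that must not be seen still need real access control.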

    Thread Starter abooster

    (@abooster)

    Re: “Or better, defines a new capability for managing who gets to see link suggestions – defaulting to admin only.”

    Oh, that would be awesome!

    Re: “There’s also some checking to be done to make sure the same approach will work with both the WordPress back end and bbPress.”

    I’m willing to do the testing to make sure it works in BuddyPress and bbPress as well. Although I’m pretty sure that BuddyPress and bbPress are just using the core functionality. So, if it’s fixed in the WP core, it should be automatically fixed for BuddyPress and bbPress as well.

  • The topic ‘Can you fix this issue?’ is closed to new replies.