BuddyDev

[Resolved] Secure or hide buddypress admin users using 404 error

  • Participant
    Level: Guru
    Posts: 900
    Tosin on #53007

    Hello Brajesh

    Please can you review this code below and say whether it's safe and efficient to use; it might be helpful to others to secure admin accounts.

    function bp_redirect_admin_profile_to_404() {
        // Get the ID of the user whose profile is being viewed
        $displayed_user_id = bp_displayed_user_id();

        // Check if the displayed user is an administrator
        if ( user_can( $displayed_user_id, 'administrator' ) ) {
            // Get the ID of the currently logged-in user
            $current_user_id = get_current_user_id();

            // Check if the currently logged-in user is an administrator
            if ( $current_user_id && user_can( $current_user_id, 'administrator' ) ) {
                // Allow logged-in admins to view the profile
                return;
            }

            // Serve the default WordPress 404 template to non-admin users
            global $wp_query;
            $wp_query->set_404();
            status_header( 404 );
            nocache_headers();
            include( get_404_template() );
            exit();
        }
    }
    add_action( 'bp_template_redirect', 'bp_redirect_admin_profile_to_404' );
  • Participant
    Level: Guru
    Posts: 900
    Tosin on #53008

    I also think having this in the admin stealth mode plugin would be awesome

  • Keymaster
    Level: Yogi
    (BuddyDev Team)
    Posts: 3115
    Ravi on #53030

    Hello Tosin,

    Please try the following code:

    add_action( 'bp_template_redirect', function () {

    	// Only act on member profile pages, and never on the viewer's own profile.
    	if ( ! bp_is_user() || bp_is_my_profile() ) {
    		return;
    	}

    	$displayed_user = get_user_by( 'id', bp_displayed_user_id() );
    	// This should never happen.
    	if ( ! $displayed_user ) {
    		return;
    	}

    	// Nothing to do unless the displayed user is an administrator.
    	if ( ! in_array( 'administrator', $displayed_user->roles, true ) ) {
    		return;
    	}

    	// If we are on an admin profile and the viewer is not logged in, or the logged-in user is not an admin, do 404.
    	if ( ! is_user_logged_in() || ! in_array( 'administrator', wp_get_current_user()->roles, true ) ) {
    		//add_filter( 'bp_use_theme_compat_with_current_theme', '__return_false' );

    		bp_do_404();
    	}

    }, 1000 );

    Please un-comment the line before bp_do_404 if your theme is not a block theme, and then give it a try.

    Regards
    Ravi
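
    Added example (not code from the thread, BuddyDev or BuddyPress): a mu-plugin-style snippet that builds on the bp_template_redirect approach above and also keeps administrators out of the members directory, since a 404 on the profile alone still lets the members listing reveal that the account exists. The bdx_ function names are my own; the snippet assumes a single-site install where the administrator role is the one to hide, and uses the BuddyPress functions bp_is_user(), bp_is_my_profile(), bp_displayed_user_id(), bp_do_404() and the bp_ajax_querystring filter.

    ```php
    <?php
    /**
     * Hide administrator accounts in BuddyPress from non-administrator viewers.
     * Added example; function names prefixed bdx_ are assumptions, not BuddyPress APIs.
     */

    /**
     * IDs of every user holding the administrator role.
     * Cached per request because the directory filter can run several times per page.
     */
    function bdx_get_admin_user_ids() {
    	static $ids = null;
    	if ( null === $ids ) {
    		$ids = get_users(
    			array(
    				'role'   => 'administrator',
    				'fields' => 'ID',
    			)
    		);
    		$ids = array_map( 'intval', $ids );
    	}
    	return $ids;
    }

    /**
     * True when the current visitor is logged in and has the administrator role.
     */
    function bdx_viewer_is_admin() {
    	return is_user_logged_in() && in_array( 'administrator', wp_get_current_user()->roles, true );
    }

    /**
     * 1. Serve a 404 for administrator profiles unless the viewer is an admin.
     *    Late priority so other profile-level redirects have already run.
     */
    add_action( 'bp_template_redirect', function () {
    	if ( ! bp_is_user() || bp_is_my_profile() || bdx_viewer_is_admin() ) {
    		return;
    	}
    	if ( in_array( bp_displayed_user_id(), bdx_get_admin_user_ids(), true ) ) {
    		bp_do_404();
    	}
    }, 1000 );

    /**
     * 2. Exclude administrators from the members directory and its AJAX loops
     *    for non-admin viewers by appending their IDs to the "exclude" argument,
     *    merging with any exclude list another plugin already set.
     */
    add_filter( 'bp_ajax_querystring', function ( $query_string, $object ) {
    	if ( 'members' !== $object || bdx_viewer_is_admin() ) {
    		return $query_string;
    	}

    	$admin_ids = bdx_get_admin_user_ids();
    	if ( empty( $admin_ids ) ) {
    		return $query_string;
    	}

    	$args     = wp_parse_args( $query_string );
    	$existing = empty( $args['exclude'] ) ? array() : wp_parse_id_list( $args['exclude'] );

    	$args['exclude'] = implode( ',', array_unique( array_merge( $existing, $admin_ids ) ) );

    	return http_build_query( $args );
    }, 20, 2 );
    ```

    Two things worth checking after installing it: visit an admin's profile URL logged out and confirm the response status is 404 rather than a redirect to a slug that hints the account exists, and load the members directory logged out to confirm no administrator appears. The directory filter only covers member loops driven by bp_ajax_querystring; other surfaces such as member search suggestions or activity streams are not touched by this snippet.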

  • Participant
    Level: Guru
    Posts: 900
    Tosin on #53032

    Thanks for the updated code

    I am using the profile privacy plugin and while using your updated code I am receiving the 404 error correctly but the url is in this format https://site.com/members/mike/visibility-protected/.

    I don't think it’s cool to show the (visibility-protected) slug for admins since it reveals that the admin account is available but just hidden

  • Keymaster
    Level: Yogi
    (BuddyDev Team)
    Posts: 3115
    Ravi on #53037

    Hello Tosin,

    Thank you for the acknowledgement. Please update the setting ‘Protected Profile Policy’ and set it to ‘Redirect to the last visited non protected page’. It will redirect if the profile is protected.

    Regards
    Ravi

  • Participant
    Level: Guru
    Posts: 900
    Tosin on #53049

    Thanks Ravi this is now resolved

  • Keymaster
    Level: Yogi
    (BuddyDev Team)
    Posts: 3115
    Ravi on #53050

    Thank you for marking it as resolved

The topic ‘ [Resolved] Secure or hide buddypress admin users using 404 error’ is closed to new replies.