The Paywall That Wasn't: Debugging a 919-Video Leak on WordPress
A WordPress site experienced a bug where paid members could not access on-demand videos, but it was discovered that the paywall was not protecting the content at all. The issue was caused by a misconfiguration between WishList Member and All-in-One Video Gallery, resulting in 919 videos being publicly accessible. The problem was resolved by implementing a server-side gate before rendering the content.
- ▪The site used a combination of WordPress, WooCommerce, WishList Member, and Vimeo to manage its membership and video content.
- ▪The bug was initially reported as a simple access-check issue, but it was later discovered that the paywall was not functioning at all.
- ▪The fix involved implementing a server-side gate to protect the content before it was rendered.
- ▪The issue was caused by a misconfiguration between WishList Member and All-in-One Video Gallery, which resulted in the content protection not being applied to the videos.
- ▪The site's use of a custom post type for the videos contributed to the issue, as WishList Member's content protection did not automatically apply to the videos.
Opening excerpt (first ~120 words) tap to expand
try { if(localStorage) { let currentUser = localStorage.getItem('current_user'); if (currentUser) { currentUser = JSON.parse(currentUser); if (currentUser.id === 126345) { document.getElementById('article-show-container').classList.add('current-user-is-article-author'); } } } } catch (e) { console.error(e); } Vicente G. Reyes Posted on Jun 30 • Originally published at vicentereyes.org The Paywall That Wasn't: Debugging a 919-Video Leak on WordPress #wordpress #security #webdev #php The ticket was three sentences long: "Some paid members can't play the on-demand videos. They log in, click a video, and still get told they need a membership. Can you fix it tonight?" I fixed it tonight.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to (Top).