How to bypass XenForo permission for a single page?

[RobinHood]

I'm working on a member only site for a friend. All registrations must be manually approved so he can assign them to specific usergroups before they get access to the site.

So what I've done is removed the 'View' permission for the 'Registered' usergroup and required all members be manually approved.

This means people can register, the admin then assigns them to the correct usergroups so they have the correct permissions when they buy a membership, and approves the account.

When the account is approved they can view the account/upgrades page, and they then need to purchase a membership to view the full site.

The problem is that while revoking the view permission locks down the site until they buy a membership, it also locks down the stripe checkout page, so they can't actually buy an upgrade 🙈

I've looked in templates:

payment_initiate_stripe
account_upgrades

But I can't see a permission check, can anyone please advise on how I can sidestep the permission for that page so users can buy an upgrade?

Thanks

 

[Adam]

Probably best off using an add-on: [AddonFlare] Paid Registrations

 

[RobinHood]

I've looked at that, but I don't want to use a 3rd party plugin if I don't have to, and this seems to be the only sticking point to getting this workflow he requested to work.

That add on seems to require people to pay when they sign up, and my friend doesn't want people to be able to pay until he's had a chance to look over their account info and approve them, also because some people may come to a free offline session before signing up online, but he doesn't want them to have access to the content on the site unless they've paid.

I think I'd still run into the same issue with that add on anyway. As even if I had a free usergroup, they'd still need the view permission to be revoked to lock down the site until they buy an upgrade, and then I'm back in the same boat.

I really just need to understand where the permission check is happening so I can allow the user to checkout even if the rest of the site is locked down.

 

[Adam]

I've looked at that, but I don't want to use a 3rd party plugin if I don't have to, and this seems to be the only sticking point to getting this workflow he requested to work.

That add on seems to require people to pay at when they sign up, and my friend doesn't want people to be able to pay until he's had a chance to look over their account info and approve them, also because some people may come to a free offline session before signing up online, but he doesn't want them to have access to the content on the site unless they've paid.

I think I'd still run into the same issue with that add on anyway. As even if I had a free usergroup, they'd still need the view permission to be revoked to lock down the site until they buy an upgrade, and then I'm back in the same boat.

I really just need to understand where the permission check is happening so I can allow the user to checkout even if the rest of the site is locked down.

Could you just set the node permissions individually leaving the account pages in tact?

 

[RobinHood]

Possibly, and I have thought of that, but it's not a very scalable solution, and prone to exposing data down the line if we add more nodes and forget to lock them down. A safer route (and faster and simpler for someone who knows how to do it I bet) would be to stick with locking the whole site down, but figuring out a way to grant permission to the checkout page.

 

[Adam]

Possibly, and I have thought of that, but it's not a very scalable solution, and prone to exposing data down the line if we add more nodes and forget to lock them down. A safer route (I imagine) would be to stick with locking the whole site down, but figuring out a way to grant permission to the checkout page.

Sure. I figure they user permissions are done at a low level in the routes file so you’ll need an add-on (either prebuilt or something custom) or built in solution. I can’t imagine they’re on a per template basis as this introduces the same kind of security problems you were worried about.

I think we and @JoyFreak are the only XenForo users on here so maybe someone got a better idea on their forums as well! 😄

 

[RobinHood]

Sure. I figure they user permissions are done at a low level in the routes file so you’ll need an add-on (either prebuilt or something custom) or built in solution.

Yeah, I figured as much, which is why I'm hoping someone who understands that might be willing to advise and explain which files to look at so I can understand how it works.

 

[Adam]

Yeah, I figured as much, which is why I'm hoping someone who understands that might be willing to advise and explain which files to look at so I can understand how it works.

They’ll be in the core files so you won’t want to edit those as it’ll be overwritten on next update.

You could use the template conditionals in the page_container template to hide all content apart from your selected pages but you’d also need to do something about RSS feeds and such which will expose your content.

 

[RobinHood]

Yeah, not really bothered about RSS feeds, just viewing premium content and engaging with the community.

Ended up just going through and locking everything down node by node using permissions for now, I think that'll do.