If you are using the [membership] shortcode and don’t specify any levels, the code for membership shortcode has no levels to check and just returns has_access. This means that unconfirmed email users (as well as unapproved users in the Approvals Add On) can see the content of the [membership] shortcode if no levels are set.
The workaround right now is to specify all level IDs in your membership shortcode, so rather than:
[membership] stuff. [/membership]
The user must do:
[membership levels="1,2,3,4,5"] stuff [/membership]
Here is the code in core PMPro: https://github.com/strangerstudios/paid-memberships-pro/blob/dev/shortcodes/membership.php#L46 where if $levels is false, just return access.
The filter here in Email Confirmation Add On https://github.com/strangerstudios/pmpro-email-confirmation/blob/dev/pmpro-email-confirmation.php#L169-L172 has no levels to check so just returns true.
I do not know if this is a core fix or a fix in this Add On. If $levels is empty, could core just pass ALL level IDs through the filter? That is the assumption of the code anyway - no levels means presence of ANY level (all IDs).
An alternative for the Email Confirmation Add On to have a separate filter for https://github.com/strangerstudios/paid-memberships-pro/blob/dev/shortcodes/membership.php#L84
If you are using the [membership] shortcode and don’t specify any levels, the code for membership shortcode has no levels to check and just returns has_access. This means that unconfirmed email users (as well as unapproved users in the Approvals Add On) can see the content of the [membership] shortcode if no levels are set.
The workaround right now is to specify all level IDs in your membership shortcode, so rather than:
[membership] stuff. [/membership]The user must do:
[membership levels="1,2,3,4,5"] stuff [/membership]Here is the code in core PMPro: https://github.com/strangerstudios/paid-memberships-pro/blob/dev/shortcodes/membership.php#L46 where if $levels is false, just return access.
The filter here in Email Confirmation Add On https://github.com/strangerstudios/pmpro-email-confirmation/blob/dev/pmpro-email-confirmation.php#L169-L172 has no levels to check so just returns true.
I do not know if this is a core fix or a fix in this Add On. If $levels is empty, could core just pass ALL level IDs through the filter? That is the assumption of the code anyway - no levels means presence of ANY level (all IDs).
An alternative for the Email Confirmation Add On to have a separate filter for https://github.com/strangerstudios/paid-memberships-pro/blob/dev/shortcodes/membership.php#L84