feat(access-control): add group subscription identifier to metadata (#4697)

* fix(access-control): filter out nonexistent and non-group subs from user results

* chore: update deprecated `filter_enabled_fields` method

* feat(access-control): add Content_Access_Group ESP metadata field

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(access-control): include owned group sub names in Content_Access_Group

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(access-control): add `group` GA4 param for content access groups

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix(access-control): address Copilot review on PR #4697

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(access-control): address review blockers + extract shared name helpers

- Restore Institution::user_matches_institution() IP-cache tightening lost in
  trunk merge: only treat the request as uncached when the visitor is the user
  being evaluated (or the cache-bypass cookie is set). Prevents the requestor's
  IP from leaking to non-current users during background metadata sync.
- Guard get_group_labels() institution branch against non-array $value to avoid
  a PHP 8 TypeError when an institution rule has empty/scalar value.
- Decouple Group_Subscription::get_group_subscriptions_for_user() from
  is_group_subscription()'s My-Account/Memberships side effect. Data-layer
  callers must always see the canonical group-enabled state.
- Extract Group_Subscription::get_group_names_for_user() and
  Institution::get_matching_names_for_user() helpers, each with per-request
  static memoization. Use html_entity_decode( ENT_QUOTES | ENT_HTML5 ) so
  names with non-basic entities (&mdash;, &#8217;, etc.) decode cleanly for
  ESP/GA4 transport. Use WooCommerce_Connection::get_active_subscriptions_for_user()
  for the owned path so status + gifting filters live in one place.
- Update Content_Gate metadata get_group_labels() and GoogleSiteKit::get_user_group_names()
  to delegate to the shared helpers.
- GA4 helper now early-returns when ! Reader_Activation::is_user_reader( $user ),
  matching the framing of the surrounding is_reader / is_subscriber params.
- Replace brittle one-shot filter ordering in test_subscription_filter_source
  with an unconditional filter + unregistered product so the strict per-product
  lookup naturally falls through.
- Add regression tests: malformed institution rule values (data provider) and
  cross-user IP leak prevention.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(access-control): address PR #4697 review round 2

T10 — Restore Memberships parity at the My-Account UI layer
- Gate Group_Subscription_MyAccount::inject_member_group_subscriptions() on
  ! Memberships::is_active() so the data-layer decoupling done in 7426ab3
  doesn't re-expose member group subs in the WC subscriptions list on
  Memberships sites. Mirrors the suppression that previously lived inside
  is_group_subscription(), but at the UI layer where it belongs.

T7 — $strict filter contract caveat
- Document on Access_Rules::has_active_subscription() that $strict only
  constrains the built-in ownership / group-membership checks. The
  newspack_access_rules_has_active_subscription filter is always applied;
  filter authors must opt into the 4th $strict arg and respect it, or
  callers relying on $strict (e.g. Content_Gate source labels) may
  misclassify filter-granted access as local ownership.

T8 / T9 — Helper cache lifecycle + ID accessors
- Move Group_Subscription and Institution per-request name caches to
  class-level statics so they can be reset.
- Add public reset_cache() / reset_matching_cache() methods.
- Hook reset on subscription status changes and group-member user-meta
  add/update/delete events so long-running CLI workers don't serve stale
  data across jobs.
- Refactor each helper to a shared get_settings_map_for_user() /
  get_matching_map_for_user() that returns [id => decoded_name]; the
  existing get_*_names_for_user() functions and the new get_*_ids_for_user()
  accessors project from it. Settings are read once per candidate sub.
- Institution cache key now includes get_current_user_id() so the IP-rule
  branch's current-user dependency doesn't produce stale hits.
- Docblock note on the gifting-filter asymmetry between owned and member
  subscription paths.

T11 — Anonymize GA4 group param
- GoogleSiteKit::get_user_group_labels() now emits "Group {sub_id}" /
  "Institution {inst_id}" identifiers instead of display names. The
  unnamed-group fallback synthesizes a name from the owner's billing full
  name, so sending names to GA4 would leak PII for every member of an
  unnamed group. ESP path keeps human-readable names — only GA4 is anonymized.

T14 — reader_data source label
- get_source_labels() returns [ 'reader_data' ] for the reader_data rule
  slug. Previously a reader_data-only access rule yielded Content_Access=Yes
  but empty Content_Access_Source.

T12 — Use get_post_field() for institution title transport
- Replace get_the_title( $inst_id ) so the value going to GA4/ESP isn't
  run through the_title filters (texturization or third-party hooks that
  can introduce entities or markup).

T13 — Document cookie-branch IP cross-attribution caveat
- One-line caveat on IP_Access_Rule::is_cookie_set() disjunct: it still
  treats any non-current $user_id as uncached when the current visitor
  carries the cache-bypass cookie. Narrow pre-existing edge case.

T18 — Direct $resolver(...) invocation
- Drop call_user_func() in Content_Gate::collect_labels(); PHP 7+ invokes
  array callables directly. (Reverts the Copilot autofix in d350ee4.)

T5 / T6 — Test isolation
- Track Institution::create() post IDs in test classes that use them and
  delete them in tear_down(). Institution::create() inserts real posts
  not tracked by $this->factory, so they were leaking into later tests.
- Reset Group_Subscription / Institution caches in set_up and tear_down.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs: improve docblock for get_user_group_labels memoization

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

includes/content-gate/class-access-rules.php

@@ -355,11 +355,22 @@ public static function get_subscription_products_options() {
 	 * Whether the user has an active subscription for one of the given products.
 	 * Also checks if the user is a member of a group subscription with the required products.
 	 *
+	 * Note: `$strict` only constrains the built-in ownership / group-membership checks.
+	 * The `newspack_access_rules_has_active_subscription` filter is always applied and
+	 * its return value is the final result, so a third-party filter callback can grant
+	 * access even when `$strict` is true. Filter authors should opt in to the 4th `$strict`
+	 * arg (`accepted_args` >= 4) and respect it — e.g., short-circuit and return
+	 * `$has_subscription` unchanged when `$strict` is true and the access claim isn't
+	 * strictly an owned subscription. Otherwise callers using `$strict` to distinguish
+	 * owner-vs-member access (e.g., `Content_Gate` source labels) may misclassify
+	 * filter-granted access as local ownership.
+	 *
 	 * @param int   $user_id     User ID.
 	 * @param array $product_ids Required product IDs.
+	 * @param bool  $strict      If true, only consider active subscriptions owned by $user_id (ignore group subscription memberships).
 	 * @return bool
 	 */
-	public static function has_active_subscription( $user_id, $product_ids ) {
+	public static function has_active_subscription( $user_id, $product_ids, $strict = false ) {
 		$has_subscription = false;
 
 		// Check user's own subscriptions.
@@ -368,7 +379,7 @@ public static function has_active_subscription( $user_id, $product_ids ) {
 		}
 
 		// Check group subscriptions the user is a member of.
-		if ( ! $has_subscription && function_exists( 'wcs_get_subscription' ) ) {
+		if ( ! $strict && ! $has_subscription && function_exists( 'wcs_get_subscription' ) ) {
 			$group_subscriptions = Group_Subscription::get_group_subscriptions_for_user( $user_id );
 			foreach ( $group_subscriptions as $subscription ) {
 				if ( ! $subscription || ! $subscription->has_status( WooCommerce_Connection::ACTIVE_SUBSCRIPTION_STATUSES ) ) {
@@ -395,8 +406,9 @@ public static function has_active_subscription( $user_id, $product_ids ) {
 		 * @param bool  $has_subscription Whether the user has an active subscription.
 		 * @param int   $user_id          User ID.
 		 * @param array $product_ids      Required product IDs.
+		 * @param bool  $strict           If true, only consider active subscriptions owned by $user_id (ignore group subscription memberships).
 		 */
-		return apply_filters( 'newspack_access_rules_has_active_subscription', $has_subscription, $user_id, $product_ids );
+		return apply_filters( 'newspack_access_rules_has_active_subscription', $has_subscription, $user_id, $product_ids, $strict );
 	}
 
 	/**

includes/content-gate/class-institution.php

@@ -235,6 +235,113 @@ public static function evaluate( $user_id, $institution_ids ) {
 		return false;
 	}
 
+	/**
+	 * Per-request cache of [inst_id => decoded_name] maps.
+	 *
+	 * @var array<string,array<int,string>>
+	 */
+	private static $names_cache = [];
+
+	/**
+	 * Reset the per-request matching-names cache.
+	 *
+	 * Tests, CLI workers, and invalidation hooks call this to bust the memoization in
+	 * `get_matching_names_for_user()` / `get_matching_ids_for_user()`. Distinct from
+	 * `invalidate_cache()`, which clears the underlying institutions transient.
+	 */
+	public static function reset_matching_cache() {
+		self::$names_cache = [];
+	}
+
+	/**
+	 * Get the sorted, deduplicated names of institutions whose rules a user matches.
+	 *
+	 * Memoized per request via {@see self::get_matching_map_for_user()} — see that helper
+	 * for cache scope, the IP/cookie context dependency, and invalidation.
+	 *
+	 * @param int        $user_id            User ID.
+	 * @param array|null $institution_filter Optional list of institution post IDs. If non-empty, only
+	 *                                       institutions whose ID is in the list are considered.
+	 *                                       Pass null or an empty array to scan every cached institution.
+	 *
+	 * @return string[] Sorted, deduplicated institution names.
+	 */
+	public static function get_matching_names_for_user( $user_id, $institution_filter = null ) {
+		$map   = self::get_matching_map_for_user( $user_id, $institution_filter );
+		$names = array_values( array_unique( array_values( $map ) ) );
+		sort( $names, SORT_NATURAL | SORT_FLAG_CASE );
+		return $names;
+	}
+
+	/**
+	 * Get the IDs of institutions whose rules a user matches.
+	 *
+	 * Returns institution post IDs. Shares the per-request cache with
+	 * {@see self::get_matching_names_for_user()}. Suitable for callers that want a stable,
+	 * non-PII identifier (e.g., GA4 anonymized labels) and don't need the display name.
+	 *
+	 * @param int        $user_id            User ID.
+	 * @param array|null $institution_filter Optional list of institution post IDs (same semantics
+	 *                                       as {@see self::get_matching_names_for_user()}).
+	 *
+	 * @return int[] Sorted institution post IDs.
+	 */
+	public static function get_matching_ids_for_user( $user_id, $institution_filter = null ) {
+		$ids = array_keys( self::get_matching_map_for_user( $user_id, $institution_filter ) );
+		sort( $ids, SORT_NUMERIC );
+		return $ids;
+	}
+
+	/**
+	 * Build the [inst_id => decoded_name] map for the user, memoized per request.
+	 *
+	 * Cache key includes `get_current_user_id()` because `user_matches_institution()`'s IP
+	 * branch is context-dependent on the current visitor (see the comment in that method).
+	 * Without that the same `$user_id` could legitimately resolve to different sets across
+	 * requests in a long-running worker that swaps the current user.
+	 *
+	 * IDs are read with `get_post_field( 'post_title', ... )` rather than `get_the_title( ... )`
+	 * so the value going to GA4/ESP is a raw post title, not one that's been through
+	 * `the_title` filters (texturization, third-party plugins) that can introduce entities
+	 * or markup.
+	 *
+	 * @param int        $user_id            User ID.
+	 * @param array|null $institution_filter Optional list of institution post IDs.
+	 *
+	 * @return array<int,string> Map of institution post ID to decoded post title.
+	 */
+	private static function get_matching_map_for_user( $user_id, $institution_filter = null ) {
+		$user_id = (int) $user_id;
+
+		// Normalize the filter so [], null, and unsorted/duplicate inputs share a cache key.
+		$normalized_filter = is_array( $institution_filter ) && ! empty( $institution_filter )
+			? array_values( array_unique( array_map( 'absint', $institution_filter ) ) )
+			: null;
+		if ( null !== $normalized_filter ) {
+			sort( $normalized_filter, SORT_NUMERIC );
+		}
+		// Include the current user in the cache key because the IP-rule branch of
+		// user_matches_institution() short-circuits when $user_id !== get_current_user_id().
+		$cache_key = $user_id . '|' . get_current_user_id() . '|' . ( null === $normalized_filter ? '' : implode( ',', $normalized_filter ) );
+		if ( isset( self::$names_cache[ $cache_key ] ) ) {
+			return self::$names_cache[ $cache_key ];
+		}
+
+		$map = [];
+		foreach ( self::get_cached_institutions() as $inst_id => $rules ) {
+			$inst_id = (int) $inst_id;
+			if ( null !== $normalized_filter && ! in_array( $inst_id, $normalized_filter, true ) ) {
+				continue;
+			}
+			if ( self::user_matches_institution( $user_id, $rules ) ) {
+				$map[ $inst_id ] = html_entity_decode( (string) \get_post_field( 'post_title', $inst_id ), ENT_QUOTES | ENT_HTML5, 'UTF-8' );
+			}
+		}
+
+		self::$names_cache[ $cache_key ] = $map;
+		return $map;
+	}
+
 	/**
 	 * Check if a user matches an institution's rules (OR logic).
 	 *
@@ -254,12 +361,22 @@ public static function user_matches_institution( $user_id, $rules, $uncached = f
 
 		if ( ! empty( $rules['ip_range'] ) ) {
 			// IP evaluation is page-cache-safe only when the response would be uncached anyway:
-			// the caller flagged it as such, the visitor is logged in, or the visitor carries
-			// the IP-access bypass cookie. A first-time anonymous on-campus visitor landing
-			// directly on a gated post matches none of these and will see the gate — they must
-			// first complete the IP check at /institutional-access (or ?institutional-access=1)
-			// to set the cookie before subsequent gated requests can evaluate their IP.
-			$is_uncached = $uncached || ! empty( $user_id ) || IP_Access_Rule::is_cookie_set();
+			// the caller flagged it as such, the *current visitor* is logged in (so the IP we
+			// would read is theirs), or the visitor carries the IP-access bypass cookie. We
+			// require $user_id === get_current_user_id() to avoid attributing the requestor's
+			// IP to a different user during background metadata sync (admin/cron/webhook). A
+			// first-time anonymous on-campus visitor landing directly on a gated post matches
+			// none of these and will see the gate — they must first complete the IP check at
+			// /institutional-access (or ?institutional-access=1) to set the cookie before
+			// subsequent gated requests can evaluate their IP.
+			//
+			// Caveat: the IP_Access_Rule::is_cookie_set() disjunct accepts any non-current
+			// $user_id when the *current visitor* carries the cache-bypass cookie, so a
+			// cookie-bearing on-campus visitor can still cause the current request's IP to
+			// be matched against another user's institution range. This is a narrow,
+			// pre-existing edge case (the cookie is only set after the visitor has already
+			// passed an institutional-access check on this site).
+			$is_uncached = $uncached || ( ! empty( $user_id ) && (int) $user_id === get_current_user_id() ) || IP_Access_Rule::is_cookie_set();
 			if ( $is_uncached && IP_Access_Rule::ip_matches_ranges( IP_Access_Rule::get_visitor_ip(), $rules['ip_range'] ) ) {
 				return true;
 			}

includes/plugins/class-teams-for-memberships.php

@@ -13,6 +13,7 @@
 use Newspack\Reader_Activation\Sync\Woocommerce as Sync_WooCommerce;
 use Newspack\Reader_Activation\Sync\Metadata as Sync_Metadata;
 use Newspack\Reader_Activation\Contact_Sync;
+use Newspack\Reader_Activation\Integrations;
 
 /**
  * Main class.
@@ -187,7 +188,11 @@ public static function handle_esp_sync_contact( $contact ) {
 			return $contact;
 		}
 
-		$filtered_enabled_fields = Sync_Metadata::filter_enabled_fields( [ 'woo_team' ] );
+		$esp = Integrations::get_integration( 'esp' );
+		if ( ! $esp ) {
+			return $contact;
+		}
+		$filtered_enabled_fields = $esp->filter_enabled_outgoing_fields( [ 'woo_team' ] );
 
 		if ( empty( $contact['email'] ) ) {
 			return $contact;

includes/plugins/google-site-kit/class-googlesitekit.php

@@ -260,6 +260,14 @@ function( $category ) {
 		// If reader has any currently active non-donation subscriptions.
 		$params['is_subscriber'] = empty( $reader_data['active_subscriptions'] ) ? 'no' : 'yes';
 
+		// Content access groups: anonymized identifiers for the user's active group
+		// subscriptions and matching institutions. See get_user_group_labels() for
+		// why we send IDs to GA4 rather than the human-readable names.
+		if ( Content_Gate::is_newspack_feature_enabled() ) {
+			$group_labels    = self::get_user_group_labels( $current_user );
+			$params['group'] = empty( $group_labels ) ? 'none' : implode( ', ', $group_labels );
+		}
+
 		/**
 		 * Filters the custom parameters passed to GA4.
 		 *
@@ -268,6 +276,48 @@ function( $category ) {
 		return apply_filters( 'newspack_ga4_custom_parameters', $params );
 	}
 
+	/**
+	 * Build the GA4 `group` parameter value for a user.
+	 *
+	 * The value is a sorted, comma-delimited list of anonymized identifiers for
+	 * active group subscriptions the user owns or is a member of, plus institutions
+	 * whose rules the user matches via any means.
+	 *
+	 * We emit anonymized IDs (`Group {sub_id}`, `Institution {inst_id}`) rather than
+	 * publisher-facing display names because the unnamed-group fallback in
+	 * `Group_Subscription_Settings` synthesizes a name from the owner's billing full
+	 * name — sending that to GA4 would leak PII for every member of an unnamed group.
+	 * The ESP path keeps the human-readable names; only the GA4 surface is anonymized.
+	 *
+	 * Both lookups are delegated to per-request-memoized helpers in `Group_Subscription`
+	 * and `Institution`, so repeat calls within the same request are cheap. Memoization
+	 * is deliberately request-scoped because the institution branch is per-visitor.
+	 *
+	 * @param \WP_User $user The user to inspect.
+	 * @return string[] Sorted, deduplicated anonymized labels.
+	 */
+	private static function get_user_group_labels( $user ) {
+		if ( ! $user || ! $user->ID ) {
+			return [];
+		}
+		// Match the framing of the surrounding params (`is_reader`, `is_subscriber`):
+		// only attribute groups to actual readers, not admins/editors.
+		if ( ! Reader_Activation::is_user_reader( $user ) ) {
+			return [];
+		}
+		$user_id = (int) $user->ID;
+
+		$labels = [];
+		foreach ( Group_Subscription::get_group_ids_for_user( $user_id ) as $sub_id ) {
+			$labels[] = 'Group ' . $sub_id;
+		}
+		foreach ( Institution::get_matching_ids_for_user( $user_id ) as $inst_id ) {
+			$labels[] = 'Institution ' . $inst_id;
+		}
+		sort( $labels, SORT_NATURAL | SORT_FLAG_CASE );
+		return $labels;
+	}
+
 	/**
 	 * Filter the GA config to add custom parameters.
 	 *

includes/plugins/woocommerce-subscriptions/group-subscription/class-group-subscription-myaccount.php

@@ -284,6 +284,13 @@ public static function inject_member_group_subscriptions( $subscriptions, $user_
 		if ( ! function_exists( 'is_account_page' ) || ! \is_account_page() ) {
 			return $subscriptions;
 		}
+		// Don't add Group Subscription features to My Account when Woo Memberships
+		// is active. TODO: Remove this once Access Control is fully released.
+		// Mirrors the suppression that used to live in Group_Subscription::is_group_subscription(),
+		// preserved here at the UI layer now that data-layer callers always see the canonical state.
+		if ( Memberships::is_active() ) {
+			return $subscriptions;
+		}
 		$existing_ids        = array_keys( $subscriptions );
 		$group_subscriptions = Group_Subscription::get_group_subscriptions_for_user( $user_id );
 		foreach ( $group_subscriptions as $group_subscription ) {