fix(content-gate): prevent metering from bypassing account verification requirement#4459
Merged
miguelpeixe merged 2 commits intoFeb 10, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes a security issue where logged-in metering would bypass the account verification requirement. The fix adds a check to prevent metering from allowing access when the gate requires account verification but the reader has not verified their account.
Changes:
- Added a new
requires_account_verification()method to check if a gate requires account verification - Added a verification check in the metering logic to bail out when verification is required but not completed
- Removed unused code (priority variable and comment)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| includes/content-gate/class-content-gate.php | Adds a helper method to check if account verification is required for a gate |
| includes/content-gate/class-metering.php | Implements the verification check in logged-in metering logic and removes unused code |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
miguelpeixe
added
the
[Status] Needs Review
dkoo
approved these changes
Feb 9, 2026
Contributor
dkoo
left a comment
dkoo
left a comment
There was a problem hiding this comment.
Works! Tests look good too.
github-actions
Bot
added
[Status] Approved
miguelpeixe
deleted the
fix/content-gate-require-verification-metering
branch
|
Hey @miguelpeixe, good job getting this PR merged! 🎉 Now, the Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label. If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label. Thank you! ❤️ |
matticbot
pushed a commit
that referenced
this pull request
Feb 19, 2026
# [6.33.0-alpha.1](v6.32.0...v6.33.0-alpha.1) (2026-02-19) ### Bug Fixes * add bock theme check before switching templates to prevent warnings ([#4412](#4412)) ([dfb5b63](dfb5b63)) * add check for my account before switching error notice ([#4484](#4484)) ([0cb3ae8](0cb3ae8)) * add fallback selector for the content gate in block theme ([#4431](#4431)) ([dd0b2b1](dd0b2b1)) * **avatar:** show placeholder for text-only custom bylines in editor ([#4456](#4456)) ([56d3278](56d3278)) * **content-gate:** create gate layout with 'publish' status ([#4483](#4483)) ([108215a](108215a)) * **content-gate:** prevent metering from bypassing account verification requirement ([#4459](#4459)) ([90aed19](90aed19)) * **my-account:** hide payment method dropdown if only has one child and is disabled ([#4472](#4472)) ([6e3c3f5](6e3c3f5)) * **my-account:** missing padding on labels ([#4479](#4479)) ([6c6d183](6c6d183)) * tweak inline gate styles for block theme ([#4445](#4445)) ([d867a53](d867a53)) ### Features * **content-gating:** new UI for adding/editing content gates ([#4474](#4474)) ([a193ecc](a193ecc)) * **data-events:** handler retry and ActionScheduler support ([#4469](#4469)) ([c997f38](c997f38)) * integrations - rename classes and move can_sync ([#4451](#4451)) ([877ce4f](877ce4f)) * integrations barebones ([#4433](#4433)) ([79bf9a7](79bf9a7)) * **my-account:** block theme styles ([#4430](#4430)) ([1629465](1629465)) * **my-account:** improve navigation on small screens ([#4471](#4471)) ([3404a66](3404a66)) * **newspack-components:** add divider component ([#4462](#4462)) ([f080d72](f080d72))
|
🎉 This PR is included in version 6.33.0-alpha.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
matticbot
pushed a commit
that referenced
this pull request
Mar 2, 2026
# [6.34.0-alpha.1](v6.33.0...v6.34.0-alpha.1) (2026-03-02) ### Bug Fixes * add bock theme check before switching templates to prevent warnings ([#4412](#4412)) ([dfb5b63](dfb5b63)) * add check for my account before switching error notice ([#4484](#4484)) ([0cb3ae8](0cb3ae8)) * add fallback selector for the content gate in block theme ([#4431](#4431)) ([dd0b2b1](dd0b2b1)) * **avatar:** show placeholder for text-only custom bylines in editor ([#4456](#4456)) ([56d3278](56d3278)) * **content-gate:** create gate layout with 'publish' status ([#4483](#4483)) ([108215a](108215a)) * **content-gate:** prevent metering from bypassing account verification requirement ([#4459](#4459)) ([90aed19](90aed19)) * **my-account:** hide payment method dropdown if only has one child and is disabled ([#4472](#4472)) ([6e3c3f5](6e3c3f5)) * **my-account:** missing padding on labels ([#4479](#4479)) ([6c6d183](6c6d183)) * tweak inline gate styles for block theme ([#4445](#4445)) ([d867a53](d867a53)) ### Features * **content-gating:** new UI for adding/editing content gates ([#4474](#4474)) ([a193ecc](a193ecc)) * **data-events:** handler retry and ActionScheduler support ([#4469](#4469)) ([c997f38](c997f38)) * integrations - rename classes and move can_sync ([#4451](#4451)) ([877ce4f](877ce4f)) * integrations barebones ([#4433](#4433)) ([79bf9a7](79bf9a7)) * **my-account:** block theme styles ([#4430](#4430)) ([1629465](1629465)) * **my-account:** improve navigation on small screens ([#4471](#4471)) ([3404a66](3404a66)) * **newspack-components:** add divider component ([#4462](#4462)) ([f080d72](f080d72))
|
🎉 This PR is included in version 6.34.0-alpha.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
matticbot
pushed a commit
that referenced
this pull request
Mar 2, 2026
# [6.34.0](v6.33.0...v6.34.0) (2026-03-02) ### Bug Fixes * add bock theme check before switching templates to prevent warnings ([#4412](#4412)) ([dfb5b63](dfb5b63)) * add check for my account before switching error notice ([#4484](#4484)) ([0cb3ae8](0cb3ae8)) * add fallback selector for the content gate in block theme ([#4431](#4431)) ([dd0b2b1](dd0b2b1)) * **avatar:** show placeholder for text-only custom bylines in editor ([#4456](#4456)) ([56d3278](56d3278)) * **content-gate:** create gate layout with 'publish' status ([#4483](#4483)) ([108215a](108215a)) * **content-gate:** prevent metering from bypassing account verification requirement ([#4459](#4459)) ([90aed19](90aed19)) * **my-account:** hide payment method dropdown if only has one child and is disabled ([#4472](#4472)) ([6e3c3f5](6e3c3f5)) * **my-account:** missing padding on labels ([#4479](#4479)) ([6c6d183](6c6d183)) * tweak inline gate styles for block theme ([#4445](#4445)) ([d867a53](d867a53)) ### Features * **content-gating:** new UI for adding/editing content gates ([#4474](#4474)) ([a193ecc](a193ecc)) * **data-events:** handler retry and ActionScheduler support ([#4469](#4469)) ([c997f38](c997f38)) * integrations - rename classes and move can_sync ([#4451](#4451)) ([877ce4f](877ce4f)) * integrations barebones ([#4433](#4433)) ([79bf9a7](79bf9a7)) * **my-account:** block theme styles ([#4430](#4430)) ([1629465](1629465)) * **my-account:** improve navigation on small screens ([#4471](#4471)) ([3404a66](3404a66)) * **newspack-components:** add divider component ([#4462](#4462)) ([f080d72](f080d72))
|
🎉 This PR is included in version 6.34.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
All Submissions:
Changes proposed in this Pull Request:
The logged-in metering strategy only checks whether the user is logged in to implement its logic, which can bypass the gate's verification requirement.
This PR adds a check to bail out metering when the gate requires verification, and the reader is not verified.
Also introduces unit tests to metering.
How to test the changes in this Pull Request:
Other information: