NewPath-Consulting / Wild-Apricot-Press

The core Wild Apricot Press (WAP) plugin.
https://newpathconsulting.com/wap
GNU General Public License v3.0

WA Widget no display to logged in member #143

Closed Crednib closed 1 year ago

Crednib commented 1 year ago

The Member Directory Widget (set to public view), which displays during admin, does not display if I'm logged into the WordPress site (as an MPG member). The widget has no restrictions - displays content while in both WA and WP admin - but not as a logged in WP MPG member.

[Image: MPG Membership List as a WA logged in member]
[Image: MPG Membership List while in WP Admin]

mDisna commented 1 year ago

The directory is simply an iframe, showing the WildApricot directory page. The WA privacy settings are set to only show those fields to logged in WA members.

Logging into WordPress would not log you into WildApricot, and vice-versa.

It is appearing as though it is working when logged in as WP admin because you are likely already logged in to WA on that browser.

Crednib commented 1 year ago

If the client maintains this data visible to members on both sites (e.g. the Member Directory) - the only solution would be to duplicate the visible to members only fields - make them visible to all - and then use those in the iFrame so it will display on WordPress.

Is that correct?

Crednib commented 1 year ago

I just want to confirm your response above - even though this is a SSO (Single Sign On) - "Logging into WordPress would not log you into WildApricot, and vice-versa."

asirota commented 1 year ago

@mDisna you said "Logging into WordPress would not log you into WildApricot, and vice-versa."

Actually, the login through the WAP login page should set up a cookie as if you logged into the WildApricot site with the same credentials. That's the point of the plugin and I believe we were serving this cookie. Can you confirm?

mDisna commented 1 year ago

@asirota I know that is the case when redirecting to the WildApricot hosted SSO page, I'll look through the code and do some tests to confirm whether this is possible with the plugin.

asirota commented 1 year ago

In theory the functionality we are doing is identical; we just don't bring up the WA hosted SSO page, we just validate the credentials through the server API. I was fairly sure we were setting the same cookie after the login and sending those when loading the iframes. Thanks for taking a look through the login code. I believe this is the function

login_email_password() in class-wa-api.php

that sends an API call to get a token with the scope set to 'password' for the current user.

and this call, create_user_and_redirect() in class-wa-integration.php, calls the login_email_password(), but in this call we return the URL that was being loaded with wp_safe_redirect(). At this point I think we should also load the necessary cookie that WA sets that is sent when loading iframes.

asirota commented 1 year ago

We may need to redirect to the WildApricot website temporarily after login to load these cookies. I wonder if that can be done by just loading the home page of the site maybe in an iframe after login.

mDisna commented 1 year ago

The documentation only mentions cookies in relation to their SSO page. My understanding is that websites cannot normally read cookies set by a different server, and the cookies being used are browser cookies - so if a WA page isn't being loaded in the browser, their server isn't setting a cookie.
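
The cookie scoping described in the comment above, as an added example that is not part of the original thread or the plugin's code: a small cookie jar applying the RFC 6265 domain-match rule. The hostnames, cookie names and values are constructed placeholders.

```javascript
// Added illustration; hostnames below are constructed, not the sites in this thread.
const WP_HOST = "members.example.org";      // hypothetical WordPress site
const WA_HOST = "club.wildapricot.example"; // hypothetical WildApricot-hosted site

// RFC 6265 section 5.1.3: host equals the domain or is a subdomain of it.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

class CookieJar {
  constructor() { this.cookies = []; }
  // Store a cookie from a response served by responseHost; false means discarded.
  setCookie(responseHost, setCookieHeader) {
    const [pair, ...attrs] = setCookieHeader.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false;
    const domainAttr = attrs.find(a => /^domain=/i.test(a));
    let domain = responseHost.toLowerCase(), hostOnly = true;
    if (domainAttr) {
      domain = domainAttr.slice(7).toLowerCase().replace(/^\./, "");
      hostOnly = false;
      // A server may only set cookies for its own host or a parent domain of it.
      if (!domainMatch(responseHost, domain)) return false;
    }
    const name = pair.slice(0, eq);
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain));
    this.cookies.push({ name, value: pair.slice(eq + 1), domain, hostOnly });
    return true;
  }
  // Cookie header the browser would attach to a request for requestHost.
  cookieHeaderFor(requestHost) {
    return this.cookies
      .filter(c => c.hostOnly ? c.domain === requestHost.toLowerCase()
                              : domainMatch(requestHost, c.domain))
      .map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// Replay of the thread's scenario with constructed cookie names and values.
function simulate() {
  const jar = new CookieJar();
  const wpOwn = jar.setCookie(WP_HOST, "wp_session=abc; Path=/; HttpOnly");
  const wpForWa = jar.setCookie(WP_HOST, `wa_session=attempt; Domain=${WA_HOST}`);
  const iframeBefore = jar.cookieHeaderFor(WA_HOST); // iframe load after WP login only
  jar.setCookie(WA_HOST, "wa_session=xyz; Path=/; Secure"); // WA's own login response
  return { wpOwn, wpForWa, iframeBefore, iframeAfter: jar.cookieHeaderFor(WA_HOST) };
}
```

The jar does not model `SameSite` or browser third-party cookie blocking, which further restrict whether a cookie is sent when its site is loaded in a cross-site iframe.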

mDisna commented 1 year ago

I don't think simply redirecting to the WA site will work; it'll need to be their SSO page. But I'll look into it further.

mDisna commented 1 year ago

@Crednib which plugin are you using? This is the iframe plugin right? Have you tried the member directory plugin?

asirota commented 1 year ago

Maybe our login screen should simply pop up the OAuth screen and prefill the user name and password somehow?

mDisna commented 1 year ago

It wouldn't be possible to pass any data or run any code on that page.

asirota commented 1 year ago

So could we pop up the /Sys/Login in an iframe and prefill the email screen? It works if you put email= as a search arg

https://newpathconsulting.wildapricot.org/sys/login?email=matt@newpathconsulting.com

The login could be a 2 step process

  1. provide credentials and confirm on regular login screen
  2. and then provide credentials again and login to the WA site for the wa authorization cookies.

We can call it a 2 factor authorization for security, which it basically is because we need to confirm credentials on the WA site to get their authorization cookies.

mDisna commented 1 year ago

I don't think that workflow would work.

However, would a user normally need to also access a WA restricted page? The NP directory plugin should take care of member-only fields, and for restricted content that can be done within WP.

asirota commented 1 year ago

When you iframe a member directory for example, if the fields have privacy set to member only, the iframe needs to know someone that is a member is logged in to show fields. Or accessing your profile using the /sys/profile widget needs to also know who is logged in.

I know for sure if I frame in a WA login from WA into a WP site and I login then the cookies are set for that member so I think my workflow could work. Try experimenting?

asirota commented 1 year ago

As for the directory plugin it is pretty bare bones in terms of look and feel and Carol prefers the iframed directory since it is already styled and ready to use.

mDisna commented 1 year ago

We would just be asking members to log in twice then. In which case, you would just need to set the WildApricot member directory page to "members-only" and it will give you the normal WA login and then redirect you.

asirota commented 1 year ago

@mDisna but the content of the iframe needs the WA cookie to render properly. I set up a page on support that frames in the /sys/login widget; this is what could be presented after the built-in WAP login to set the necessary WA cookies before you continue to go to an iframe with members-only content on it.

asirota commented 1 year ago

https://support.newpathconsulting.com/wa-login

mDisna commented 1 year ago

You will get that cookie if you just make the member directory page member only. Whenever you try to access a member only page while logged out, you will get the /sys/login page

Crednib commented 1 year ago

The iFrame widget (membership list (directory)) is currently on a public page (not in menu).