kylephillips / favorites

Simple and flexible favorite buttons for any WordPress post type.
https://favoriteposts.com

Doesn't work when dashboard access removed #134

Closed geraldo closed 4 years ago

geraldo commented 4 years ago

Everything works fine with the default configuration and my WordPress subscribers can make favorites. But when I remove their dashboard access, they can't make favorites any more.

I use the following code to remove dashboard access:

add_action('init', 'remove_dashboard_access');
function remove_dashboard_access() {
    if (is_admin() && strpos($_SERVER['PHP_SELF'], '/wp-admin/') !== false && current_user_can('subscriber')) {
        wp_redirect(home_url());
        exit;
    }
}

Why does making favorites need dashboard access?

Hasan0ff commented 4 years ago

remove && current_user_can('subscriber')

Hasan0ff commented 4 years ago

Moreover, the second part is disabling access to everything within the /wp-admin/ folder. You gotta make sure that admin-ajax.php, which is used to add and remove favorites, is accessible too.

geraldo commented 4 years ago

I want admins to have dashboard access, that's why I limit it to current_user_can('subscriber'). So the point is that the plugin needs some files from the /wp-admin/ folder; it would be great to know which. I tried the following, but still without success:

if ($_SERVER['PHP_SELF'] == '/wp-admin/async-upload.php' || $_SERVER['PHP_SELF'] == '/wp-admin/admin-ajax.php') {
    return true;
}
else if (is_admin() && current_user_can('subscriber')) {
    wp_redirect(home_url());
    exit;
}
Hasan0ff commented 4 years ago

I want admins to have dashboard access, that's why I limit it to current_user_can('subscriber'). So the point is that the plugin needs some files from the /wp-admin/ folder; it would be great to know which. I tried the following, but still without success:

if ($_SERVER['PHP_SELF'] == '/wp-admin/async-upload.php' || $_SERVER['PHP_SELF'] == '/wp-admin/admin-ajax.php') {
    return true;
}
else if (is_admin() && current_user_can('subscriber')) {
    wp_redirect(home_url());
    exit;
}

this is the logic of if, else and elseif: if (something) {do this} else {do that} elseif {none of the above but this instead}

you are doing if then elseif, which is a mistake in itself.

moreover, in the second part you are saying that when it is_admin (the user is an administrator) or a subscriber, then redirect to home_url. that is wrong.

by the way, there is nothing wrong with people being able to access the dashboard. What I would recommend is to use a function to redirect everyone to the home page after login, then use another function to hide the dashboard from everyone.

geraldo commented 4 years ago

Here is the way to remove dashboard access and still have favorite posts working:

add_action('init', 'remove_dashboard_access');
function remove_dashboard_access() {
    if ( is_admin() ) {

        if (defined( 'DOING_AJAX' ) && DOING_AJAX )
            return;

        if (strpos( $_SERVER[ 'REQUEST_URI' ], 'wp-admin/admin-ajax.php' ) !== false)
            return;

        if (strpos( $_SERVER[ 'REQUEST_URI' ], 'wp-admin/media-upload.php' ) !== false)
            return;

        if (strpos( $_SERVER[ 'REQUEST_URI' ], 'wp-admin/async-upload.php' ) !== false)
            return;

        // Remove backend access for subscribers
        if ( !current_user_can('edit_posts') ) {
            wp_redirect( home_url() );
            exit;
        }
    }
}
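A tightened variant of the approach above, added here as an illustration and not geraldo's or the plugin's own code: it hooks admin_init (which fires only in the admin context, including admin-ajax.php requests) and compares the core WordPress global $pagenow against an allow-list of script names instead of substring-matching $_SERVER['REQUEST_URI'], which also carries the query string and so would match any URL that merely contains the text "wp-admin/admin-ajax.php". The function name restrict_dashboard_to_editors is my own choice; everything else is core WordPress API.

```php
<?php
// Added example (not from the plugin): keep wp-admin screens away from users
// who cannot edit posts, while leaving the admin-side endpoints that front-end
// features such as favorites depend on reachable for logged-in subscribers.
add_action( 'admin_init', 'restrict_dashboard_to_editors' );

function restrict_dashboard_to_editors() {
    // Core sets $pagenow to the current admin script name, e.g. 'admin-ajax.php'.
    global $pagenow;

    // AJAX calls (wp_doing_ajax(), WordPress 4.7+) must pass, otherwise the
    // admin-ajax.php handlers used to add and remove favorites break.
    if ( wp_doing_ajax() ) {
        return;
    }

    // Non-dashboard scripts that front-end uploaders and editors talk to.
    // Matching the script name rather than REQUEST_URI means a query string
    // cannot satisfy the check.
    $allowed_scripts = array( 'admin-ajax.php', 'async-upload.php', 'media-upload.php' );
    if ( in_array( $pagenow, $allowed_scripts, true ) ) {
        return;
    }

    // Anyone without the edit_posts capability (subscribers) goes to the front page.
    // wp_safe_redirect() only follows redirects to allowed hosts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
}
```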