Front-End Users
Ajax calls being blocked for anonymous users (4 posts)

  1. jvanpuy
    Member
    Posted 1 year ago #

    I have another plugin installed which has AJAX calls for anonymous (not logged in) users. The plugin doesn't work when a user is not logged in but it does work when the user is logged in. When I disable the "front-end-users" plugin my other plugin works properly for anonymous users.

    Do you know what might be causing the conflict? Basically I think I need to allow anonymous Ajax calls for the "front-end-users" plugin.

    Thanks.

    http://wordpress.org/extend/plugins/front-end-users/

  2. jvanpuy
    Member
    Posted 1 year ago #

    You can disregard this - I ended up just deleting this plugin and adding some code to functions.php to hide the admin bar.

    Thanks.

  3. ralphonz
    Member
    Posted 1 year ago #

    I removed the following from lib/font_end_users.php in the plugin folder:

    public function restrict_admin_access() {
        if (is_admin()) {
            $valid_admin_ajax_actions = array('user_avatar_add_photo');
            if ($_SERVER['SCRIPT_NAME'] == '/wp-admin/admin-ajax.php' &&
                isset($_GET['action']) && in_array($_GET['action'], $valid_admin_ajax_actions)) {
                return true;
            }
            if (!$this->is_logged_in()) {
                $this->render_page('not-logged-in');
            } else if (!$this->has_admin_access()) {
                $this->render_404();
            }
        }
    }

    This allows my ajax functions to work but is it safe?

  4. KimTasker
    Member
    Posted 5 months ago #

    I had the same issue, and came up with a fix.
    ralphonz's answer works of course, but deleting this piece of code won't restrict the access to the admin any more, which is the whole point of the front end users plugin in the first place.

    Instead, I suggest replacing the code with something like this:

    public function restrict_admin_access() {
        if (is_admin()) {
            if (strpos($_SERVER['PHP_SELF'], 'wp-admin/admin-ajax.php') === false) {
                if (!$this->is_logged_in()) {
                    $this->render_page('not-logged-in');
                } else if (!$this->has_admin_access()) {
                    $this->render_404();
                }
            }
        }
    }

    All Ajax calls will be allowed now, so the same question arises: is it safe?
    Another solution would be to identify what actions are sent through Ajax by other plugins and manually populate the $valid_admin_ajax_actions array in the original code...

    With the same idea, I've had to customize the rewrite_admin_url filter, as it exits for users who are not logged in before checking for an Ajax request...

    Better yet, these functions should be overridden in your theme, which requires some knowledge: removing original hooks, adding your own, checking for existence of the feu plugin, ... but as the chance the plugin gets updated seems very small (last update in 2011!), this may not be so important.
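
The allowlist idea from the last post, as an added example that is not part of the thread or the plugin: anonymous requests pass only when WordPress itself marks the request as Ajax (the `DOING_AJAX` constant set by `admin-ajax.php`) and the action is on an explicit list with a registered `wp_ajax_nopriv_` handler. The `feu_example_*` names and `my_plugin_vote` are hypothetical, and the glue function assumes it is called after other plugins have registered their Ajax hooks.

```php
<?php
// Added example; not Front-End Users code. feu_example_* names are hypothetical.

/**
 * Should this is_admin() request skip the plugin's admin restriction?
 * Pure function, so the decision can be exercised without WordPress loaded.
 */
function feu_example_allow_ajax(bool $doing_ajax, bool $logged_in, string $action, array $anon_allowlist): bool
{
    if (!$doing_ajax) {
        return false; // ordinary wp-admin page: the restriction stays in force
    }
    if ($logged_in) {
        return true;  // the handler's own capability and nonce checks still apply
    }
    // Anonymous caller: exact match against an explicit allowlist, nothing else.
    return $action !== '' && in_array($action, $anon_allowlist, true);
}

/** WordPress glue: collects the inputs from the running request. */
function feu_example_allow_current_request(array $anon_allowlist): bool
{
    // admin-ajax.php defines DOING_AJAX itself, so no URL string matching is needed.
    $doing_ajax = defined('DOING_AJAX') && DOING_AJAX;
    $action = (isset($_REQUEST['action']) && is_string($_REQUEST['action'])) ? $_REQUEST['action'] : '';
    // Drop allowlist entries that no plugin registered for logged-out users.
    $registered = array_filter($anon_allowlist, function ($name) {
        return has_action('wp_ajax_nopriv_' . $name) !== false;
    });
    return feu_example_allow_ajax($doing_ajax, is_user_logged_in(), $action, array_values($registered));
}

// Constructed cases, runnable without WordPress: php feu_example.php
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $allow = array('user_avatar_add_photo', 'my_plugin_vote'); // second name is made up
    $cases = array(
        'anonymous, allowlisted action' => array(true, false, 'my_plugin_vote'),
        'anonymous, unlisted action'    => array(true, false, 'some_other_action'),
        'anonymous, not an Ajax call'   => array(false, false, 'my_plugin_vote'),
        'logged in, any Ajax action'    => array(true, true, 'some_other_action'),
    );
    foreach ($cases as $label => $c) {
        $ok = feu_example_allow_ajax($c[0], $c[1], $c[2], $allow);
        printf("%-30s => %s\n", $label, $ok ? 'pass through' : 'restricted');
    }
}
```

Passing the restriction only hands the request to WordPress's normal Ajax dispatch; each handler still has to verify its own nonce and capabilities.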

Topic Closed

This topic has been closed to new replies.
