• jvanpuy

    (@jvanpuy)


    I have another plugin installed which has AJAX calls for anonymous (not logged in) users. The plugin doesn’t work when a user is not logged in but it does work when the user is logged in. When I disable the “front-end-users” plugin my other plugin works properly for anonymous users.

    Do you know what might be causing the conflict? Basically I think I need to allow anonymous Ajax calls for the “front-end-users” plugin.

    Thanks.

    http://wordpress.org/extend/plugins/front-end-users/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter jvanpuy

    (@jvanpuy)

    You can disregard this – I ended up just deleting this plugin and adding some code to functions.php to hide the admin bar.

    Thanks.

    I removed the following from lib/font_end_users.php in the plugin folder:

    public function restrict_admin_access() {
        if (is_admin()) {
            $valid_admin_ajax_actions = array('user_avatar_add_photo');
            if ($_SERVER['SCRIPT_NAME'] == '/wp-admin/admin-ajax.php' &&
                isset($_GET['action']) && in_array($_GET['action'], $valid_admin_ajax_actions)) {
                return true;
            }
            if (!$this->is_logged_in()) {
                $this->render_page('not-logged-in');
            } else if (!$this->has_admin_access()) {
                $this->render_404();
            }
        }
    }

    This allows my ajax functions to work but is it safe?

    I had the same issue, and came up with a fix.
    ralphonz’s answer works of course, but deleting this piece of code won’t restrict the access to the admin any more, which is the whole point of the front end users plugin in the first place.

    Instead, I suggest replacing the code with something like this:

    public function restrict_admin_access() {
        if (is_admin()) {
            if (strpos($_SERVER['PHP_SELF'], 'wp-admin/admin-ajax.php') === false) {
                if (!$this->is_logged_in()) {
                    $this->render_page('not-logged-in');
                } else if (!$this->has_admin_access()) {
                    $this->render_404();
                }
            }
        }
    }

    All ajax calls will be allowed now, so the same question arises: is it safe?
    Another solution would be to identify what actions are sent through ajax by other plugins and manually populate the $valid_admin_ajax_actions array in the original code…

    Along the same lines, I’ve had to customize the rewrite_admin_url filter, as it exits for users who are not logged in before checking for an ajax request…

    Better yet, these functions should be overridden in your theme, which requires some knowledge: removing the original hooks, adding your own, checking for the existence of the feu plugin, … But as the chance that the plugin gets updated seems very small (last update in 2011!), this may not be so important.
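
Added example, not part of the thread or the plugin's code: the middle ground the last reply mentions, an explicit allowlist of anonymous actions, combined with an exact script-name match and the action read from GET or POST. The function name, the sample paths and `my_plugin_public_action` are assumptions; only `user_avatar_add_photo` comes from the code quoted above.

```php
<?php
// Added example; not code from the front-end-users plugin.
// feu_example_* and 'my_plugin_public_action' are hypothetical names.

/**
 * Return true when a wp-admin request is an AJAX call that may skip the
 * admin-area restriction. Inputs are passed in so the check can be
 * exercised without WordPress loaded.
 */
function feu_example_allow_ajax(array $server, array $request, bool $logged_in, array $anon_actions): bool
{
    // Exact match on the executing file name instead of a substring search;
    // basename() also copes with WordPress installed in a subdirectory.
    if (basename($server['SCRIPT_FILENAME'] ?? '') !== 'admin-ajax.php') {
        return false;
    }
    // admin-ajax.php reads the action from $_REQUEST, so GET and POST both count.
    $action = $request['action'] ?? null;
    if (!is_string($action) || $action === '') {
        return false;
    }
    // Logged-in callers reach wp_ajax_{action}; each handler does its own capability checks.
    if ($logged_in) {
        return true;
    }
    // Anonymous callers only get actions that were reviewed and listed here.
    return in_array($action, $anon_actions, true);
}

// Inside WordPress the call would be (is_user_logged_in() is a core function):
//   feu_example_allow_ajax($_SERVER, $_REQUEST, is_user_logged_in(), $anon_actions)
$anon_actions = ['user_avatar_add_photo', 'my_plugin_public_action'];
$ajax = ['SCRIPT_FILENAME' => '/var/www/wp-admin/admin-ajax.php'];  // constructed path
$dash = ['SCRIPT_FILENAME' => '/var/www/wp-admin/index.php'];       // constructed path

// Constructed sample requests: [label, $_SERVER, $_REQUEST, logged in?]
$samples = [
    ['listed action, anonymous',   $ajax, ['action' => 'my_plugin_public_action'], false],
    ['unlisted action, anonymous', $ajax, ['action' => 'some_other_action'], false],
    ['unlisted action, logged in', $ajax, ['action' => 'some_other_action'], true],
    ['dashboard page, anonymous',  $dash, ['action' => 'my_plugin_public_action'], false],
    ['array-valued action',        $ajax, ['action' => ['x']], false],
];
foreach ($samples as [$label, $server, $request, $logged_in]) {
    $ok = feu_example_allow_ajax($server, $request, $logged_in, $anon_actions);
    printf("%-28s %s\n", $label, $ok ? 'bypass restriction' : 'apply restriction');
}
```

For anonymous visitors, admin-ajax.php itself only dispatches to handlers registered under `wp_ajax_nopriv_{action}`, so the allowlist narrows which of those handlers are reachable rather than replacing the checks each handler performs.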

  • The topic ‘Ajax calls being blocked for anonymous users’ is closed to new replies.