For the longest time I was under the belief that wp_ajax_nopriv functions on non-logged-in users while wp_ajax only fires for logged-in users. Recently I noticed that I am able to call functions I should not be able to, so I went to have a look in the docs and here is what I found:
This hook is functionally the same as wp_ajax_(action), however it is used to handle AJAX requests on the front-end for unauthenticated users, i.e. when is_user_logged_in() returns false.
It then goes on to state:
This hook will not fire for authenticated users, i.e. when is_user_logged_in() returns true. To handle both unauthenticated and authenticated users, also use wp_ajax_(action).
So then I went to https://codex.wordpress.org/Plugin_API/Action_Reference/wp_ajax_(action) where it states:
- wp_ajax_ hook only fires for logged-in users. If you need to also listen for Ajax requests that don’t come from logged-in users, you need to use wp_ajax_nopriv
So now I am confused… One page links me to a page that says the function on that page will work for both logged in and logged out users… but when I go there it says it only works for logged in users and sends me back to the page I just came from telling me that that is where I will find the function to handle people who are not logged in.
The obvious question here is “So which one is right?” but unfortunately the fact that my logged out users can successfully run actions linked with wp_ajax_ kinda answers that question for me.
So now I am left with trying to find out another way to make sure only logged-in users can call functions meant for them (apart from doing an “if is_user_logged_in” test inside every single function). I will find a way around it, but that text on those two pages that link back and forth between each other definitely needs to get its story straight 🙁
- The topic ‘Contradicting text in the documentation’ is closed to new replies.
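One way to apply the logged-in check in a single place instead of inside every handler, as an added example that is not part of the original post or of WordPress core. The `myplugin_` function names, the action name, the `myplugin_note` meta key and the `_ajax_nonce` request field are assumptions made for illustration.

```php
<?php
// Added example: the myplugin_* names are hypothetical, not WordPress core code.

/**
 * Register an AJAX action for logged-in users only, applying the login,
 * nonce and capability checks in one wrapper around the real handler.
 */
function myplugin_register_private_ajax( $action, callable $handler, $capability = 'read' ) {
    // Deliberately no wp_ajax_nopriv_{$action} registration for this action.
    add_action( "wp_ajax_{$action}", function () use ( $action, $handler, $capability ) {
        // Defence in depth: do not rely on hook routing alone.
        if ( ! is_user_logged_in() ) {
            wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
        }
        // CSRF check. The third argument (false) makes it return instead of die().
        // The client must send wp_create_nonce( $action ) in the _ajax_nonce field.
        if ( ! check_ajax_referer( $action, '_ajax_nonce', false ) ) {
            wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
        }
        // Authorisation: being logged in is not the same as being allowed.
        if ( ! current_user_can( $capability ) ) {
            wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
        }
        // wp_send_json_error() ends the request, so this line is only reached
        // when all three checks passed.
        call_user_func( $handler );
    } );
}

// Hypothetical handler: contains only business logic, no repeated auth checks.
function myplugin_save_note() {
    $note = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_user_meta( get_current_user_id(), 'myplugin_note', $note );
    wp_send_json_success( array( 'saved' => true ) );
}

// Only users who can edit posts may call this action.
myplugin_register_private_ajax( 'myplugin_save_note', 'myplugin_save_note', 'edit_posts' );
```

If logged-out requests still reach a handler registered this way, searching the theme and plugins for a matching `wp_ajax_nopriv_` registration of the same action is a quick first check.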