Only Admins and the post author can view a post, is it possible?

  • Hello,

    I have a site where my clients click on the New Order icon, then fill out a form (jQuery), and this order will be considered a post, so the orders look like this:

    http://www.mysite.com/order-1
    http://www.mysite.com/order-2
    http://www.mysite.com/order-3
    http://www.mysite.com/order-3

    Now, everyone could see the order details by pasting the links above in their browsers. I want to restrict the post visibility to admins and the client only. I know there’s a way to keep posts restricted by a password, but I wonder if it’s possible to have only the admin and the logged-in client see his/her order, for example:
    http://www.mysite.com/order-2

    I tried to find an available plugin but I could not find any. My question is, is it difficult to make? And how much would it usually cost to make a customized plugin like that?

    Thanks
    A

Viewing 15 replies - 16 through 30 (of 37 total)
  • So no visitors, everyone must log in? That certainly simplifies things 🙂

    I changed orders_postes.php to match orders to user ID instead of email. I anticipated a condition where someone previously ordered as a visitor, then subsequently registered, then tried to view their old order. In this case their user ID will not match the order’s visiting user ID. As long as the order email and user profile emails match, this will still work… I hope. The logic to cover all conditions got a little complicated. Test all possible conditions from your standpoint to ensure things work. I updated the same pastebin paste: http://pastebin.com/CbtMdGrg

    For that page I replaced

    if ( $current_user->user_email != get_post_meta( get_the_ID(), 'order_email', true ) &&
        !current_user_can('manage_options')) continue;

    with this:

    if ( $current_user->user_email != get_post_meta( get_the_ID(), 'order_email', true ) &&
        2 == get_the_author_meta('ID') && !current_user_can('manage_options')) continue;
    if ( $current_user->ID != get_the_author_meta('ID') && 2 != get_the_author_meta('ID') &&
        !current_user_can('manage_options')) continue;

    I also changed order.php to display a message if the user is not logged in: “You must be registered and logged in to place orders.” with links to log in and registration pages. The revised page is here:
    http://pastebin.com/7epgb5dz

    I took some liberty and decided that presenting recaptcha to logged in users was not a good idea and so I attempted to remove that element. I can easily reinstate it if need be. Either way, check that the page otherwise works to your satisfaction.

    I still did not change orders_lists.php, I did not see an issue with letting visitors search by email for orders already placed as visitors. I can remove that functionality if need be, but the form that accepts the email input and implies that such functionality is available is not in any of the files you provided.

    FYI about WP_DEBUG. Yes you do want it defined as false on a live site. However, if you ever get a blank white screen, defining it as true will tell you why the white screen error occurred. Even without the white screen, defining as true can be useful when testing new code as warnings and notices are displayed that can help give clues about ways to improve the code even though it is working.

    I appreciate your concern over how much you are asking me to do. I am fine with my commitment to alter files you identify in order to only allow logged in users to see only their own orders. I am also willing to further tweak these files so they function properly in order to achieve that goal. If you want any other added functionality beyond what we discussed, I’ll decide on a case by case basis and let you know when enough is enough.

    That’s awesome, I will be back with updates on the weekend.

    Thanks a lot ..

    Hi @bcworkz,
    Sorry, I was traveling to another city and could not log into my FTP account to update the codes, and I did not remember the passwords for the test site as it’s all saved in my iMac.

    The order visibility now is working great, admins are able to see all posts, authors can see their orders. One thing I’m not sure is easy to fix: when I’m logged in as an author and paste a link for one of the orders (posts) that I did not post (order), for example:
    http://www.mysite.com/order-3
    They will only see the header and the footer of the page one above the other (not even blank space in the middle). Is it possible to write something like “If this is your order and you can’t see it, please contact the admin”?

    The second part did not seem to work. Instead, the whole page is gone and there is only the msg “You must be registered and logged in to place orders.” as well as the text (only) of the footer (and the social media buttons in the footer). Is this normal? All menus, colors, logos are gone. Can you see any problems in the codes that cause the page contents to disappear?

    Thanks for disabling the recaptcha, that was a nice move, I would definitely have done the same if I could lol.

    Thanks for your support.

    One more thing, when anyone fills out the order form and clicks on Submit, a text msg will appear under the form saying:

    ‘Your order has been submitted, you can view your order from here’

    But this does not seem to be the best way. Is it possible to have the member redirected to the post (order) page after they click on submit instead of showing a msg? Or even redirected to the home page if it can’t be done to the order page?

    Also, for the form, members can add as many new form lines as they want, to add item info in each line. BUT only 31 lines of the form will appear in the order page! From the Order.php it seems there are only up to 31 new form lines. Is it possible to have the member be able to add only 31 lines in each order? If not, is it possible to have a msg pop up saying you can’t add more than 31 items in each order? So that they don’t spend time entering their item info and at the end only 31 are saved.

    So, once they click on add line after the 31st, they won’t be able to add a line and a msg will pop up saying you can’t add more than 31 links.

    Sorry if this is much to ask, I really appreciate your contribution.

    No worries about the delay, it’s best to avoid accessing your FTP or admin account when traveling unless you’re using the Internet connection of a friend or family. The usual networks one uses while traveling are not secure at all. Speaking of Internet connections, mine will be intermittent starting a few days from now. I’ll check in when I can, but there may be days when I cannot.

    I added the message when a logged in user tries to access an order that is not theirs. As for the missing CSS, I made an effort to correct this but it’s difficult to do when I cannot test my efforts. I’m sure it is because I’m not providing the correct classes with the messages to trigger the CSS. I copied all the containers from the order page to the message page except for the order data itself, hopefully that does it.

    I made an attempt at redirecting completed orders, but I fear it will make a mess of things. If it does, it’s easy to correct. Find the following code in 2 places on order.php and delete it:

    wp_safe_redirect( get_permalink($post_id) );
    exit;

    The same pastebin files have been updated.

    The order limit issue needs more study. It should be possible to allow for infinite orders if the code was setup more efficiently, but it is not. It would take some major restructuring of the current code to make it efficient. Inefficient does not mean it is bad, just limited in how you can modify it.

    From the code I have, I don’t see how the adding order mechanism works, so I can’t add a pop-up message about the limit. I can maybe add a permanent message somewhere, but not one dependent on how many orders are added. I think that is a poor solution, who wants to keep track of how many orders they added? Or is it obvious?

    I suspect the adding order mechanism is done with javascript. If you can figure out where the add order code actually happens, I might be able to come up with a solution.

    To clarify the order nature, here is the nature of my site. Let’s say you live in Spain, and you want some items from Amazon.com but Amazon won’t send those items out of the US. So, I work as a middle man btwn you and Amazon. You fill out the order form (post), which has fields (we will call it a line of fields) for the link, color, size etc. In every order you may add up to 31 items (lines).

    After the test, here are the outcomes:

    – If I’m a visitor and click on “make a new order”, the styling problem still exists, here is how it looks:
    http://goo.gl/RT6MWh

    Here is how it looks when I click on New Order after changing back to the original codes:
    http://goo.gl/3M63ak

    When I change the codes to the original codes, all is back to normal. I should have added that the theme is set up for the Arabic language (which is a right-to-left language), I’m not sure if that matters though. Can you think of any other way to fix this?

    Is there a way to write a conditional code that if the user is signed in, the order fields ( page ) will show up, otherwise, a msg will show up saying you can’t order without registering. I think that what you did, but why would such condition affect the CSS! I think I have a lot to learn.

    – When I updated the Order.php, the form fields disappeared. Usually, one line of fields is available, and if the member has many links to be ordered, they can click on Add New Line. (Actually, they might have disappeared with the last update, not really sure.) I was trying to make an order to see if the page would be redirected, but the fields are missing, and I can’t add more. In order for the order form to be submitted, at least one line of fields should be filled.

    The correct form looks like this:
    http://goo.gl/3M63ak

    I can’t paste the link of the form without the line of fields, as you would need to log in as a member to see it since we changed new orders to registered users only. I thought if I deleted the code below in both places in the codes, the fields would appear again, but they did not and the line of fields is still missing (that is where I thought they could have disappeared from the last update). Do you see any issue with the codes that causes the fields to disappear?

    wp_safe_redirect( get_permalink($post_id) );
    exit;

    I think the WordPress custom fields are utilized in the order form. I’m not really sure how the guy made it, but he was saying stuff like he will make it work better using jQuery and JavaScript I guess, forgot.

    I thought the order codes actually happen in the codes I provided. Since there are 31 blocks of codes, I was wondering why he would need to add 31 blocks of the same codes only with different numbers!

    As of now, the fix that members can only see their orders, and admins see all, works perfectly.

    OK, looks like I made a couple more dumb mistakes. Once again, my apologies. An updated version of order.php is available at the same location: http://pastebin.com/7epgb5dz

    The lack of page chrome was because when I copied the page format for the must be registered message, I did not see that a get_header(); call was part of the package. I’ve corrected that.

    The reason you are not seeing added rows is because I commented out too much javascript when attempting to remove the recaptcha. I’ve reinstated the add row script, so hopefully everything will be working with the latest version. The good part is I found the jQuery code responsible for adding rows! I’ve added an alert box when the row limit is reached.

    I also took the redirect attempts back out, there’s too much I don’t know about this page for me to feel good about that edit and it could be interfering with the page otherwise working. If you want to try placing the redirects back in again once you’ve confirmed everything else is working, the two lines (redirect and exit) go immediately after each occurrence of this line:
    $succee = 'تــم إضافة الطلب بنجاح ,,, يمكنك متابعة حالة وتفاصيل الطلب من <a href="'.get_permalink($post_id).'" >هـــنــا</a>';

    Yes, the 31 blocks of code with different numbers is surprising. It should have been handled with indexed arrays. I guess once he started down this path he was reluctant to change things when he realized it was the wrong approach, so just kept adding blocks with new numbers.

    Changing over to indexed arrays is the only way to allow unlimited rows to be added. Once everything is up and running properly, it may be something to look at doing. In the meantime, the alert box will have to do.

    I hope this latest version has everything working to your satisfaction. If not, it will need to wait a week. I will have time this week for little more than a quick message here and there.

    Thank you so much, all works perfectly now. Restrict post visibility, log-in required to order, and a msg shows up when ordering more than 30 lines.

    I will keep trying many other scenarios to ensure that all possible scenarios are tested before I update the original site. I will back up the site, and then change the codes using FTP and PHP edited with TextWrangler. Is there anything I should keep in mind before updating the original site besides the backup?

    One more thing if you have the time to look at it, not urgent at all. The developer who made the site made a custom log in page; members have to enter their USERNAME and password. Many of the members don’t really remember their username sometimes. Is it possible to have them sign in using the (username OR email) and password? So that they do not have to retrieve their username if they don’t remember it.

    Here is the log in and registration page ( both together )
    http://pastebin.com/ZVAbgHvz

    I assume it should be an easy fix, but I’m not sure though.

    Your support is really appreciated. If I may ask, do you do bigger paid projects or you have a site?

    I have been testing the site and all works great. One small thing: when a visitor clicks on a new order, and the msg shows up saying you must be registered to order, there are Log In and Register Now options. How can I link those 2 options to a URL?

    For example Register Now is linked to:
    http://www.mysite.com/register

    and Log in is linked to:
    http://www.mysite.com/login

    I see where I should add the codes, but where exactly should I add it:

    <h3><b>You must be registered and logged in to place orders.</b></h3>
    <?php echo '<a href="' . wp_login_url( get_permalink()) . '" title="Login Page">Login Now</a>';
    echo ' | <a href="' . wp_registration_url() . '" title="Registration Page">Register Now</a>'; ?>

    Cheers.

    To alter the login and registration URLs by inserting a hardcoded URL, just replace the PHP code between the double quotes after href= with the required URL. The end result is everything after echo between the single quotes is any valid HTML. For that matter, you could take out the entire PHP block — the <?php ... ?> and all inside and just place whatever HTML you want. The only reason for the PHP was for the WP URLs. Without that need you only need HTML, not PHP.

    As for going live, if you’re satisfied with everything and you have a backup to revert to if necessary, there’s nothing to be concerned about, just do it!

    I pretty much avoid coding for pay, if I’m not being paid, no one can tell me what to do 🙂 Helping people out of the goodness of my heart is more rewarding for me, unfortunately for you, it has limits. I understand your desire to want to continue a relationship once you find someone you like working with. I appreciate your willingness to pay, but I just don’t work that way through this forum. Not to mention it’s against the rules here anyway.

    I think you’re right about the email vs. login thing though. I’d be happy to do that for you once I have access to my development environment again, in a week or so.

    “if I’m not being paid, no one can tell me what to do 🙂 ” lol .. quote of the day .. I do personal training voluntary in my spare time around my community, main reason is above haha ..

    Today, I was surprised to notice that all site pages ( most of them )

    http://goo.gl/Kx9bPI ( this one is a calculator, it’s shown but you can still see the phrase plz sign in )

    http://goo.gl/EqEaYy ( this is where ppl enter their email to see their order, no problem with it )

    but all the information pages like call us, about us, how to order, Q&A etc. will have the phrase (Please Login to see the order), e.g.:
    http://goo.gl/IYY7gi
    this page will have some info about ordering etc, but a visitor can’t see it now.

    I don’t know how I could not see this earlier .. I thought I covered all possible scenarios but did not click on those links.

    Is it possible to restrict this phrase to the posts (orders only)? So that a visitor can see the non-order pages like Q&A etc.

    I’m not really in a rush for either this matter or the log-in by email and username thing. So, you have all the time.

    Thanks,
    Ali

    Sheesh! It seems there’s always surprises somewhere!

    I’m pretty sure this is an easy fix. We need some way in code to tell the difference between order queries and all other queries. Unless you know the answer to this already, I’ll need you to collect some information. I won’t be able to come up with a solution until I can access my environment again, but you may as well collect the information.

    First of all, confirm which template file is generating this, then insert the following code near the top of that file, right under the comment header.

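    global $wp_query;
    // __FILE__ is not expanded inside a quoted string, and a quoted array key
    // needs concatenation or {} syntax; escape the request URI before echoing it.
    echo 'Template: ' . __FILE__ . "\nRequest: " . esc_html( $_SERVER['REQUEST_URI'] ) . "\n\nQuery Object:\n";
    var_dump( $wp_query ); // dump the query object for comparison
    die(); // stop here so only the debug output is sent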

    Request an order page and other pages (if any) that must have the login message, then request a few other pages that should not have the message. For each request, post the resulting HTML source in pastebin for me to review. You may run several requests together on a single pastebin page, but please keep the must appear pages separate from the should not appear pages.

    One more question: Are the pages otherwise working correctly without restriction or missing information? In other words, do I just remove the message, or is there other functionality that needs to change?

    The very worst thing that would be required is you would need to compile a list of all page IDs that should not show the message. I hope it will not come to this because anytime you add another such page, you need to update the list. I’ll do my best to avoid this.

    Errrrr, party just started.

    “First of all, confirm which template file is generating this” What do you mean by this? Is it the order page? I thought Order.PHP generates it.

    “Request an order page and other pages” hmmm, request!!? do you mean simply open the page in a browser then copy the HTML codes?

    All other pages are info that’s open for all visitors. I only want to restrict the New order page, and “view my order page”.

    Sorry if my questions seem a bit newbie, I’m a WP newbie .. My coding background at max was a couple of programming classes years ago in college.

    By the way, the New Order page shows a different msg, which is you must be registered to make an order etc.

    So, the issue is with the msg that was supposed to be shown when pasting an order link in a browser without being logged in.

    cheers

    Yes, it should be order.php, the matching message confirms it. The only purpose here was so you insert the test code on the right file. The test code reports which file it’s running on anyway.

    Yes “request a page” means open it in your browser. Sorry for using jargon, I forget how normal people speak sometimes 🙁 I think the reason “request” is used amongst programmers is that is how the address you type into the browser is seen by the server, the browser is requesting a page from the server. In fact, this request string is available in PHP as $_SERVER['REQUEST_URI']

    I do understand that only order requests (I’m free to use this term now, right? 🙂 ) should require logins. The test code will print out the query object created by any request that causes the order.php template to load. I need to see query objects from both order requests and a few non-order requests in order to identify what is different about the queries. If there are no differences that can be exploited, getting this working gets more complicated.

    And I need the HTML source of the resulting output only because the browser often hides important information and ignores important text organization. You will see the output is not valid HTML at all, so don’t be surprised when your header, footer and all other page chrome disappear again. It’ll be easily restored by deleting the test code once the data has been gathered.
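
The ownership check from the two replaced `continue` conditions, together with the later problem of telling order requests from other requests, as an added example that is not part of the thread or its pastebin files: a `template_redirect` guard for a small plugin or the theme's functions.php. It assumes user ID 2 is the shared visitor author and that only order posts carry the `order_email` meta key; the function and constant names are hypothetical.

```php
<?php
// Added example, not the thread's pastebin code.
// Assumptions: user ID 2 is the shared "visitor" author, and only order
// posts carry the 'order_email' meta key.
const ORDER_VISITOR_AUTHOR_ID = 2;

/**
 * Decide whether a viewer may see an order. Mirrors the two `continue`
 * conditions quoted earlier in the thread, as one positive check.
 */
function order_viewer_allowed( $viewer_id, $viewer_email, $is_admin, $author_id, $order_email ) {
	if ( $is_admin ) {
		return true; // admins see every order
	}
	if ( (int) $viewer_id <= 0 ) {
		return false; // not logged in
	}
	if ( (int) $author_id !== ORDER_VISITOR_AUTHOR_ID ) {
		return (int) $author_id === (int) $viewer_id; // order placed while logged in
	}
	// Order placed as a visitor: fall back to the email stored with the order.
	// This is only as trustworthy as the profile email, so it assumes that
	// address is verified. Compared case-insensitively (a choice made here).
	$profile = strtolower( trim( (string) $viewer_email ) );
	$stored  = strtolower( trim( (string) $order_email ) );
	return '' !== $profile && $profile === $stored;
}

/**
 * Enforce the check once per request, before any template output.
 */
function restrict_order_view() {
	if ( ! is_singular() ) {
		return; // archives, search, home: not a single order
	}
	$post = get_queried_object();
	if ( ! ( $post instanceof WP_Post ) ) {
		return;
	}
	$order_email = get_post_meta( $post->ID, 'order_email', true );
	if ( empty( $order_email ) ) {
		return; // no order meta: an ordinary page, leave it public
	}
	if ( ! is_user_logged_in() ) {
		auth_redirect(); // redirects to the login page and exits
	}
	$user    = wp_get_current_user();
	$allowed = order_viewer_allowed(
		$user->ID,
		$user->user_email,
		current_user_can( 'manage_options' ),
		$post->post_author,
		$order_email
	);
	if ( ! $allowed ) {
		wp_die(
			esc_html( 'If this is your order and you cannot see it, please contact the admin.' ),
			'',
			array( 'response' => 403 )
		);
	}
}
add_action( 'template_redirect', 'restrict_order_view' );
```

Because the decision lives in one function that takes plain values, each combination of admin, owner, visitor order and stranger can be checked without loading a template.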
