Only Admins and the post author can view a post, is it possible? (38 posts)

  1. bcworkz
    Posted 2 years ago #

    Yes, it should be order.php, the matching message confirms it. The only purpose here was so you insert the test code on the right file. The test code reports which file it's running on anyway.

    Yes "request a page" means open it in your browser. Sorry for using jargon, I forget how normal people speak sometimes :( I think the reason "request" is used amongst programmers is that is how the address you type into the browser is seen by the server, the browser is requesting a page from the server. In fact, this request string is available in PHP as $_SERVER['REQUEST_URI']

    I do understand that only order requests (I'm free to use this term now, right? :) ) should require logins. The test code will print out the query object created by any request that causes the order.php template to load. I need to see query objects from both order requests and a few non-order requests in order to identify what is different about the queries. If there are no differences that can be exploited, getting this working gets more complicated.

    And I need the HTML source of the resulting output only because the browser often hides important information and ignores important text organization. You will see the output is not valid HTML at all, so don't be surprised when your header, footer and all other page chrome disappear again. It'll be easily restored by deleting the test code once the data has been gathered.

  2. alisalem
    Posted 2 years ago #

    Doing the above is too TECH for me :D .. I will need more time trying to figure out all of the above. The learning curve at my level is pretty much horizontal lol ..

  3. alisalem
    Posted 2 years ago #

    I have been trying to figure out the above with no positive outcome. I tried to add the code on the top of the code page, but once I request the order page, it's a blank white page. I might be doing it incorrectly though. I deleted the code and things went back to normal.

    How can I provide you with this: "HTML source of the resulting output"? Is it by saving the page as HTML?

    Also, "I need to see query objects from both order requests and a few non-order": is this by providing the HTML as well?

    Sorry, my knowledge on coding is very limited.

  4. bcworkz
    Posted 2 years ago #

    Don't worry about your limited knowledge, we all have to learn at some time. Besides, it's on par with my ability to make stupid coding errors :(

    That's right, the white screen was my fault. Sorry, once again. I'm saying that much too often, I truly regret it. This time it was impossible for me to test the code when I wrote the post, I should have at least warned you. I fear it caused you much more grief than it deserved. Nothing to do now but move on. Here is the corrected code, tested this time, and I added some formatting to make it easier for you.

    // Diagnostic only: print the template path, the request URI and the main
    // WP_Query object so requests can be compared; delete once the data is collected.
    global $wp_query;
    echo "<pre>Template: ".__FILE__."\nRequest: {$_SERVER['REQUEST_URI']} \n\nQuery Object:\n";
    var_dump( $wp_query );

    Place this right below the template name comment closing symbols (below the */ line). This code will output data I need, but will prevent normal template operation, you will only see plain, structured text and maybe a few random images.

    You can now copy/paste directly from the browser page if you like, the pre tags eliminate the need to worry about getting the source version. You can also save the page as .html if you can save it somewhere where I can access it, perhaps a new folder on your server? Whatever is easiest for you, I can figure out the rest as long as you provide the links to the data.

    Once you have collected the data for me, delete the code to restore normal operation.

    The code's output is the "query object" I need to see, no extra effort is required for that. Once again as a reminder, I need to see the code's output from one order request that must require login, as well as other page requests using the same template that must not require login.

    If I can identify any difference between the requests, the code will be much easier to maintain. If there is absolutely no difference other than the ID, you will be forced to add an ID to a list anytime you create a page that must not require a login. This would be a real annoyance and a detail easily forgotten, so I very much wish to avoid that situation if at all possible.

    BTW, I again have access to my development environment so I looked at your login page. Changing the label is easy enough. We also need to alter how the form is processed. Fortunately, the page uses the default wp_signon() function, so I know very well how to work with that. I'm quite sure allowing either email or username along with password will be something that can be done.

    We should wait on looking more into this until the order template issue is resolved. You don't need to understand the rest of this, it's more to serve as a reminder to myself. We will hook into the 'wp_authenticate' action fired from wp_signon() before the authentication is actually done. If the username form field is a valid email, we look up the associated username and substitute the actual username for the user email that was provided in the username field. If the email was not found, we leave the field unchanged just in case the username happens to be a valid email.

    There's a very unlikely possibility that someone's username is someone else's valid email in the database, in which case the wrong password hash will be checked. We can avoid this by checking for a username failure first, but I don't think it's worth the extra DB query for such an unlikely scenario. The only result is the person with the username as someone else's email cannot log in to their account. Serves them right for using someone else's email as a username!
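
    The hook described in the two paragraphs above, written out as an added example (this is not bcworkz's code or anything from the thread; the function name example_allow_email_login is made up). It hooks the 'wp_authenticate' action that wp_signon() fires before credentials are checked, and it takes the safer variant the post mentions: an existing username is checked first, so an account whose username happens to be someone else's email is never handed the wrong password hash, at the cost of one extra DB query.

```php
<?php
/**
 * Added example (not bcworkz's code): accept either a username or an email
 * address in the username field of the default WordPress login form.
 *
 * wp_signon() fires 'wp_authenticate' with $username and $password passed by
 * reference, so rewriting $username here changes what the normal
 * username/password authentication will look up. Drop this into a small
 * plugin file or the theme's functions.php.
 */
add_action( 'wp_authenticate', 'example_allow_email_login', 10, 2 );

function example_allow_email_login( &$username, &$password ) {
    // Only act on something that looks like an email address.
    if ( empty( $username ) || ! is_email( $username ) ) {
        return;
    }

    // Safer variant from the post: if a real account uses this address as its
    // username, leave the field alone so that account's own hash is checked.
    if ( get_user_by( 'login', $username ) ) {
        return;
    }

    // Otherwise look the account up by email and substitute its login name.
    $user = get_user_by( 'email', $username );
    if ( $user instanceof WP_User ) {
        $username = $user->user_login;
    }
    // No match: field stays unchanged and the normal login failure follows.
}
```

    Nothing about the password is touched; the substitution only changes which account's stored hash wp_authenticate_username_password() compares against, so the usual failed-login handling and any brute-force protections keep working unchanged.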

  5. alisalem
    Posted 2 years ago #

    Haha, no worries, I can't even work properly if I'm away from my own desk ..

    I pasted the code on order.php and below is the result:

    Here is the order page output:

    Now, I want to paste the code you provided for a non-order page, so I pasted the code for my site Calculator, and the result is here:

    There are normal pages like How To Order that has info on how to order, or the contact me page, but I can't find them in the WordPress editor therefore wasn't able to insert the code on them. If those are what you need, where can I find the pages to insert the code?

    I think you are right, we need to finish the order thing first before moving to the username thing. By the way, I would be able to have a test site that does not have any important info, and that you can log into so that you see all the code instead of pasting here. It would be a test site so even if it's gone, there would be no problem. Is this something allowed here?


  6. bcworkz
    Posted 2 years ago #

    Thanks for posting the output, I'm afraid I'm not communicating what I'm looking for well enough. The order.php output is perfect. I'm puzzled by the calculator page though. Is loading the calculator (without diagnostic code) causing the must login message to display? If so, something strange is going on that I'm unsure how to deal with.

    If not, that's a relief! I'm assuming the code on order.php is causing the login message, so placing my diagnostic code on order.php alone should suffice. Placing it on templates that I did not edit may not be that useful. So what I am expecting is with the code only on the order.php template, request any page besides an order page that has been showing the must login message but should not. If order.php is involved, the diagnostic output will appear even if there may be other output above it.

    If there is no diagnostic output, then the cause of the login message must lie elsewhere. The only other file I changed is orders-postes.php, try placing the diagnostic code there and see if you get output.

    If one of those two files is not the cause, tracking down the cause could be very difficult. Accessing your test installation may be the only way to track this down. Members are essentially forbidden from obtaining admin access to others' sites, though plugin authors and well established mods are given some leeway when there does not appear to be an alternative. Discussing such details in a public forum is not a good idea. I use gmail, my username is almost the same as here, except the 'z' is actually an 's'. Even contacting members off forum is against the rules, mainly because it can be used as a way to solicit paid employment. I've made it clear to you and others several times before that I'm not interested in employment. The other reason is off-forum communication denies other users the ability to benefit from any meaningful discussion. I always encourage people that are able to contact me directly to still use the forums for WP related questions so anyone can benefit from the solutions found. But certain things are just not appropriate for public forums.

    Speaking of which, take a look at the first line of the output you posted. If any of those folder names have sensitive information such as your host account username, obfuscate it by replacing some or all of the text with random characters. In theory, the username should not need to be a secret, but I feel better when I don't see my hosting username floating about on the Internet.

  7. alisalem
    Posted 2 years ago #

    Ah, I should have said that on the calculator page, the log in msg was showing and half of the calculator appears below the msg. So I should have probably tested other pages, but I was not able to locate the code for any other page.

    Thanks for clarifying, I have sent you the test site info. I'm hoping this will make it easy to see what's going wrong.


  8. bcworkz
    Posted 2 years ago #

    You're right, it was much easier! I immediately saw that my initial plugin that did not work correctly is still active! Deactivate it and the site should work correctly.

Topic Closed

This topic has been closed to new replies.
