Restricting Permissions In WordPress Multisite Dashboard - wordpress

I created a WordPress Network and for the most part I have been able to gate access to the backend perfectly using a plugin called "User Role Editor Pro" to modify access based on user role.
The problem is I cannot figure out what the permissions should be for the following navigation items: "
Dashboard > My Sites
Dashboard > Add New Site
You can see what I mean in the following screenshot: https://www.screencast.com/t/Y91cGtJhQd
I've scoured the WP Documentation but cannot seem to find it. I also tried it in PHP with the following code:
function remove_menus(){
remove_menu_page( 'my-sites.php' ); // Dashboard
remove_menu_page( 'index.php?page=wu-new-site' ); // Dashboard
}
add_action( 'admin_menu', 'remove_menus' );
But that has two problems... Frist it doesn't work, and two even if I did remove it from the nav, it would remove the permission so anyone familiar with WP could just paste a URL and access it. This is not secure.

You could just hide it with the remove_menu_page, and make a separate action, in the admin_init, that checks if the current screen is my_sites.php or index.php?page=wu-new-site and redirect to the dashboard, creative approach.
This doesn't solve the issue with xml-rpc most likely, so you'll most likely have to filter with that one too.
my-sites.php seems to be accessible to anyone that has "read" access, I suppose the reasoning is to allow users to navigate trough any sites they are registered trough the network easily.
Did you find an elegant solution for this ? I'm thinking the redirects & hiding from interface might be the only solution.

Related

WordPress functions.php - Admin html injection and submitting forms

I created a new navigation item on the left for my WP Admin:
add_action( 'admin_menu', 'addManagementMenuItem' );
function addManagementMenuItem(){
add_menu_page('Issue Management', 'Issue Management', 'manage_options', 'issue_management_slug', 'issue_management_building_function','',3);
}
function issue_management_building_function(){
if(!current_user_can('manage_options')){
}
else {
?>
...
...
So where I have the ellipsis ... is where my HTML begins and I write out some information to the page with various php echo statements to print some data out.
What I would like to do is now give the user the ability to enter in a filter and press submit. This would issue a POST to another page which would receive the post data, run some stuff, and spit out something else to the screen. I was just thinking this would take the user away from the WP-ADMIN area entirely (what I want to do is keep the user all within the right pane so it looks like it's natively happening on WordPress under my new admin area)
Something feels wrong about this approach above where I'm putting tons of html into functions.php - what is the way to create pages for a custom admin section where I can do things like post forms and go to multiple pages?
I was thinking the best solution would be to put an iframe in my injected HTML in functions.php, and then the pages can talk to themselves just like normal behind the scenes in WP-admin.
Could anyone point me in the right direction?
thanks!
Considering the user input/_POST features you'd like to add to this, you may want to consider building this functionality out as your own plugin. I've always kept custom functionality limited to non-user interaction in the functions.php file, but anything further would probably be better fit as it's own plugin.
For example, what if you created a plugin directory named nullhypothesis:
add_action( 'admin_menu', 'addManagementMenuItem' );
function addManagementMenuItem(){
add_menu_page('Issue Management', 'Issue Management', 'manage_options', 'nullhypothesis/file_to_do_your_bidding.php', 'issue_management_building_function','',3);
}
It's that fourth parameter that in the documentation mentions that you should include the menu_slug, but it doesn't necessarily need to only be a function - it can also be a file you define.
Then, in your file_to_do_your_bidding.php file (within your plugin), you can add whatever _POST functionality you'd need it to. It could also exist as the 'admin' page that the administrator/whoever interacts with.
Was that what you were looking for?

Hide Wordpress dashboard?

I'm new to wordpress and a bit confused with something. I'm trying to build a classified marketplace type of website for myself. I am NOT building this for a "client". I will probably be using a hack of several different plugins as my coding skills are not up to par. Eventually I will hopefully have lots of users who will be composed of buyers & sellers.
My question pertains to the WP dashboard. When buyers/sellers sign up for my site, will they be able to see the backend WP dashboard? I would prefer that they NOT be able to access a backend dashboard at all let alone a WP branded one. Is this possible? If so any clue as to how this might be accomplished?
thank you Brian
Normal users do not actually see the 'backend' WP dashboard. What they are seeing is a 'profile' type page meant for the original functionality of wordpres; being a blog.
If you do not want users to go to this page when they log-in, you can use a couple of hooks. Here is some code that redirects to the front page after logging-in and logging-out. This goes in your functions.php file.
add_action('login_form', 'ang_redirect_to_front_page');
add_action('wp_logout', 'go_home');
function ang_redirect_to_front_page() {
global $redirect_to;
if (!isset($_GET['redirect_to'])) {
$redirect_to = get_option('siteurl');
}
}
function go_home(){
wp_redirect( home_url() );
exit();
}
And, if your theme is still displaying the menu at the top of the screen that allows the users to go to this 'profile' area, you can go into your footer.php file and remove this:
<?php wp_footer();?>
However, if you do this, then you will not see it as the admin either.
WordPress is might not be the thing to use for that kind of website, even with a bunch of plugins. Read up on other content management systems just incase.
This link might answer your question:
http://buddypress.org/support/topic/how-to-prevent-non-admins-from-accessing-wp-admin-dashboard/
You can also add this to your theme's function.php file:
// DISABLE ADMIN BAR FOR ALL USERS
show_admin_bar( false );
If you are not too used to wordpress, use WOOCOMMERCE plugin. Its completely free and well documented

Duplicated permalinks on a wordpress page

First I have www.mywebsite.com/blog/ Which is another wordpress Blog under www.mywebsite.com.
Then I created a page inside www.mywebsite.com which has a url of www.mywebsite.com/blog/.
I want to change the first www.mywebsite.com/blog into www.mywebsite.com/blog2 so It won't confuse me anymore.
After changing the permalinks in the admin panel. I can't access www.mywebsite.com/blog anymore.
Is there any way to access the page of the original www.mywebsite.com/blog2/wp-admin? and view the duplicated page www.mywebsite.com/blog/?
Please comments if my question confuses you.
Thanks.
When moving your site, give the guide to moving wordpress or, in this case better, the guide of changing the wordpress url a glance.
Suppose you changed the URIs where you cannot move the files, but still can access the login page (through a redirection or something) you can recover your installation easily.
wp-login.php can be used to (re-)set the URIs. Find this line:
require( dirname(__FILE__) . '/wp-load.php' );
and insert the following lines below:
//FIXME: do comment/remove these hack lines. (once the database is updated)
update_option('siteurl', 'http://your.domain.name/the/path' );
update_option('home', 'http://your.domain.name/the/path' );
run it (once) and you are done. Test your site to make sure that it works right. If the change involves a new address for your blog, make sure you let people know the new address, and consider adding some redirection instructions in your .htaccess file to guide visitors to the new location. Delete those lines from your wp-login.php.

How to customize Wordpress Theme before going live

Yesterday I installed a new theme on Wordpress on my self-hosted website. I am aware of the feature that allows you to preview a theme and have used it to select a new Theme that I want to install.
Problem
I do not want to interrupt normal operations of my website, but this new theme requires a lot of customization before it is ready to go. How do I do this?
My Crappy Solution
Is the only way to go about it to run a virtual server on my desktop? This seems tedious, not to mention all the errors I usually get when switching to the "real" server when doing this.
A better way?
I've been searching on SO as well as the WordPress Forum for an answer as to how to do this, but have come up short. I would have thought this is a common question. Maybe I'm using the wrong search terms [themes, customization, before installing]???
Any help is greatly appreciated! Thanks!
Ok, since your question is a pretty good one and probably not a few people are going through the same process when they decide to update their site, I decided to give a try to the get_stylesheet and get_template filter hooks. It turns out that with a very small plugin, you can easily enforce a specific theme(well in this case any logged-in visitor, but you can change this to use any logic you want) according to a specific rule/s.
Here's the code that you need to put in a file in your plugins directory:
<?php
/*
Plugin Name: Switch Theme
Description: Switches the theme for logged-in visitors, while keeping the current theme for everyone else. !!!NOTE!!! Please back-up your database prior using this plugin - I can't guarantee that it will work with any theme, nor that it won't break your site's set-up - USE AT YOUR OWN RISK(I did a quick test and it seemed to be fine, but haven't done extensive testing).
You don't need to switch to the desired theme before that - you want to keep active the theme that you will display to your visitors - the one that you will see will be used programatically.
Before activating the plugin, change the line that says `private $admin_theme = '';` to `private $admin_theme = 'theme-directory-name';` where "theme-directory-name" is obviously the name of the directory in which the desired theme resides in.
*/
class MyThemeSwitcher {
private $admin_theme = '';
function MyThemeSwitcher() {
add_filter( 'stylesheet', array( &$this, 'get_stylesheet' ) );
add_filter( 'template', array( &$this, 'get_template' ) );
}
function get_stylesheet($stylesheet = '') {
if ( is_user_logged_in() && $this->admin_theme ) {
return $this->admin_theme;
}
return $stylesheet;
}
function get_template( $template ) {
if ( is_user_logged_in() && $this->admin_theme ) {
return $this->admin_theme;
}
return $template;
}
}
$theme_switcher = new MyThemeSwitcher();
So - first of all BACKUP YOUR DATABASE! I tested locally with Twenty Eleven being the default theme and a basic framework theme as my custom theme - the theme options and navigation menus were saved properly.
Then all you need to do is to update the file(change the line that says private $admin_theme = ''; to private $admin_theme = 'theme-slug'; where theme-slug is the name of the directory in which the theme you want to use is).
Also - you won't be able to change the Front page and Posts page options, without this affecting the live site, nor will you be able to change the any shared components that both themes use(Site name, Front Page, Posts page, Posts Per Page, etc options, content and so on).
So if you have no clue whether this solution is for you - well, it depends.
If both themes are not relatively complex, then most-likely you should be able to use this hack. If they are though maybe you should do a second installation of your website as others suggested - I think that a second installation in either a sub-domain or a sub-directory would be the best option for you(simply because moving a multisite database is more complex than moving a normal WP database).
I'd setup local apache server with a wordpress installed to customize and test a new theme. When you finished customizing it then you can upload the theme to your live site and activate it. If there are settings that you need to set in the dashboard then you probably will have to adjust them again. That's one way to test/customize a theme before putting it live.
You could create a network (make WordPress multisite with define('WP_ALLOW_MULTISITE', true);, see : http://codex.wordpress.org/Create_A_Network) and then create one sub-site, then turn it "off" with a Maintenance plugin so it is not accessible to users not logged in as admin, export your posts & data from main blog, import them in sub-blog with WordPress default importer, then apply your new theme to this sub-blog and work on it. When everything satisfies you, apply the theme to the main site and deactivate subsite.

How to create a profile page in Wordpress Multisite

I can't find a way to create a front-end profile page for all users under Wordpress Multisite Network. I also wanted the profile page to be on the main site and not on sub-sites if possible. I don't want to use any social network plugins like buddypress.. I just want to create a page like http://mainsite.com/profile/username
Is there a way to accomplish this?
Maybe you might check out Buddypress which is a social layer on top of Wordpress and is able to do what you need (i.e. something like http://mainsite.com/profile/username).
Link: http://buddypress.org/
More specifically, in Buddypress the default behaviour is http://mainsite.com/members/username
I have noticed that you have edited the question and that you are looking for a way to accomplish this without any plugin. There are a series of tags in Wordpress to show the author's data. So basically you could create a page and then use the_author_meta tags. For example the following code echoes the first and last name of a user whose name is stored in $userID:
<?php
$pagename = $userID;
echo the_author_meta(user_firstname, $userID );
echo the_author_meta(user_lastname, $userID );
?>
Please note that the variable $pagename is empty in case you use a static page as home page, but it is not your case.
Source: https://codex.wordpress.org/Template_Tags/the_author_meta

Resources