I am using a plugin which is Groups. This allows to handle groups, hierarchy and capabilities. Using this, I can restrict the access to post to some groups of users.
The API provided by this plugin has a Class which has a method giving me back all the accessible posts for the current user. I have to provide as parameters all the posts (via get_posts method) and the $wpdb.
As you can see, each time I call this method, queries are done, I really want to avoid it.
So, my question is what is the best way to handle it ?
A way should be to have a global variable (as SESSION, but I saw wordpress wasn't using it), in which I could store session variables as accessible posts. I could initiate this variable with the wp_login hook.
I really want to do something safe.
Related
I am currently writing a Magento 2 module that requires me to log customer actions like product views. This action needs to be added for both logged in customers and guest customers. My solution is to use a custom variable (array) in the session for the customer of all product ID's.
To get around full page caching I have implemented a frontend ajax request to log the product views.
I have a controller that when visited will save the product ID in the session. This works as expected when I visit the URL directly, however, when its visited via an AJAX request the saving of the session variable does not work.
I have spent hours trying to debug this, I have been outputting the contents of the session variable and when accessed with AJAX I can see the contents, it's just never updated.
```
/**
 * Append a product ID to the guest's product-view list held in the session
 * and return the updated list.
 */
public function setGuestCustomerProductView($productId)
{
    $guestProductViews = $this->_sessionManager->getGuestProductViews();
    $guestProductViews[] = $productId;
    $this->_sessionManager->setGuestProductViews($guestProductViews);

    return $guestProductViews;
}
```
The AJAX request will always return the contents of the session variable (plus the product ID you are viewing) but never sets the variable. If I visit the URL directly in the same browser the contents are shown and the session variable is updated.
Further AJAX requests show the new session variable data from the direct URL request.
Have I misunderstood something in regards to sessions and AJAX requests? The domain is the same so there is no cross domain issues.
Any help would be appreciated.
UPDATE
I am starting to think this is not a magento 2 issue and it's more of a general Session/AJAX issue.
I decided to test a theory and switch out the SessionManager and use PHP's $_SESSION global variable. This resulted in the same issue so it's not the handler that's the issue.
Further tests concluded the same session ID was being passed and used correctly. While using the SessionManager I called isSessionExists() directly before the set method. This method returned true which checks for not only a valid session ID but also confirms the headers haven't been sent.
I see no reason why this works directly in the browser but not over AJAX. I will continue to investigate unless someone posts an answer I can try out.
SECOND UPDATE
After several failed attempts to get this feature to work I have decided to drop the feature and try a different implementation. As it stands in my module I am not using cookies on the client side to record the product views and then reading the cookie in PHP. This works perfectly.
I hope my investigations here help someone in the future.
Can someone tell me how to pass a variable into Wordpress from an incoming URL? For example, I have a visitor following this link:
http://mywebsite.com?variable=white
When they arrive at my wordpress site, I want to pull that "white" variable and store it for future use in my MailChimp list and departing links like this:
store mailchimp color
http://mySecondWebsite.com?favoriteColor=white
I want this to be temporary and specific to this user only. I understand the concept and use of session_start(), but I have no idea how to use this in conjunction with Wordpress. Any help is appreciated.
You can use the GET variables to fetch information from a URL. You can read out the $_GET array in PHP to get to your variable.
The part that's tricky is that inside your WordPress application, you should check whether the user is logged in, and then update the user's information based on the current session. This is basically what you're looking for.
If the user is not logged in already, you can of course not update his account by just that URL. You'd then need to add more info - something like a hash in the URL that's unique for this user and allows you to update a preference without logging in.
I'd like to store data per user without any form of login system.
The user clicks an item and this item is attributed towards them (like a shopping cart, but these aren't products and nothing is sold). So the user can browse different items then basically add them to cart, effectively. I want it to work like a traditional session would, only not using a session. I read that this is discouraged in Wordpress.
What's the best way to achieve something like this in Wordpress then? Is the Transients API appropriate for this task? Or some other means?
The transients API is of no benefit to you for this particular purpose. They'd have to be specific to each user and soon enough your options table would be huge.
You need to set a cookie instead.
You can use JS (or better, jQuery) to call PHP script using ajax/post/get internal jQuery functions and then set a cookie using PHP.
I am developing a dynamic website using PHP. When a user of the website creates an account, a profile page should be created for that user. Say, a user called 'dev23' creates an account on my website, his profile should be accessible through the link www.mysite.com/dev23
How do I create such a thing? Should I create a standard page like userprofile.php which is populated with data specific to the username provided? Or should I create a permanent webpage for every user?
Please let me know the right approach to this problem.
Is the www.mysite.com/dev23 meant to be public or only visible to the logged in user?
If it is only visible to the logged in user, you can create a myprofile.php file which retrieves the logged in user from the session and retrieves data accordingly.
If it is meant to be a URL that other users can hit, you probably want some sort of userprofile.php page with data passed along to identify the user to be viewed. For example, the url might be www.mysite.com/userprofile.php?user=dev23. If you are using Apache for your web server, you can look at using mod_rewrite to make the URL prettier. Thus, you could have the URL www.mysite.com/user/dev23 routed to userprofile.php?user=dev23 and your PHP processes the same. It is just a means of making URLs be more user friendly than a naked query string. This is common amongst many PHP-based CMS systems such as WordPress, Joomla, etc.
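A single `userprofile.php` that serves every user has to treat the `user` value from the URL as untrusted input. The following is an added example, not code from the answer above: the table and column names, the username rule and the function names are assumptions, and it needs the pdo_sqlite extension to run its constructed sample data.

```php
<?php
// Added example. Table/column names, the username rule and the function
// names are assumptions made for illustration.

/** Return the profile row for a URL-supplied username, or null. */
function find_profile(PDO $db, string $raw): ?array
{
    // Allowlist the slug first: 3-20 characters from a-z, 0-9 and underscore.
    if (!preg_match('/\A[a-z0-9_]{3,20}\z/', $raw)) {
        return null;
    }
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT username, bio FROM users WHERE username = ?');
    $stmt->execute([$raw]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return $row === false ? null : $row;
}

/** Render the page body; every stored value is HTML-escaped on output. */
function render_profile(?array $row): string
{
    if ($row === null) {
        http_response_code(404);
        return 'No such user';
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    return '<h1>' . $e($row['username']) . '</h1><p>' . $e($row['bio']) . '</p>';
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, bio TEXT)');
$db->exec("INSERT INTO users VALUES ('dev23', 'Likes <b>PHP</b>')");

// In userprofile.php the value would come from $_GET['user'] after the
// rewrite; check is_string() first, because a query string can carry arrays.
foreach (['dev23', "dev23' OR '1'='1", '../etc/passwd'] as $user) {
    echo render_profile(find_profile($db, $user)), PHP_EOL;
}
```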
Ideally you should be creating a single file that handles all users.
Certain frameworks like SkyPHP allow this by defining the attributes after a valid page as "queryfolders" which can be used much like GET/POST variables.
If you are not using a framework, I might suggest you look into using one to simplify your tasks.
SkyPHP also has a functionality where a single field in a table can be used to pull this data simply by defining the page as _table.field_name_
It will check to see if there is a matching table and field to pull the data from and will automatically pull the id of the record whose field's value matches that of the url and assign it to a variable.
Example... If we have a table called category and a field named slug, one would create a page named _category.slug_.php
Then the url... http://mydomain.com/watches would look for "watches" in category.slug and pull back the identifier of the record as $category_id with $category_slug available also.
It would solve your issue if you are willing to give it a shot.
Again refer to the documentation here... http://switchbreak.com/skyphp
I have used Zend Framework for nearly 3 months and I'm searching for a method to pass parameters from the view to the controller in a secure way. I prefer to pass the parameters like the $_POST method, but I don't want to use forms.
Is there any method to use in ZF? I only know the url() method but I don't know if this method works well for passing important data to the controller.
HTTP is a stateless protocol and you can basically choose from four solutions to preserve information between requests (as this is, I think, what you are trying to do, isn't it):
Query string
Hidden elements in forms
Cookie
Session
Session would be the safest. In ZF you have the Zend_Session component to help you with session management.
As far as sending POSTs without a form, it is rather difficult. Have a look at: Zend Framework: How to POST data to some external page (e.g. external payment gate) without using form?. However, if you only want to send POST data then you could do it in PHP using cURL.
I think you might be looking for Session variables.
You want to send something that can't be seen from URL into the next request, right? Session is ideal for that.
Update:
I read your question as:
"There is this variable in page, that somehow changes. I want the user to send it to the server, but it should not appear in the URL. But without using forms."
There is no way to initiate a POST request (like let the user post a password or sth like that) from the browser without forms or a JavaScript AJAX call. To send some data via POST you can use Zend_Http_Client(), but that's done server-side and you still need to make a GET request first.
May I ask you how would you implement it using GET? That would help us to understand what exactly you'd like to do.
And the last idea:
"I'm searching for a method to pass parameters from the view to the controller in a secure way"
JUST BECAUSE IT'S NOT IN URL IT'S NOT SECURE! :)
I think what you can use is a digest key
The method has nothing to do with security: GET, POST, cookies or session, a person on the client side can manipulate the params.
Example:
mywebsite.com/widget.php?id=1234&action=delete
A person can change the GET param id and delete whatever they want. Obviously, your controller should implement Auth and perhaps an ACL, for authentication and authorisation, but this still won't prevent URL tampering. For example, what's to stop Bob logging in and altering a URL to edit John's widget?
You generate a digest key by concatenating the params into a string:
1234+password = "1234password" then generate the MD5 of the result = d5b1ee4b463dc7db3b0eaaa0ea2cb5b4
pass this along the url.
mywebsite.com/widget.php?id=1234&action=delete&mac=d5b1ee4b463dc7db3b0eaaa0ea2cb5b4
inside widget.php you can use the same formula to calculate the digest key and check to see if it matches. If they attempt to change the id to say 4567 the MD5 result would be 09fef3620249f28ae64adc23bded949, so you can deny the request.
If you have more than 1 param on your URI, string them together, add the password and generate an MD5 or SHA1.
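The digest-key check described above, as an added example that is not part of the original answer: it uses HMAC-SHA256 with a server-side key in place of the MD5-of-concatenation shown there, and compares in constant time. It goes one step beyond the answer by binding the tag to the logged-in user's id, so a link issued to one user does not verify for another; `SECRET_KEY`, the function names and the user ids are assumptions.

```php
<?php
// Added example. SECRET_KEY, the function names and the user ids are
// assumptions; load the real key from configuration, not from source code.
const SECRET_KEY = 'constructed-demo-key-change-me';

/** Return the HMAC-SHA256 tag over the parameters and the owning user id. */
function sign_params(array $params, int $userId): string
{
    unset($params['mac']);   // the tag never signs itself
    ksort($params);          // make the result independent of parameter order
    // http_build_query encodes names and values with separators, so
    // ("12", "34") and ("1", "234") cannot produce the same signed string,
    // which plain concatenation of the values would allow.
    $canonical = $userId . '|' . http_build_query($params);

    return hash_hmac('sha256', $canonical, SECRET_KEY);
}

/** Check the 'mac' parameter against a freshly computed tag. */
function verify_params(array $params, int $userId): bool
{
    if (!isset($params['mac']) || !is_string($params['mac'])) {
        return false;
    }
    // hash_equals compares in constant time, unlike == or strcmp.
    return hash_equals(sign_params($params, $userId), $params['mac']);
}

// Constructed sample: a delete link issued to user 7 for widget 1234.
$bob  = 7;
$john = 8;
$link = ['id' => '1234', 'action' => 'delete'];
$link['mac'] = sign_params($link, $bob);

$tampered = $link;
$tampered['id'] = '4567';    // id changed, tag left as issued

$cases = [
    'link as issued, same user' => verify_params($link, $bob),
    'id changed after signing'  => verify_params($tampered, $bob),
    'link replayed by another'  => verify_params($link, $john),
];
foreach ($cases as $label => $ok) {
    printf("%-27s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The tag only shows that the server issued the link; the controller still has to check that the logged-in user is allowed to act on the widget.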