
Block Contributors from admin, but allow front-end delete posts

  • SOLVED

I have a site with some front-end post creation and editing capability for Contributors. I would like to block all non-admins from the admin, but allow them to delete posts via links created via get_delete_post_link. I have already run a function to allow Contributors to delete posts; it works when the redirection is off. The links look like the following:

http://myurl.com/wp-admin/post.php?post=10&action=delete&_wpnonce={nonce}

The below redirection prevents the delete links from working. Is there any way I can allow requests to only URLs like ".../wp-admin/post.php?&action=delete..."?

function my_admin_redirect() {
    // Send Contributors away from every wp-admin page (AJAX requests excepted).
    if ( is_admin() && ! defined( 'DOING_AJAX' ) && current_user_can( 'contributor' ) ) {
        wp_redirect( 'http://www.cheesesociety.org/competition/enter-new/' );
        exit;
    }
}
add_action( 'init', 'my_admin_redirect' );


Thanks!

Answers (2)

2013-03-25

Gabriel Reguly answers:

Hi Adam,

Please try


function my_admin_redirect() {
    if ( is_admin() && ! defined( 'DOING_AJAX' ) && current_user_can( 'contributor' ) ) {
        // Let delete requests through; wp-admin/post.php still verifies the
        // nonce and the delete_post capability before anything is removed.
        if ( isset( $_GET['action'] ) && 'delete' == $_GET['action'] ) {
            return;
        }
        wp_redirect( 'http://www.cheesesociety.org/competition/enter-new/' );
        exit;
    }
}
add_action( 'init', 'my_admin_redirect' );


Regards,
Gabriel
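
The early return above lets any wp-admin request through as soon as ?action=delete appears in the query string, which also admits URLs such as users.php?action=delete or plugins.php?action=delete (WordPress's own capability checks still stop the action itself, but the user is no longer redirected out of the admin). The following is an added example, not code from the question or from Gabriel's answer: it narrows the bypass to wp-admin/post.php with a post ID, a delete or trash action and a nonce that verifies, and redirects everything else. post.php then performs its own check_admin_referer() and current_user_can( 'delete_post', $post_id ) before deleting, so this filter only decides who is redirected; it does not replace WordPress's authorisation of the delete. Treating manage_options as the mark of an administrator and /competition/enter-new/ as the landing path are assumptions made for the example.

```php
<?php
/**
 * Added example (not code from the original question or answers).
 *
 * Assumptions: "non-admin" means "lacks manage_options", and the landing
 * page is /competition/enter-new/ on this site.
 */

function my_is_front_end_delete_request() {
    global $pagenow; // set in wp-includes/vars.php, before plugins are loaded

    if ( 'post.php' !== $pagenow ) {
        return false;
    }
    if ( empty( $_GET['post'] ) || empty( $_GET['action'] ) || empty( $_GET['_wpnonce'] ) ) {
        return false;
    }

    $post_id = absint( $_GET['post'] );
    $action  = sanitize_key( $_GET['action'] );
    $nonce   = is_string( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';

    // get_delete_post_link() emits action=delete (force delete, or
    // EMPTY_TRASH_DAYS == 0) or action=trash, and signs the link with the
    // nonce action "{$action}-post_{$post_id}".
    if ( ! in_array( $action, array( 'delete', 'trash' ), true ) ) {
        return false;
    }

    // Verify the nonce here as well, so a hand-crafted link is redirected
    // away instead of reaching post.php and producing the "Are you sure?" screen.
    return (bool) wp_verify_nonce( $nonce, "{$action}-post_{$post_id}" );
}

function my_admin_redirect_non_admins() {
    if ( ! is_admin() || ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // assumption: administrators are identified by manage_options
    }
    if ( my_is_front_end_delete_request() ) {
        return; // let post.php handle (and re-check) the delete
    }
    // wp_safe_redirect() only follows same-host (or allowed-host) URLs.
    wp_safe_redirect( home_url( '/competition/enter-new/' ) );
    exit;
}
add_action( 'init', 'my_admin_redirect_non_admins' );
```

The role-name check in the original (current_user_can( 'contributor' )) is replaced by a capability check because a role is not a capability; testing for the capability you actually mean is what WordPress's own code does.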


Adam Bundy comments:

Gabriel, that works great. Thank you very much!



2013-03-25

Daniel Yoen answers:

Try this :

<?php
// Show the delete link only to the post's author. The link still carries the
// delete nonce; wp-admin/post.php re-checks it and the delete_post capability.
if ( (int) $post->post_author === get_current_user_id() ) : ?>
    <a href="<?php echo esc_url( get_delete_post_link( $post->ID ) ); ?>">Delete post</a>
<?php endif; ?>


Hope this helps :-)


Adam Bundy comments:

@Daniel, I think you may have misunderstood. I'm not looking to conditionally display the links. I want to keep Contributors from getting into the admin, but allow them to use the delete post links (which hit the admin, so they are being prevented from working by the redirect script).


Daniel Yoen comments:

Sorry,

I think you can't do this, for security reasons; get_delete_post_link() is also used in the admin panel.

Alternatively, you can use wp_delete_post($post_id), getting $post_id from the URL.

maybe like this :
$post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
$post    = get_post( $post_id );
// Only the author may delete, and only with a valid nonce; without the nonce
// check this would be a CSRF target.
$nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
if ( $post && (int) $post->post_author === get_current_user_id()
     && wp_verify_nonce( $nonce, 'delete-post_' . $post_id ) ) {
    wp_delete_post( $post_id, true ); // true: bypass the trash
}


hope this helps :-)
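
The wp_delete_post() route suggested here can be made complete without touching wp-admin at all, which is what lets the admin redirect stay unconditional. The following is an added example, not code from the thread: the template link is signed with a nonce to a front-end URL, and a template_redirect handler verifies that nonce and then the same per-post delete_post capability that wp-admin/post.php checks, instead of only comparing post_author (which ignores roles and post status). The query variable name my_fe_delete, the nonce name _my_fe_nonce, the nonce action prefix my_fe_delete_ and the redirect target home_url( '/' ) are hypothetical names chosen for the example.

```php
<?php
/**
 * Added example (not from the original thread): front-end post deletion that
 * never loads wp-admin/post.php.
 *
 * Assumptions: "my_fe_delete", "_my_fe_nonce", the nonce action prefix
 * "my_fe_delete_" and the home_url('/') redirect are example names only.
 */

// Build a front-end delete link for a post, or '' if the current user may not
// delete it. Use in a template in place of get_delete_post_link(), e.g.
//   <?php if ( $link = my_fe_delete_link( get_the_ID() ) ) : ?>
//       <a href="<?php echo esc_url( $link ); ?>">Delete post</a>
//   <?php endif; ?>
function my_fe_delete_link( $post_id ) {
    $post_id = absint( $post_id );
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        return '';
    }
    $url = add_query_arg( array( 'my_fe_delete' => $post_id ), home_url( '/' ) );
    return wp_nonce_url( $url, 'my_fe_delete_' . $post_id, '_my_fe_nonce' );
}

// Handle the click on the front end, before any template is rendered.
function my_fe_handle_delete() {
    if ( empty( $_GET['my_fe_delete'] ) ) {
        return;
    }
    $post_id = absint( $_GET['my_fe_delete'] );
    $nonce   = isset( $_GET['_my_fe_nonce'] ) && is_string( $_GET['_my_fe_nonce'] )
        ? $_GET['_my_fe_nonce'] : '';

    // Nonce first: a missing or stale token means a forged or replayed link.
    if ( ! wp_verify_nonce( $nonce, 'my_fe_delete_' . $post_id ) ) {
        wp_die( 'Invalid or expired delete link.', 'Delete failed', array( 'response' => 403 ) );
    }
    // Then authorisation: the capability post.php checks. With default role
    // capabilities a Contributor passes only for their own unpublished posts.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'You are not allowed to delete this post.', 'Delete failed', array( 'response' => 403 ) );
    }
    if ( ! wp_delete_post( $post_id, true ) ) { // true: bypass trash, like action=delete
        wp_die( 'Could not delete the post.', 'Delete failed', array( 'response' => 500 ) );
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'template_redirect', 'my_fe_handle_delete' );
```

Because the handler reads the nonce and the capability itself, it does not depend on the wp-admin redirect at all; if the asker later extends Contributor capabilities (as the question says was done), current_user_can( 'delete_post', $post_id ) picks that up without changes here.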


Adam Bundy comments:

@Daniel,
The get_delete_post_link() method works from the front-end, and seems to be the method most widely used, but again, it gets prevented by my admin redirect. Is there a way to modify the conditions of my admin redirect above to allow contributors to access ONLY 'wp-admin/post.php' with action=delete? If this is a security risk, please explain.

Thanks!


Daniel Yoen comments:

Yes, it works in the front-end, authenticated by the nonce; the nonce is a token generated by WordPress.
About wp_nonce:
A nonce is used for security purposes to protect against unexpected or duplicate requests that could cause undesired permanent or irreversible changes to the web site and particularly to its database. Specifically, a nonce is a one-time token generated by a web site to identify future requests to that web site. When a request is submitted, the web site verifies whether a previously generated nonce expected for this particular kind of request was sent along and decides whether the request can be safely processed, or a notice of failure should be returned. This can prevent unwanted repeated, expired or malicious requests from being processed. A nonce is usually included in a hidden HTML form field or as a part of a URL and therefore sent with a request by submitting a form field or visiting a link. If a request is not verified, the web site can generate a new nonce in its response and prompt the user to intentionally confirm the repetition of the request. In WordPress, the response message is "Are you sure you want to do this?" by default.

http://codex.wordpress.org/Glossary#Nonce


Adam Bundy comments:

@Daniel, thanks for the info about the nonce; the nonce is included in the link generated by get_delete_post_link (see original post). Do you have an answer about the redirect function?


Daniel Yoen comments:

Sorry, just to make it clear.

I mean, you want to delete the nonce variable from the URL, right? But I think you can't do that; you can't trigger a wp-admin action without a nonce, for security reasons. Your redirect script is breaking the wp nonce auth, and the script stops there. Thank you

:-)


Adam Bundy comments:

@Daniel, no, I'm sorry, that's not what I'm asking for. Looks like Gabriel's answer below has potential. Thanks for your time.