|
Thanks Bruce,
I am not using MOP vars. I am doing a simple thing: a user registers for 24 hours and pays a registration fee. After that, they upload the image to the member area and fill in a description form. I am not a professional programmer. Therefore, I would like to keep it simple, i.e. if it works and serves my purpose then I am happy with it :-)
|
|
Thanks Bruce,
After reading your post, I did it through s2hack.php in mu-plugin. I used the following:
// Send visitors without Level 1 access to the payment page when the URI carries redirect_to=.
if (strpos($_SERVER['REQUEST_URI'], 'redirect_to=') !== false && current_user_can('access_s2member_level1') === false) {
    wp_redirect('http://shaadiconnections.com/hotornot-payment/');
    exit;
}
It does redirect to the desired page. I hope it is the correct way of doing it.
|
|
Jason,
Thanks. I believe I may have found a simpler solution. Only registered users can fill in the form, but the uploaded images are visible to visitors. The registration page takes them to the payment page. I moved the existing features protected by s2Members to level2, and this new one to level one. On the development, the concept seems to work.
|
|
Sorry, I am not being clear. Let me try again. http://www.shaadiconnections.com/hotornot-2/ is a page which has a form and a field to upload an image, then a button “Create Competitor”. When a user clicks on “Create Competitor”, the image is uploaded. I want the page to be visible to all the visitors, but when they click (that is, onclick or onsubmit) the “Create Competitor” button after uploading the image, it should take them to a payment page. It looks like a way is needed to protect an onclick or onsubmit button, not the entire page.
|
|
Well, those are blocking the whole page from visitors. I wanted them to be taken to the membership payment page when they click the “Create Competitor” button after uploading the image and filling in the form field.
The following is the code in their PHP file, which is triggered after pressing the Create Competitor button.
$ret .= ' <p class="wp-user-submit-submit"><input type="submit" value="'. __("Create Competitor", "showdownusersubmit").'" /> </p>';
|
|
That would protect the whole page? I want visitors to see the Page without registering, but when they click on “Create Competitor” button to submit an image, they are taken to the payment page and after payment is made return to the site.
|
|
Jason,
I am not aware of specific security issues. However, I do see hacking attempts on a daily basis from China, India, Russia and Ukraine. All of those hackers try the string http://www.example.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1&qcABC=1&ver=120703-120703-1784216801. Therefore, I assume that there is something known to hackers about it. I have ZBBlock from spambotsecurity.com installed, which blocks these kinds of remote queries. My ZBBlock log files have over 100 of these queries from various hackers.
|
|
I did a little search on this issue. This issue was discussed on your free plugin public forum in 2011 Q1. Anyone can execute http://www.example.com/wp-content/plugins/s2member/s2member-o.php?ws_plugin__s2member_js_w_globals=1&qcABC=1&ver=120703-120703-1784216801
It shows data in the browser, even though not sensitive, but public, and logged-out users should not be able to see it in the browser by executing a remote query. It gives hackers an option to look for exploitable loopholes, and it also displays the email address, which spammers collect to spam. This should be fixed.
|
|
Thanks Cristian,
I noticed in the log file that a couple of Russian hackers also tried the same query remotely. Looks like some hackers know something about it? Anyway, I feel safe, because ZBBlock instantly bans anyone who tries to execute queries remotely.
|
|
I already tried the PHP, but it always inserts it on a new line, either after the other badges or before.
|
|
If you want your login/registration page to have your WP theme look, I would recommend downloading the WP Custom Login plugin from WordPress. Install it and activate it. Your login page will have the header, footer and background of your theme.
|
|
It seems to be a permission issue. I set up a couple of test cron jobs, which gave an error, “The You don’t have permission to access /wp-admin/tools.php”
|
|
Hi Raam
Yes, that did work.
|
|
Hi Raam
Yes, users are signing up with Level 1. They should be demoted to level 0 after the EOT expires, which is not happening. I have to manually change their level to level 0 from level 1.
|
|
Cristian
Here is the screen capture of the EOT panel

Looking forward to your suggestions.
Thanks
|
|
Raam,
Thanks for the reply. Yes, there is a date set in the Automatic EOT Time field. But the user is not demoted after the date and time set in the Automatic EOT Time field.
|
|
Thanks Cristian. Your hack is foolproof to protect URI. It is very much appreciated.
|
|
Hi Cristian,
Yes, I tried URI restrictions without the /members/? part. It did not work. Anyway, the hack is working perfectly. I edited it to accommodate my URIs.
|
|
Hi Jason
My WP Permalinks do include trailing slash, and my URI Restrictions look like this:
/members/?pid=5&pagetitle=save_searches
/members/?pid=6&pagetitle=privacy_settings
/members/?pid=6&pagetitle=skype_settings
/members/?pid=13&pagetitle=viewed_me
/members/?pid=13&pagetitle=i_viewed
/members/?pid=13&pagetitle=trending
/members/?pid=13&pagetitle=interest_cloud
/members/?pid=1&pagetitle=view_winks
/members/?pid=1&pagetitle=view_friends
/members/?pid=1&pagetitle=my_favourites
/members/?pid=1&pagetitle=my_matches
/members/?pid=1&pagetitle=alerts
/members/?pid=1&pagetitle=blocked
It does not work. I am using Month and Name option from WP Permalink, which looks like http://www.mydomain.com/2012/08/sample-post/
However, the hack protects URI
<?php
add_action ('wp_loaded', 'ccap_uri_restriction', 1);
function ccap_uri_restriction() {
    if (strpos($_SERVER['REQUEST_URI'], '/members/') !== false && current_user_can('access_s2member_level0') === false) {
        wp_redirect(S2MEMBER_MEMBERSHIP_OPTIONS_PAGE_URL);
        exit;
    }
    if (strpos($_SERVER['REQUEST_URI'], '/members/?pid=14&pagetitle=my_email&message_template=inbox') !== false && current_user_can('access_s2member_level1') === false) {
        wp_redirect(S2MEMBER_MEMBERSHIP_OPTIONS_PAGE_URL);
        exit;
    }
}
?>
I do not understand why URI Restriction from Dashboard will not protect /members/?pid=14&pagetitle=my_email&message_template=inbox, but hack will do it.
|
|
Hi Cristian
Thanks for your help. If I put /members/ in the level1 and nothing for level0 for URI Protection, level0 can still access /members/. But if I put a URI which does not have /members/ in the URI then that URI protection works. For example, I put /cometchat/chometchatjs.php for level1. level0 cannot access it. It means URI protection does work, but not for members.
I used your code with a little modification to protect different URIs for different levels. I put it in mu-plugins/s2-hack.php. It worked. It allowed /members/ to level0 and level1, but redirected level0 to the Members Option page for ‘/members/?pid=14&pagetitle=my_email&message_template=inbox’. Maybe I should use the hack to protect the various URIs which have /members/ in them?
<?php
add_action ('wp_loaded', 'ccap_uri_restriction', 1);
function ccap_uri_restriction() {
    if (strpos($_SERVER['REQUEST_URI'], '/members/') !== false && current_user_can('access_s2member_level0') === false) {
        wp_redirect(S2MEMBER_MEMBERSHIP_OPTIONS_PAGE_URL);
        exit;
    }
    if (strpos($_SERVER['REQUEST_URI'], '/members/?pid=14&pagetitle=my_email&message_template=inbox') !== false && current_user_can('access_s2member_level1') === false) {
        wp_redirect(S2MEMBER_MEMBERSHIP_OPTIONS_PAGE_URL);
        exit;
    }
}
?>
|
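An added example, not part of the original posts and not s2Member's own code: the `wp_loaded` gate from the post above, rewritten to compare the parsed path and query parameters instead of one raw substring, so the required level does not depend on parameter order or URL encoding. The names `example_uri_rules` and `example_required_cap` are hypothetical, and it assumes WordPress is installed at the web root.

```php
<?php
// Added example; example_uri_rules / example_required_cap are hypothetical names.
// Assumes WordPress sits at the web root, so protected paths start with /members/.
// Each rule: path prefix, required query pairs, capability. Most specific first.
$example_uri_rules = array(
    array('/members/', array('pid' => '14', 'pagetitle' => 'my_email',
        'message_template' => 'inbox'), 'access_s2member_level1'),
    array('/members/', array(), 'access_s2member_level0'),
);
// Return the capability a request URI requires, or null if no rule applies.
function example_required_cap($uri, array $rules) {
    list($path, $qs) = array_pad(explode('?', $uri, 2), 2, '');
    $path = rawurldecode($path);
    // parse_str decodes values and keeps the last duplicate, like $_GET does,
    // so the match does not depend on parameter order or encoding.
    parse_str($qs, $query);
    foreach ($rules as $rule) {
        list($prefix, $required, $cap) = $rule;
        if (strpos($path, $prefix) !== 0) {
            continue;
        }
        foreach ($required as $key => $value) {
            // Missing or array-valued parameters do not satisfy the rule.
            if (!isset($query[$key]) || $query[$key] !== $value) {
                continue 2;
            }
        }
        return $cap;
    }
    return null;
}
if (function_exists('add_action')) { // running inside WordPress
    add_action('wp_loaded', function () use ($example_uri_rules) {
        $cap = example_required_cap($_SERVER['REQUEST_URI'], $example_uri_rules);
        if ($cap !== null && !current_user_can($cap)) {
            wp_redirect(S2MEMBER_MEMBERSHIP_OPTIONS_PAGE_URL);
            exit;
        }
    }, 1);
} else { // stand-alone run: constructed sample URIs
    foreach (array(
        '/members/?pid=14&pagetitle=my_email&message_template=inbox',
        '/members/?message_template=inbox&pagetitle=my_email&pid=14',
        '/members/?pid=1&pagetitle=alerts',
        '/2012/08/sample-post/',
    ) as $uri) {
        echo $uri, ' => ', var_export(example_required_cap($uri, $example_uri_rules), true), "\n";
    }
}
```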
|
Hi Raam
Can you also use this against membership levels? Do something like?
<?php // Only allows access to a specific URI if user has the corresponding Custom Capability.
add_action ("wp", "my_custom_capabilities", 1);
function my_custom_capabilities() {
    $allowed = TRUE;
    if (fnmatch ("/members/", $_SERVER["REQUEST_URI"]) && !current_user_can("access_s2member_level0")) {
        $allowed = FALSE;
    }
    if (fnmatch ("/members/?pid=2", $_SERVER["REQUEST_URI"]) && !current_user_can ("access_s2member_level0")) {
        $allowed = FALSE;
    }
    if (fnmatch ("/members/?pid=1&pagetitle=mypage", $_SERVER["REQUEST_URI"]) && !current_user_can ("access_s2member_level1")) {
        $allowed = FALSE;
    }
    // If any of the URIs above matched, but the user did not have the necessary ccap, redirect to Membership Options.
    if (FALSE === $allowed) {
        header ("Location: " . S2MEMBER_MEMBERSHIP_OPTIONS_PAGE_URL);
        exit ();
    }
}
?>
Thanks
|
|
I believe I have the same problem as discussed in this thread http://www.s2member.com/forums/topic/buddypress-url-restriction-trouble/. URI protection is not working due to conflicts because /members/ is present in all the URIs. Can lead developer Jason look into it? Or, should I hopelessly give up on s2Members?
|
|
URI Restrictions from
Dashboard -› s2Member® -› Restriction Options -› URI Access Restrictions
are not working. However, if I edit the code of the plugin in question and do the following
<?php if (current_user_can("access_s2member_level1")){ ?>
<a href="<? echo add_query_arg (array('pid' =>1,'pagetitle'=>'mypage'), $root_link);?>" title="<?=language_code('DSP_MENU_MY_PAGE')?>"><?=language_code('DSP_MENU_MY_PAGE')?></a></div>
<?php } ?>
It does work. But it messes up the CSS layout. This is not a good solution because it will require editing a lot of PHP files.
I do not understand why
Dashboard -› s2Member® -› Restriction Options -› URI Access Restrictions
does not restrict URI.
I ruled out plugin conflicts by deactivating all the plugins except s2Member and the one whose URI I am trying to restrict.
|