• I have another plugin installed which has AJAX calls for anonymous (not logged in) users. The plugin doesn’t work when a user is not logged in but it does work when the user is logged in. When I disable the “front-end-users” plugin my other plugin works properly for anonymous users.

    Do you know what might be causing the conflict? Basically I think I need to allow anonymous Ajax calls for the “front-end-users” plugin.

    Thanks.

    https://www.ads-software.com/extend/plugins/front-end-users/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter jvanpuy

    (@jvanpuy)

    You can disregard this – I ended up just deleting this plugin and adding some code to functions.php to hide the admin bar.

    Thanks.

    I removed the following from lib/font_end_users.php in the plugin folder:

    public function restrict_admin_access() {
    		if (is_admin()) {
    			$valid_admin_ajax_actions = array('user_avatar_add_photo');
    			if ($_SERVER['SCRIPT_NAME'] == '/wp-admin/admin-ajax.php' &&
    				isset($_GET['action']) && in_array($_GET['action'], $valid_admin_ajax_actions)) {
    					return true;
    			}
    			if (!$this->is_logged_in()) {
    				$this->render_page('not-logged-in');
    			} else if (!$this->has_admin_access()) {
    				$this->render_404();
    			}
    		}
    	}

    This allows my ajax functions to work but is it safe?

    I had the same issue, and came up with a fix.
    ralphonz’s answer works of course, but deleting this piece of code won’t restrict the access to the admin any more, which is the whole point of the front end users plugin in the first place.

    Instead, I suggest replacing the code with something like this :

    public function restrict_admin_access() {
       if (is_admin()) {
          if (strpos($_SERVER['PHP_SELF'], 'wp-admin/admin-ajax.php')===false) {
             if (!$this->is_logged_in()) {
    	    $this->render_page('not-logged-in');
    	 } else if (!$this->has_admin_access()) {
    	    $this->render_404();
    	 }
          }
       }
    }

    all ajax calls will be allowed now, so the same question arises : is it safe ?
    An other solution would be to identify what actions are sent through ajax by other plugins and manually populate the $valid_admin_ajax_actions array in the original code…

    With the same idea, I’ve had to customize the rewrite_admin_url filter as it exits on not logged users before checking for ajax request…

    Better yet, these functions should be overridden in your theme, which requires some knowledge : removing original hooks, adding your own, checking for existence of the feu plugin,… but as the chance the plugin gets updated seems very small (last update in 2011 !), this may not be so important.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Ajax calls being blocked for anonymous users’ is closed to new replies.