shaunpoore

For instance, we do not use jQuery at all.
So that is coming from another plugin or probably WordPress itself (WP uses it for the admin toolbar).

That probably explains why I disabled it to begin with…

But the player+lightbox features don’t work without any JavaScript at all ??

Maybe in the WordPress editor have an option to simply include the pic/link to the web story so there’s less stuff that can go wrong and everything is self-contained?

Or load all the scripts you need on click…

• This reply was modified 3 years, 1 month ago by shaunpoore.

OK thanks. That does work. I get a JavaScript error now that prevents it from loading saying “The Element did not specify a layout attribute.” But, I can hopefully track that one down myself.

Do you guys work for Google? My feedback on this thing is why are there so many scripts getting loaded for something meant for the web? You got JQuery, Lightbox, the AMP player I mentioned earlier, etc. It’d be pretty difficult to have a web story embedded into a blog post and pass core web vitals with the number of files you add to the page.

Are you saying your plugin adds the needed styles/scripts by hooking into that call?

I think I found the lib I was looking for at the link below. I haven’t tested it yet, but you guys appear to use it.

https://amp.dev/documentation/guides-and-tutorials/integrate/embed-stories-nonamp/

I figured out how to do what I was looking for. This hook should work.

function preprocess_comment_remove_url( $commentdata ) {
    // If the user submitted the URL disallow comment..
    if (!IsNullOrEmptyString($commentdata['comment_author_url'])) {
        wp_die('Please stop spamming us!  Thanks!');
    }
    return $commentdata;
}
add_filter( 'preprocess_comment' , 'preprocess_comment_remove_url' );

I saw it as a developing with WordPress topic because back-end code will be needed to prevent this.

A link alone isn’t enough to make it obvious that it’s a spam bot

On my Theme it is. I have removed the URL field. So when a user posts a name, email, comment and URL to my website… I KNOW that it is spam. THERE IS NO URL FIELD ON MY SITE so how could they have posted a URL through the form? The answer is they couldn’t. It’s spam and I’d like to hook into wherever comments are saved in functions.php and prevent the comment from being saved.

Have you tried any of these solutions?

Sure, I can moderate away the spam comments just fine. But, after a certain point of reading spam comments a man might ask, “Wait, why don’t I just write a line of code so I never have to do this again?”

I surmise there is a better way than just dealing with it.

There’s got to be a better way to obtain just that nonce.

I found that the nonce is also located here /wp-admin/post-new.php which does thankfully remove the step of needing to find a valid post to edit.

But yes, still a pretty epic hack. I don’t think this nonce is exposed in an easier place, unfortunately. But for now, it works.

IDK if this will help anybody in the future, but I did manage to find one place where the nonce is publicly exposed without a back-end coding change.

If you log into your account and go to edit a post. So a link similar to this

/wp-admin/post.php?post=555&action=edit

within the html of that page you will find a line that looks like this.

var wpApiSettings = {"root":"wp-json\/","nonce":"285e95e9a5","versionString":"wp\/v2\/"};

That nonce will work for API calls. So it is possible to get the rest nonce without back-end coding changes.

That said. If this is the ultimate solution it is a MAJOR PITA. Right now the easiest way I’ve come up with to do this is to login somehow and save the cookie. Do some work to find a valid post ID so I can get to the edit page. Load the physical html page for that post id, strip out the nonce. THEN I can finally use the REST API from my app.

That is insanity and a major hack… So back to my original statement. Can I file a change request somewhere where WordPress people would actually read it? All this needs to work is a login method that returns the REST API’s nonce. It shouldn’t be this hard.

If someone reading this topic can explain how to obtain a valid nonce then this problem could move forward.

I believe you’d have to code this logic yourself in your functions.php file. Which is why the default WordPress setup doesn’t work for what I’d like to do. But, I’d be happy if I’m wrong about that.

can you make the type of error you get readable? (obscuring sensitive data if necessary)

I can and will. But again, I understand what the problem is AND how to fix it. I long ago got this working on my machine by changing some back-end code.

{"code":"rest_invalid_param","message":"Invalid parameter(s): status","data":{"status":400,"params":{"status":"Status is forbidden."}}}

The problem is NOT that I can’t authenticate (I can).

The problem is that a random WordPress user who downloads my app won’t be able to authenticate without also installing a 3rd party app I now have to build. As far as I know there’s no way to authenticate and reach this method with default WordPress install. Back-end changes are required.

• This reply was modified 5 years, 2 months ago by shaunpoore.

Context view GET, request wp/v2/posts?status=publish Does it work as a browser? view requests (GET) do not need authentication for this scenery.

Things you don’t need authentication for like the request you mentioned will work. But that makes what my app can do fairly limited.

The authentication is a regular authenticated user on the site.

This is the problem. I suppose I could try to hack it where I open a web browser within the app, have the user log into WordPress, then do all of the network communication pieces through the in-app web browser and pass the information back to my app… But, even then I think there’s some nonce coding that would require a 3rd party app or coding knowledge from users.

OR, WordPress could just provide a way to authenticate.

Just to drive this point home. I’m logged in as the administrator locally on my WordPress instance. I can’t get to the following link. You can’t get to it on your site either without some back-end work. This is a problem.

https://mydomain/wp-json/wp/v2/posts?status=any

For your app, depending on the platform, have the user authenticate on the app and store that credentials in the OS keychain. IOS and Mac can do that but it’s tricky to get right.

Storing credentials isn’t my problem. My problem is that even with the credentials I still can’t authenticate without the hackery listed above or a 3rd party plugin.

• This reply was modified 5 years, 2 months ago by shaunpoore.
• This reply was modified 5 years, 2 months ago by shaunpoore.
• This reply was modified 5 years, 2 months ago by shaunpoore.
• This reply was modified 5 years, 2 months ago by shaunpoore.