• Resolved scooterlord

    (@scooterlord)


    Hello,

    the plugin works as expected and integrates wonderfully with what I wanted, except for one thing. I want to allow Authors to delete their own posts from the frontend, but since deleting a post passes through admin functions, it is forbidden when using the plugin.

    Is there some kind of function I can use to restrict access to the dashboard except allowing to delete own posts?

    Thank you in advance for your time!

  • Hi @scooterlord,

    I think I would need more information about how you’re accomplishing the post deletion from the front end to give you a more complete answer. If you’re calling wp_delete_post(), for instance, that’s not reliant on the admin at all. If you’re using some kind of deletion URL that is tied specifically to the admin, working around that could certainly be quite a bit stickier.

    Happy to help if you can expand a bit on your configuration for allowing deletions from the front end.

    Thread Starter scooterlord

    (@scooterlord)

    Hello Drew and thank you for your reply. Currently I am using the get_delete_post_link() function, so the url it produces runs through the admin but it is very convenient code-wise.

    I am not really sure how I could trigger the wp_delete_post() in a button. Any help would be appreciated.

    Hi @scooterlord,

    Thanks for following up. Probably your best bet is to use an Ajax callback to call wp_trash_post(), which would trash the post and then after 30 days it would just get deleted. The link generated by get_delete_post_link() has some internal handling to decide whether to trash or delete a post and I think your safest bet is just to stick with trashing them.

    In practice, the way that might look would be something like the following (untested):

    In your template:

    
        <?php if ( current_user_can( 'delete_post', $post->ID ) ) : ?>
            <button id="my-delete-post-button" data-post_id="<?php echo esc_attr( $post->ID ); ?>" data-nonce="<?php echo esc_attr( wp_create_nonce( 'my-delete-post-nonce' ) ); ?>">Delete</button>
        <?php endif; ?>
    

    And then in your theme’s functions.php file, you’d first inject some JavaScript to handle the Ajax (again, untested):

    
    <?php
    /**
     * Injects jQuery to handle the Ajaxified post delete button.
     */
    function my_post_delete_button_script() {
    	if ( ! is_singular( 'post' ) ) {
    		return;
    	}
    	?>
    	<script>
    	// Wait for the DOM so the button exists before the click handler is bound.
    	jQuery( function( $ ) {
    
    		$( '#my-delete-post-button' ).on( 'click', function( event ) {
    			event.preventDefault();
    
    			$.ajax( {
    				type: 'POST',
    				// ajaxurl is only defined in the admin, so print the endpoint here.
    				url: <?php echo wp_json_encode( admin_url( 'admin-ajax.php' ) ); ?>,
    				data: {
    					action: 'my_delete_post_action',
    					post_id: $( this ).data( 'post_id' ),
    					nonce: $( this ).data( 'nonce' )
    				},
    				dataType: "json",
    				success: function( response ) {
    					if ( response.success && 'undefined' !== response.success.data.redirect ) {
    						// Redirect the user.
    						window.location.replace( response.success.data.redirect );
    					} else {
    						console.log( response );
    					}
    				}
    
    			} ).fail( function( response ) {
    				if ( window.console && window.console.log ) {
    					console.log( response );
    				}
    			} );
    		} );
    	} );
    	</script>
    	<?php
    }
    add_action( 'wp_head', 'my_post_delete_button_script' );
    ?>
    

    And then your Ajax callback:

    
    <?php
    /**
     * My post delete button Ajax handler.
     */
    function my_delete_post_action() {
    	if ( ! isset( $_REQUEST['nonce'] )
    	     || ( isset( $_REQUEST['nonce'] ) && false === wp_verify_nonce( $_REQUEST['nonce'], 'my-delete-post-nonce' ) )
    	) {
    		wp_send_json_error( new \WP_Error( 'invalid_request', 'You do not have permission to perform this action.' ) );
    	}
    
    	$post_id = empty( $_REQUEST['post_id'] ) ? 0 : intval( $_REQUEST['post_id'] );
    
    	if ( 0 === $post_id ) {
    		wp_send_json_error( new \WP_Error( 'missing_post_id', 'A post ID is required to proceed.' ) );
    	}
    
    	if ( current_user_can( 'delete_post', $post_id ) ) {
    		$trashed = wp_trash_post( $post_id );
    
    		if ( $trashed ) {
    			wp_send_json_success( array( 'redirect' => home_url() ));
    		}
    	}
    
    	wp_send_json_error( array( 'redirect' => '' ) );
    }
    add_action( 'wp_ajax_my_delete_post_action', 'my_delete_post_action' );
    ?>
    

    Hope that helps point you in the right direction.

    • This reply was modified 4 years, 7 months ago by Drew Jaynes.
    Thread Starter scooterlord

    (@scooterlord)

    Wow, I was expecting some great support judging by the other threads, but wasn’t expecting to be spoon-fed!

    Thanks for your effort, I will try the code sometime later today (hopefully) and report back!

    Thanks a million!

    Thread Starter scooterlord

    (@scooterlord)

    Hello, so I tried the code above, but I get some strange behavior.

    I get a failure response on the console, however, the post is trashed.

    As a responseText I get part of the HTML code; however, I have no idea how to fix this. Any pointers?

    Thread Starter scooterlord

    (@scooterlord)

    Ok, so progressing just a bit,

    I replaced response.success.data.redirect with response.data.redirect and it seems to be working fine now. I removed some errors – most of the errors derive from the fact that users are not using the site normally or as expected, so I don’t care if they see the errors anyway!

    Thank you for this post, saved me tons of time!

    • This reply was modified 4 years, 7 months ago by scooterlord.

    Hi @scooterlord,

    Sorry about the few errors in the JavaScript, I kind of just smashed something out for you on the spot, glad you were able to troubleshoot it.

    If you haven’t written one already, I’d appreciate it if you could take a minute and write a review. Thanks!

  • The topic ‘Allow specific actions for certain roles?’ is closed to new replies.
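
The response handling discussed in the replies above, as an added example that is not part of the original thread: `wp_send_json_success()` and `wp_send_json_error()` wrap their payload in a `{ success, data }` envelope, so the redirect sits at `response.data.redirect`. The function name `interpretDeleteResponse`, the same-origin check on the redirect and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: interpret the JSON envelope sent by wp_send_json_success()
// and wp_send_json_error(). interpretDeleteResponse is a hypothetical helper.
function interpretDeleteResponse(response, siteOrigin) {
  // admin-ajax.php can answer with HTML or "0" (logged-out user, PHP notice),
  // in which case there is no usable object to inspect.
  if (response === null || typeof response !== 'object') {
    return { ok: false, redirect: null, reason: 'non_json_response' };
  }
  if (response.success !== true) {
    // wp_send_json_error( WP_Error ) serialises to data: [ { code, message } ].
    const first = Array.isArray(response.data) ? response.data[0] : null;
    const reason = first && typeof first.code === 'string' ? first.code : 'request_failed';
    return { ok: false, redirect: null, reason };
  }
  // The payload sits at response.data, not response.success.data.
  const target = response.data && response.data.redirect;
  if (typeof target !== 'string' || target === '') {
    return { ok: true, redirect: null, reason: 'no_redirect' };
  }
  // Only follow a redirect that stays on the site's own origin.
  let url;
  try {
    url = new URL(target, siteOrigin);
  } catch (e) {
    return { ok: true, redirect: null, reason: 'bad_redirect' };
  }
  if (url.origin !== new URL(siteOrigin).origin) {
    return { ok: true, redirect: null, reason: 'cross_origin_redirect' };
  }
  return { ok: true, redirect: url.href, reason: null };
}

// Constructed sample responses (not captured from a real site).
const SITE = 'https://blog.example';
const samples = {
  trashed: { success: true, data: { redirect: 'https://blog.example/' } },
  badNonce: { success: false, data: [{ code: 'invalid_request', message: 'You do not have permission to perform this action.' }] },
  denied: { success: false, data: { redirect: '' } },
  html: '<!DOCTYPE html><html>...',
  offSite: { success: true, data: { redirect: 'https://other.example/' } },
};
for (const [name, r] of Object.entries(samples)) {
  console.log(name, interpretDeleteResponse(r, SITE));
}
```

In the click handler's `success` callback, the returned `redirect` would be passed to `window.location.replace()` only when it is not `null`.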