[Resolved] Swennet (@swennet)


    Hello everyone. I’m trying to create a PHP script that will allow my users to Approve or Reject a post. Users can click on an Approve or Reject button, which then counts the number of approvals or rejections. Once one of the two reaches 5, it will Approve/Reject the post.

    On approval it will change the post category to something different. On rejection it will send the post to Trash.

    I’m pretty sure the functions I used won’t work like this though. But I can’t figure out a way to edit a post without having the post_id in the URL. (as this would cause great security risks)

    Do you guys have any idea?

    My Work-In-Progress below:

    <?php
    // Work in progress: handles ?ar_action=approve|reject for the current post.
    // Fixes applied to the original draft: WP_Post exposes the ID as $post->ID
    // (not ->id); get_post_meta() needs its third argument set to true to return
    // a single value instead of an array; the undefined $post_id and $ar_postid
    // variables are replaced with $post->ID; the category is passed as an array.

    if ( $_SERVER['REQUEST_METHOD'] == 'GET' && isset( $_GET['ar_action'] ) ) {

        global $post;

        if ( $post && in_category( 2, $post->ID ) ) {

            $approve_count = (int) get_post_meta( $post->ID, 'approves', true ); // get the amount of approves (0 if unset)
            $reject_count  = (int) get_post_meta( $post->ID, 'rejects', true );  // get the amount of rejects (0 if unset)

            if ( $_GET['ar_action'] == 'approve' ) { // User clicked Approve
                if ( $approve_count ) { // Check if there already is a count
                    $approve_count++; // Add +1 to approve_count

                    if ( $approve_count == 5 ) {
                        wp_set_post_categories( $post->ID, array( 3 ) ); // Set category to "Approved"
                        delete_post_meta( $post->ID, 'approves' ); // Remove meta data because post is already approved
                        delete_post_meta( $post->ID, 'rejects' );  // Remove meta data because post is already approved

                    } else {
                        update_post_meta( $post->ID, 'approves', $approve_count ); // Update approves
                    }

                } else { // No approve count set
                    add_post_meta( $post->ID, 'approves', 1, true ); // Create approve count and set to 1
                }

            } // End Approving

            if ( $_GET['ar_action'] == 'reject' ) { // User clicked Reject
                if ( $reject_count ) { // Check if there already is a count
                    $reject_count++; // Add +1 to reject_count

                    if ( $reject_count == 5 ) {
                        wp_trash_post( $post->ID ); // Five rejections: send the post to Trash

                    } else {
                        update_post_meta( $post->ID, 'rejects', $reject_count ); // Update rejects
                    }

                } else { // No reject count set
                    add_post_meta( $post->ID, 'rejects', 1, true ); // Create reject count and set to 1
                }
            } // End Rejecting
        }
    }

    ?>
Viewing 2 replies - 1 through 2 (of 2 total)
Moderator bcworkz (@bcworkz)

    The click action should result in a form submit using the POST method, where the post ID is a hidden form field. The ID is still discoverable, but it is much less obvious than a URL parameter. In addition, the form should submit a nonce field so the server can confirm the request is from a valid form and not some user trying to game the system.

    You may also want to consider a mechanism so that the same user cannot vote more than once, unless this is actually a “feature” of your scheme. It’s very difficult to make a voting scheme that cannot be cheated, but you can at least make cheating difficult for the average user.

    Finally, consider using an AJAX-like technique to submit the vote, instead of requesting an entirely new page, unless again, this is a “feature” of your scheme.
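    The following is an added example (not code from either poster) that puts the original question and the advice above together: a POST form carrying the post ID as a hidden field plus a per-post nonce, a handler that verifies the nonce and the login state, a per-user voter list so the same account cannot vote twice, and the 5-vote threshold that recategorises or trashes the post. The category IDs 2 (pending) and 3 (approved), the `ar_` prefix, the meta keys and the action name are all assumptions chosen for the example.

```php
<?php
// Added example: approve/reject voting for a WordPress post without the post ID
// in the URL. Constants and meta keys below are assumptions, not the thread's.
define( 'AR_VOTE_THRESHOLD', 5 );
define( 'AR_PENDING_CAT', 2 );   // assumed: category that awaits moderation
define( 'AR_APPROVED_CAT', 3 );  // assumed: category for approved posts

// Render the two buttons for a post; call this from a template.
function ar_vote_form( $post_id ) {
    $post_id = (int) $post_id;
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ar_vote">';
    echo '<input type="hidden" name="post_id" value="' . $post_id . '">';
    // Nonce bound to this specific post, so a token minted for one post is useless on another.
    wp_nonce_field( 'ar_vote_' . $post_id, 'ar_nonce' );
    echo '<button type="submit" name="vote" value="approve">Approve</button> ';
    echo '<button type="submit" name="vote" value="reject">Reject</button>';
    echo '</form>';
}

// Only the logged-in hook is registered; admin_post_nopriv_ar_vote is deliberately
// left unhooked so anonymous requests never reach the handler.
add_action( 'admin_post_ar_vote', 'ar_handle_vote' );

function ar_handle_vote() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 403 ) );
    }
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $vote    = isset( $_POST['vote'] ) ? sanitize_key( $_POST['vote'] ) : '';

    if ( ! $post_id || ! isset( $_POST['ar_nonce'] )
         || ! wp_verify_nonce( $_POST['ar_nonce'], 'ar_vote_' . $post_id ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    if ( ! in_array( $vote, array( 'approve', 'reject' ), true ) ) {
        wp_die( 'Unknown vote', '', array( 'response' => 400 ) );
    }
    $post = get_post( $post_id );
    if ( ! $post || ! in_category( AR_PENDING_CAT, $post ) ) {
        wp_die( 'Post is not pending review', '', array( 'response' => 400 ) );
    }

    ar_record_vote( $post_id, get_current_user_id(), $vote );

    $back = wp_get_referer() ? wp_get_referer() : get_permalink( $post_id );
    wp_safe_redirect( $back );
    exit;
}

// All state lives server-side in post meta; the client only ever sends the vote.
// Returns 'duplicate', 'counted', 'approved' or 'rejected'.
function ar_record_vote( $post_id, $user_id, $vote ) {
    $voters = get_post_meta( $post_id, 'ar_voters', true );
    if ( ! is_array( $voters ) ) {
        $voters = array();
    }
    if ( in_array( (int) $user_id, $voters, true ) ) {
        return 'duplicate'; // this account already voted on this post
    }
    $voters[] = (int) $user_id;
    update_post_meta( $post_id, 'ar_voters', $voters );

    $key   = ( 'approve' === $vote ) ? 'approves' : 'rejects';
    $count = (int) get_post_meta( $post_id, $key, true ) + 1;
    update_post_meta( $post_id, $key, $count );

    if ( $count < AR_VOTE_THRESHOLD ) {
        return 'counted';
    }

    // Threshold reached: clean up the tallies, then act on the post.
    delete_post_meta( $post_id, 'approves' );
    delete_post_meta( $post_id, 'rejects' );
    delete_post_meta( $post_id, 'ar_voters' );

    if ( 'approve' === $vote ) {
        wp_set_post_categories( $post_id, array( AR_APPROVED_CAT ) );
        return 'approved';
    }
    wp_trash_post( $post_id );
    return 'rejected';
}
```

    The same `ar_record_vote()` function can be reused behind a `wp_ajax_ar_vote` hook if the buttons are later wired up with AJAX; the nonce and login checks stay identical, only the response changes from a redirect to a JSON status.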

Thread Starter Swennet (@swennet)

    @bcworkz

    Thanks for the pointers! I already finished the script with some of the features you recommended. I will also look into AJAX and the nonce fields.

    Thanks for the reply!

The topic ‘Edit post data outside of loop [Approve/Reject system]’ is closed to new replies.