Plugin development: Insert current_user into javascript
-
Hi:
I’m developing a plugin that contains 8 form fields. 2 of the form fields currently need the user to enter their first and last names. I would like to automate this and remove the fields altogether by having my javascript get the first and last names of the logged in user. I’m hoping to make use of the $current_user function(s) but I’m not clear on how I could do it in WP.
Is this possible to do within my plugin's javascript?
Any help or code snippet would be great.
Best Regards,
Dennis Hall
-
Update:
I failed to mention that this plugin generates a URL that is opened in another window. The URL is assembled from the following javascript:
    function myFormProcessor() {
        var StartUrl = document.getElementById('StartUrl').value;
        // A JavaScript identifier cannot start with a digit, so the variable is
        // named Second_URL; the element id '2nd_URL' is unchanged.
        var Second_URL = document.getElementById('2nd_URL').value;
        var Net_User = document.getElementById('Net_User').value;
        var Net_Password = document.getElementById('Net_Password').value;
        var WP_FirstName = document.getElementById('WP_FirstName').value;
        var WP_LastName = document.getElementById('WP_LastName').value;
        var WP_Email = document.getElementById('WP_Email').value;
        var Remote_ID = document.getElementById('Remote_ID').value;
        var UserPassword64Encoded = Net_User + ":" + Net_Password;
        UserPassword64Encoded = btoa(UserPassword64Encoded);
        document.getElementById('results').innerHTML = StartUrl + "?endpoint=" + Second_URL +
            "%26auth%3DBasic%20" + UserPassword64Encoded +
            "%26actor%3D%7B%22objectType%22%3A%22Agent%22%2C%22name%22%3A%5B%22" +
            WP_FirstName + "%20" + WP_LastName +
            "%22%5D%2C%22mbox%22%3A%5B%22mailto%3A" + WP_Email +
            "%22%5D%7D%26registration%3D0072356f-3de8-4792-ab8a-e2d8a3295db5%26remote_id%3Dhttp%3A%2F%2F" +
            Remote_ID;
        document.getElementById('results').style.display = "block";
        return false;
    }

The script above will populate a preview of the URL as a text string that could be copied and pasted, while I have another form button that will open the same output in a new window (for test purposes).
An administrator generates this URL in WP-Admin, then copies the URL and pastes it into a page or post (in any form of tag). When a logged in user clicks it, it will open the URL with their First name Last name, and email in the URL.
This is why I’m trying to insert the current-user information into the URL to replace the WP_ user name and email parts.
Any advice or snippets would really be great.
Best Regards,
Dennis Hall

Oh man, why are you passing a Base64-encoded password through a URL? In my experience as a security analyst this type of code is what opens security holes in a website and then people complain that they got hacked.
Anyway, to answer your question you can do something like this [1] to display the first and last name of the user in the current session in the form fields that you have. Note that there are no “first_name” or “last_name” fields in the database, so you will have to split the “display_name” attribute by spaces like I did in that code.
I hope this helps, and be careful with that password.
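
What the concern above means in practice, as an added example that is not part of the original thread: Base64 is an encoding, not encryption, so everyone who receives the link (and every log or browser history that stores it) can read the credentials and the actor's name and email back out. `auditLaunchUrl`, `decodeBase64` and `SAMPLE_URL` are hypothetical names and the sample values are constructed; the same function also handles links whose `&` and `=` separators are not percent-encoded.

```javascript
// Added example: list what any recipient of one launch link can read from it.
// Parameter layout follows the thread's script; SAMPLE_URL is constructed.
const SAMPLE_URL = 'https://player.example/launch.html?endpoint=https://lrs.example/xapi/' +
  '%26auth%3DBasic%20dXNyOnB3Pj4+' +
  '%26actor%3D%7B%22objectType%22%3A%22Agent%22%2C%22name%22%3A%5B%22Jane%20Doe%22%5D' +
  '%2C%22mbox%22%3A%5B%22mailto%3Ajane@example.org%22%5D%7D' +
  '%26registration%3D00000000-0000-0000-0000-000000000000' +
  '%26remote_id%3Dhttp%3A%2F%2Fcourse.example';

function decodeBase64(text) {
  return typeof atob === 'function' ? atob(text) : Buffer.from(text, 'base64').toString('binary');
}

function auditLaunchUrl(url) {
  const queryStart = url.indexOf('?');
  if (queryStart === -1) return null;
  // The thread's script percent-encodes "&" and "=", so decode the whole query
  // before splitting. decodeURIComponent keeps "+", a valid Base64 character.
  let query;
  try {
    query = decodeURIComponent(url.slice(queryStart + 1));
  } catch (err) {
    return null; // malformed percent-encoding
  }
  const params = {};
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('='); // first "=" only: Base64 padding also uses "="
    if (eq > 0) params[pair.slice(0, eq)] = pair.slice(eq + 1);
  }
  const report = { user: null, password: null, name: null, mbox: null };
  const basic = /^Basic\s+([A-Za-z0-9+\/]+={0,2})$/.exec(params.auth || '');
  if (basic) {
    const decoded = decodeBase64(basic[1]);
    const colon = decoded.indexOf(':'); // the password itself may contain ":"
    if (colon !== -1) {
      report.user = decoded.slice(0, colon);
      report.password = decoded.slice(colon + 1);
    }
  }
  try {
    const actor = JSON.parse(params.actor || 'null');
    if (actor) {
      report.name = [].concat(actor.name || [])[0] || null;
      report.mbox = [].concat(actor.mbox || [])[0] || null;
    }
  } catch (err) { /* actor is not valid JSON: leave name and mbox null */ }
  return report;
}
```

Running it over the links stored in pages and posts shows which of them carry a recoverable `auth` value.
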
Thanks for the response Yorman. This Base64 encoding is a requirement for the Query string. The systems that use it need Base64Encoded usernames and passwords as the authorization credentials.
Anyhow, I have posted the latest version of what I have for code and my current issue on StackOverflow as I had seen it takes forever (normally) for anyone to respond in this forum.
Regarding your statement about First and Last names, I have already tested this, I am able to pull user_firstname and user_lastname from WP (once the user is logged in of course).
Here is the link to my latest update:
https://stackoverflow.com/questions/30928390/wordpress-insert-php-vars-into-javascript
It would be great if you had some advice or code snippet that would help me resolve this.
Best Regards,
Dennis Hall

I do not see StackOverflow as a forum, I see it more like a platform to share generic information, that may be the reason why your question got downvoted because it is too specific and it will (probably) not help anyone else in the future.
Also, I still think that your code may leak sensitive information, you mentioned in the StackOverflow post that only logged in users will be able to use this vulnerable URL, but that will not prevent the leaks. Adding solutions to the issue that you are posting will encourage you to continue using that code, but you seem to have invested time writing that plugin so here is what you must use to fix the bugs [1]
EXPLANATION
The bug with your current code is that you are trying to extract the user’s data from the forms using the code from the “First Block” and it should be like the “Second Block”:
    // First Block.
    var WP_FirstName = document.getElementById('<?php echo user_firstname ?>');
    var WP_LastName = document.getElementById('<?php echo user_lastname ?>');
    var WP_Email = document.getElementById('<?php echo user_email ?>');

    // Second Block.
    var WP_FirstName = document.getElementById('WP_FirstName').value;
    var WP_LastName = document.getElementById('WP_LastName').value;
    var WP_Email = document.getElementById('WP_Email').value;
And the variables in the first block are missing the dollar sign, that is why you are getting a “null” every time. Also, the code is redundant, if you have hidden input fields, why not print the user’s information in the JavaScript variables and reduce the size of the HTML code? Like this:
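    // esc_js() keeps a quote in a name or email from ending the string literal.
    var WP_FirstName = '<?php echo esc_js( $user_firstname ); ?>';
    var WP_LastName = '<?php echo esc_js( $user_lastname ); ?>';
    var WP_Email = '<?php echo esc_js( $user_email ); ?>';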
I hope you can make it work, good luck.
Thanks for the feedback Yorman:
I had not thought of the idea of having the fallback user if not logged in, I’ll think about that and may implement it for demo courses and such.
Unfortunately, based on your code, the generated URL is picking up me (the site administrator) again and generating a URL with my info in it. This is something I already had done before the code where I got the “null” in the URL. The problem with that URL is that the URL itself does not dynamically pick up the currently logged in user info.
My objective is to have the URL pick up a WordPress front-end user (end user) person who does not have access to this form. All the solutions I’ve found and help I had received on StackOverflow have me echoing the currently logged in user (my admin user).
Maybe it might help if I describe my target workflow:
A person goes to my website and registers as a user (subscriber – with no administrative access).
The subscriber user traverses to a page where I have a link on that page.
The user clicks the link.
The link launches a URL that opens in a new window.
The URL that is launched looks like so:
Click here to view the Tin Can course
For an example:
If you go to my https://learning-templates.com website (currently under construction) and scroll to the bottom of the home page, you can click the left or right link and you will launch the same course as one or the other user. The links are static links now, but I want them to pick up whatever the logged in user information is.
I hope this helps to clarify my objective.
Best Regards,
Dennis Hall