Securing components from non logged in users
-
I need to be able to limit access to certain components, such as members & groups to only users who have logged in. Other than changing my themes to do a check on logged in users which I don’t really want to do as this limits what I can display. For example I still want to be able to display the site wide activity widget but if a non-logged in user clicks on a link that takes them to a member or group area they are prompted to log in.
I have had a hunt around but do not see a hook in BuddyPress that does a security check like this. Am I missing something?
Thanks!
-
bp doesn’t have that type of security system yet.
ok thanks at least I was not missing anything.
I have been thinking about how to do this myself but without a major hack to the core bp I do not see any way to implement something like that.
I don’t think it would be a major hack. More than likely you don’t even need to touch the core. bp looks for a bp-custom.php file in the /mu-plugins directory and if it exists it loads it before all else.
You could check the current component var in bp and see if they are logged in or not. Lemme go try something.
OK. I think I have a simple and quick solution for you. Something along the lines of this:
    function oci_restrict_access(){
        global $bp;
        if ((MEMBERS_SLUG == $bp->current_component || BP_GROUPS_SLUG == $bp->current_component) && !is_user_logged_in()){
            die('no access');
        }
    }
    add_action( 'wp', 'oci_restrict_access', 3 );
We can stick that in bp-custom.php. Gimme about a couple of hours to finish this and do some testing. I gotta pack up shop here and move to a different location at the moment.
Be back.
OK. Don’t use the code above obviously.
Try this:
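    function oci_restrict_access(){
        global $bp, $bp_unfiltered_uri;
        // Visitors who are not logged in may see the /members and /groups
        // directories, but nothing below them.
        if (!is_user_logged_in() &&
            (MEMBERS_SLUG == $bp_unfiltered_uri[0] && !empty( $bp->current_action ) ||
            BP_GROUPS_SLUG == $bp->current_component && !empty( $bp->current_action ))){
            // Send them back to the site home page.
            bp_core_redirect( $bp->root_domain );
        }
    }
    // Runs on the 'wp' action, before any page output.
    add_action( 'wp', 'oci_restrict_access', 3 );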
That should restrict any user who is not logged in from going anywhere in /members or /groups except for the members and groups directories. It sends them back to the site home page.
If you don’t want visitors seeing the directories then remove the
    && !empty( $bp->current_action )
parts in that function. $bp->current_action is anything after /members and /groups. The directories get triggered by just /members and /groups.
If you don’t have a file called bp-custom.php in your /mu-plugins directory then create one and put that in there. If you do have one just drop that code in there.
You can change where the function sends them by replacing the bp_core_redirect( $bp->root_domain ); statement with something of your choosing. I just used that for testing. You can make them end up wherever you want:
    get_bloginfo('siteurl') . '/wp-login.php?redirect_to=' . urlencode( $bp->root_domain )
I haven’t tested that but I stole that from the admin bar login code.
Lemme know how it works for ya.
Great! I dreamt about something like this last night but your implementation is nice and simple. I was going to look at adding a much more complex option.
I will implement when I get back from my run & let you know.
Just an update it works nicely. Now to integrate it into a ThickBox popup.
Can you make this as a plugin?
Awesome Burt!
thanks for making this
here’s a quick question
is there a way to echo "you must be logged in to view this";
before redirecting to the home-page/login page
?
something like this?
    echo "You must be Logged-In to view this page";
    sleep(5);
    bp_core_redirect( $bp->root_domain );
how would I add additional “Areas” like the /events page that contains the member created events stuff (the bp-events plugins)
I want that hidden as well….
enlightnemental1, to add more restricted areas you just add to the ‘or’ list of url components. If bp-events plugin adds itself to bp as a component then try this:
[snip]
    if (!is_user_logged_in() &&
        (MEMBERS_SLUG == $bp_unfiltered_uri[0] && !empty( $bp->current_action ) ||
        BP_GROUPS_SLUG == $bp->current_component && !empty( $bp->current_action ) ||
        'events' == $bp->current_component
[endsnip]
It all depends on the url of what you want to restrict. The above chunk of code will restrict mysite.org/members, mysite.org/groups, mysite.org/events and not the member or groups directories.
gpo1 you just need to create a php file and drop it in /mu-plugins instead of putting the code in bp-custom.php. You can use the plugin header below:
/*
Plugin Name: bpRestrict – BuddyPress Plugin
Plugin URI: http://code.ourcommoninterest.org/
Description: Restricts non-logged in users from certain areas
Author: Burt Adsit
Version: 0.1
Author URI: http://code.ourcommoninterest.org/
License: GNU GENERAL PUBLIC LICENSE 3.0 http://www.gnu.org/licenses/gpl.txt
*/
yes sir,
that worked great!
I’ve edited the original code to:
    echo "You must be Logged-In to view this page"; //displays message
    exit(); //stops page from loading
but I want it to redirect after echoing the above line
anyone?
(Thanks again Burt)
You probably could put some kind of delay in there before the redirect: sleep(10); for a 10 second delay.
i did exactly that….. and it doesn’t work
    echo "you must be logged in sucka!";
    sleep(4);
    bp_core_redirect( $bp->root_domain );
    exit();
the above echoes the text…. but doesn’t seem to complete the redirect
hmmm. I’ve gotta take off for awhile here but you might want to investigate something like this to replace the bp_core_redirect() call: http://www.internetofficer.com/seo/html-redirect/
(from link above)
The HTML redirect allows to introduce a delay before the redirection is performed. It is sometimes called META refresh redirect.
That would mean writing your own redirect() fn. Maybe the normal wp redirects have a delay option?
I took a slightly different approach:
* redirected them to the register page adding a flag to the query string
* then in my theme added some code to catch if the flag was set and if so
added this to my register page just before the bp_core_signup_do_signup() call.
    jQuery(document).ready(function () {
        setTimeout(function(){ jQuery("#error").fadeOut("slow"); }, 3000);
    });
You can only view this information if you are a registered user.
Either login or register to continue.
can you explain a bit more on how to use that script
@Imgoel in my bp-custom.php I put:
    function js_restrict_access(){
        global $bp, $bp_unfiltered_uri;
        if (!is_user_logged_in() && (MEMBERS_SLUG == $bp_unfiltered_uri[0]
            || BP_GROUPS_SLUG == $bp->current_component || BP_BLOGS_SLUG == $bp->current_component)){
            // s=1 tells the register page to show the notice
            bp_core_redirect( get_option('home') . "/register?s=1");
        }
    }
    add_action( 'wp', 'js_restrict_access', 3 );
Then in my theme I put the following in register.php:
    <?php
    // Show the notice only when the s flag set by js_restrict_access() is present
    if ( ! empty( $_REQUEST["s"] ) ) { ?>
    <script type="text/javascript">
    jQuery(document).ready(function () {
        setTimeout(function(){ jQuery("#error").fadeOut("slow"); }, 3000);
    });
    </script>
    <div id="error" class="error">
    <p>You can only view this information if you are a registered user. Either login or register to continue.</p>
    </div>
    <?php } ?>
    <?php bp_core_signup_do_signup() ?>
I have this:
    <?php
    function oci_restrict_access(){
        global $bp, $bp_unfiltered_uri;
        if (!is_user_logged_in() &&
            (MEMBERS_SLUG == $bp_unfiltered_uri[0]
            || BP_GROUPS_SLUG == $bp->current_component
            || 'ask/' == $bp->current_component
            ))
        {
            bp_core_redirect( $bp->root_domain );
        }
    }
    add_action( 'wp', 'oci_restrict_access', 3 );
    ?>
But it still goes to the ASK page.
Am I doing something wrong?
?
Has this been resolved? Is there now a working plugin based on the code above?
In my site the members and groups sections should definitely be members-only. This is essential stuff that should be a default part of the Buddypress package imho. What’s the point of signing up for a network if everybody has access anyway?
There’s a member access plugin here, but it has no settings for the members and groups sections in Buddypress.
This plugin only works for “pages”.
Is there a way to extend one of these plugins?
Yes I tried burtadsit’s code in my bp-custom.php but no joy.. just get a few PHP errors in my header..
Warning: Cannot modify header information – headers already sent by (output started at /home/ourbour/spotskenya/wp-content/plugins/buddypress/bp-custom.php:9) in /home/ourbour/spotskenya/wp-content/plugins/wordpress-mobile-plugin/wordpress-mobile.php on line 1658
Warning: Cannot modify header information – headers already sent by (output started at /home/ourbour/spotskenya/wp-content/plugins/buddypress/bp-custom.php:9) in /home/ourbour/spotskenya/wp-content/plugins/wordpress-mobile-plugin/wordpress-mobile.php on line 1659
Warning: Cannot modify header information – headers already sent by (output started at /home/ourbour/spotskenya/wp-content/plugins/buddypress/bp-custom.php:9) in /home/ourbour/spotskenya/wp-content/plugins/wordpress-mobile-plugin/wordpress-mobile.php on line 1660
Is there anything else that could do this.. I’m sure I have come across a plugin from nicola??
I also tried Mspecht’s one in <?php ?> but it didn’t work either??
NOTE: to people running the latest trunk or anything past rev 1273 the constant MEMBERS_SLUG is no longer valid and the oci_restrict_access() fn will not work. Change MEMBERS_SLUG to BP_MEMBERS_SLUG and it’ll work again. The constants changed.
This works great for me.. Redirects people who click on yoursite.com/groups/…. to my signup.php (change where you want to go), the directory for the groups will show
but strangely it is different for the members urls.. even the members directory redirects to my signup.php
1) can the members directory be visible but not anything after that?? like the groups.
2) can anyone suggest a nice else or other statement that gives a message on the actual page saying something like you have to login or sign up to do this.
    <?php
    function oci_restrict_access(){
        global $bp, $bp_unfiltered_uri;
        if (!is_user_logged_in() &&
            (BP_MEMBERS_SLUG == $bp_unfiltered_uri[0] && !empty( $bp->current_action ) ||
            BP_GROUPS_SLUG == $bp->current_component && !empty( $bp->current_action ))){
            bp_core_redirect(get_bloginfo('siteurl') . '/signup.php');
            //bp_core_redirect(get_bloginfo('siteurl') . '/wp-login.php?redirect_to=' . urlencode( $bp->root_domain ));
        }
    }
    add_action( 'wp', 'oci_restrict_access', 3 );
    ?>
- The topic ‘Securing components from non logged in users’ is closed to new replies.
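An added example, not part of the thread and not BuddyPress code: the same logged-in gate as the oci_restrict_access() posts, with the restricted slugs kept in one table and the URL segments normalised so that a slug written with a trailing slash (like the 'ask/' above) still compares equal. It assumes $bp_unfiltered_uri holds the request's path segments; the oci_example_* names and the sample paths are hypothetical.

```php
<?php
// Added example, not code from the thread. The oci_example_* names are hypothetical.

// Slug => is the bare directory page (no further URL segment) public?
// 'members', 'groups', 'events' and 'ask' are the slugs mentioned in the thread.
$oci_example_rules = array(
    'members' => true,   // directory visible, profiles gated
    'groups'  => true,   // directory visible, single groups gated
    'events'  => false,  // everything gated
    'ask'     => false,
);

// Pure decision: true when the visitor must be sent to the login page.
function oci_example_needs_login( array $segments, $logged_in, array $rules ) {
    if ( $logged_in ) {
        return false;
    }
    // Drop empty pieces so 'ask/' and '/ask' both normalise to 'ask'.
    $segments = array_values( array_filter( array_map(
        function ( $s ) { return strtolower( trim( (string) $s, "/ \t" ) ); },
        $segments
    ), 'strlen' ) );
    if ( empty( $segments ) || ! array_key_exists( $segments[0], $rules ) ) {
        return false; // not a restricted component
    }
    $is_directory = ( 1 === count( $segments ) );
    return ! ( $is_directory && $rules[ $segments[0] ] );
}

if ( function_exists( 'add_action' ) ) {
    // Inside WordPress: decide on 'wp', before the theme prints anything,
    // because a redirect is an HTTP header and fails once output has started.
    add_action( 'wp', function () use ( $oci_example_rules ) {
        global $bp, $bp_unfiltered_uri; // assumed: array of URL path segments
        if ( oci_example_needs_login( (array) $bp_unfiltered_uri, is_user_logged_in(), $oci_example_rules ) ) {
            bp_core_redirect( wp_login_url( $bp->root_domain ) );
        }
    }, 3 );
} else {
    // Stand-alone run with constructed requests: path => expected result.
    $samples = array( 'members' => false, 'members/burt' => true, 'groups/' => false,
                      'groups/runners/forum' => true, 'ask/' => true, 'blog/hello' => false );
    foreach ( $samples as $path => $expected ) {
        $got = oci_example_needs_login( explode( '/', $path ), false, $oci_example_rules );
        printf( "%-22s %s\n", $path, $got === $expected ? 'ok' : 'MISMATCH' );
    }
}
```

Run outside WordPress with `php` it prints one line per constructed path; dropped into bp-custom.php it registers the hook instead.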