How to disable wordpress admin bar for all users except
You can explore the back-end as much as you want, but attempting to navigate to the front-end yields nothing. I assume you have it backwards in your study. Your code can never, ever execute in the backend.
I skipped the obvious when I was first writing this response. You shouldn’t have to send a “not logged in” user to the login screen from the backend. WordPress will do this automatically—or should, unless your site has been tampered with in some way.
Following the advice of @s_ha_dum, who pointed out that the user must be logged in anyway to access the back end, and that ‘template_redirect’ doesn’t function in the backend (despite the fact that my code only produced console messages in the back end), I’ve simplified the code as follows:
WordPress: dynamic template file for subpage
WP Private Content Plus is a plugin that allows you to keep sensitive site content hidden from particular user roles or groups of users. It was vulnerable to an unauthenticated options change vulnerability, which could result in website redirection, stored XSS (front-end and back-end), data leakage, and a denial of service.
The code checks whether the current class has a “save_” . $_POST['wppcp_tab'] function and, if so, calls it. There is no capability check and no security nonce. The plugin appears to rely solely on the lesser-known WordPress is_admin() function, which, contrary to its name, does not verify whether or not the user is an administrator.
The script includes 13 more “save_*” functions that can be called from the above code and are used to save the plugin settings. They are all missing the capability check as well. Here are a number of examples:
Setting $_POST['wppcp_tab'] to “settings_page” causes the save_settings_page function to call itself in a loop, which can only end when PHP runs out of memory and crashes:
WordPress: problems with jquery and is_admin() (2 solutions
I’ve seen this mistake many times, and I’m sure I made it myself years ago. The is_admin() function provided by WordPress as a core function does not check whether the current user is an administrator or has administration rights; rather, it checks whether the request context is the WordPress administration area.
As a result, using is_admin() to protect special administrative functions is completely incorrect and extremely dangerous. Without any other safeguards, a registered user with the lowest privileges calling an administrative page will succeed.
When you use the current_user_can(…) function with a role name, it only returns true if all of the role’s capabilities are met. So, if current_user_can(‘administrator’) returns true, you can presume that current_user_can(‘editor’) will also return true.
This isn’t the case. In a clean WP installation, this is valid, but if a role editor is used, an administrator’s capabilities may not include all of the capabilities granted to editors, causing current_user_can(‘editor’) to return false.
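The settings-save pattern and the is_admin() pitfall described above, shown in hardened form as an added example (not the plugin's code and not from the quoted authors). The class name, nonce action, option names and tab list are hypothetical; only the wppcp_tab field name comes from the text above.

```php
<?php
// Added example with hypothetical names; not code from WP Private Content Plus.
class Example_Settings_Saver {

    // Allowlist: a request-supplied tab can only reach the methods listed
    // here, so it can never name the dispatcher itself or an unrelated method.
    private const TAB_HANDLERS = array(
        'general'  => 'save_general',
        'redirect' => 'save_redirect',
    );

    public function register() {
        add_action( 'admin_init', array( $this, 'save_settings_page' ) );
    }

    public function save_settings_page() {
        // is_admin() only describes the request context (it is also true for
        // wp-admin/admin-ajax.php). It says nothing about who is asking.
        if ( ! is_admin() || ! isset( $_POST['wppcp_tab'] ) ) {
            return;
        }
        // Authorization: test a capability rather than a role name.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        // Nonce: the form must emit wp_nonce_field( 'example_save_settings' ).
        check_admin_referer( 'example_save_settings' );

        $tab = sanitize_key( wp_unslash( $_POST['wppcp_tab'] ) );
        if ( ! isset( self::TAB_HANDLERS[ $tab ] ) ) {
            wp_die( 'Unknown settings tab.', '', array( 'response' => 400 ) );
        }
        $this->{ self::TAB_HANDLERS[ $tab ] }();
    }

    private function save_general() {
        $value = isset( $_POST['example_label'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_label'] ) ) : '';
        update_option( 'example_label', $value );
    }

    private function save_redirect() {
        $url = isset( $_POST['example_redirect'] )
            ? esc_url_raw( wp_unslash( $_POST['example_redirect'] ) ) : '';
        update_option( 'example_redirect', $url );
    }
}
```

Testing a capability such as manage_options instead of a role name also avoids the role-editor problem described above, because the check no longer depends on which capabilities a role happens to contain.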
WordPress: require custom post type if is_admin
To change image markup only on the front end, the plugin Lazy Loading Sensitive Images needs to check whether a request was made in the backend. The function is_admin() determines whether a backend page was requested, and this was the plugin’s first solution.
However, a user discovered a weakness in the function: it returns true for AJAX requests because they use the wp-admin/admin-ajax.php file. Since is_admin() returns true, the lazy loading plugin did not work for front-end content that was added via AJAX.
With that in mind, the solution must include a check for AJAX requests. The first attempt at a function to replace the is_admin() calls looked like this (kindly provided directly with the issue report by user zitrusblau):
That worked on the front end, but the same user later discovered a new problem with the plugin: the post thumbnail function in the backend was now lazy loaded. As a result, a newly selected featured image did not appear in the meta box until the post was saved.