[wp-hackers] is there a way to make sure that a shortcode can be used only by certain userroles?

Nikola Nikolov nikolov.tmw at gmail.com
Wed Nov 13 15:34:27 UTC 2013


There's a way to do that if you're using a custom function that directly
queries the database (I hope no one ever does that for normal content :) ).
If you are using wp_insert_post() or wp_update_post() - then the filter
will be applied to the content.

Are you planning on displaying some kind of a notice when you detect the
presence of the shortcode or are you still going to remove the shortcode?
If you're still going to remove the shortcode, then my suggestion would
save you one regex call (since has_shortcode() is almost the same as
do_shortcode(), except that it doesn't convert the shortcode tags to their
proper content).


On Wed, Nov 13, 2013 at 4:53 PM, Haluk Karamete <halukkaramete at gmail.com> wrote:

> Thank you all. It looks like for 3.6 and up, my arsenal would be
>
> content_save_pre <http://codex.wordpress.org/Plugin_API/Filter_Reference/content_save_pre>
> & has_shortcode.
>
> Just to make sure... would the above 2 cover all the bases?
>
> What I care about the most is the content_save_pre section.
> The key question is:
>
> Do all POSTS & PAGES & CPTS go thru content_save_pre? Or better put:
>
> Is there a way to save a post or page without going thru
> content_save_pre?
>
>
> On Wed, Nov 13, 2013 at 6:46 AM, John <dailyrants at gmail.com> wrote:
>
> > has_shortcode was introduced in 3.6.0. You might find that useful here.
> >
> >
> > On Tue, Nov 12, 2013 at 4:42 PM, Nikola Nikolov <nikolov.tmw at gmail.com> wrote:
> >
> > > Since the regex that matches shortcodes is quite complex, I can suggest to
> > > you the following VERY ugly hack :)
> > >
> > > function filter_out_protected_shortcode( $content ) {
> > >     // Check to see if the current user can or can't do a specific task;
> > >     // it would probably be different in your case
> > >     if ( ! current_user_can( 'edit_others_posts' ) ) {
> > >         global $shortcode_tags;
> > >         // Back up the currently registered shortcodes
> > >         $_sc_tags = $shortcode_tags;
> > >
> > >         // Change the shortcode's handler to return an empty string
> > >         // instead of the actual content
> > >         $shortcode_tags = array( 'xyx' => '__return_empty_string' );
> > >
> > >         // Now, since we have overridden the $shortcode_tags variable,
> > >         // only the [xyx] shortcode will be parsed - and it will be replaced
> > >         // with an empty string :)
> > >         $content = do_shortcode( $content );
> > >
> > >         // Restore the original shortcode handlers
> > >         $shortcode_tags = $_sc_tags;
> > >     }
> > >
> > >     return $content;
> > > }
> > > add_filter( 'content_save_pre', 'filter_out_protected_shortcode', 10 );
> > >
> > > So what happens here is that we hook to the "content_save_pre" filter as
> > > Jesse suggested.
> > > We then check if the user can use that shortcode. If they can't, we
> > > override the global $shortcode_tags variable to only contain our shortcode
> > > with a callback "__return_empty_string" - which, as the name suggests,
> > > returns an empty string.
> > > After that, we parse the content and if the shortcode was found there - it
> > > will be replaced with an empty string.
> > >
> > > This is not a perfect solution, since if the shortcode was surrounded by
> > > two empty lines (one before and one after), you would get three empty lines.
> > >
> > > I haven't tested that code, but it should in theory work.
> > >
> > > Also - the chances are that no shortcodes would be parsed for that
> > > request (since that's a request for updating/saving a post) and you can skip
> > > the copying/restoring of the $shortcode_tags variable, but I always prefer
> > > to put things back together the way I found them, than to leave them
> > > messy (debugging something like that is a pain).
> > >
> > > Well, that's about it - it's an UGLY hack, but I believe that the core
> > > handling of the shortcodes is better than anything that I would come up with
> > > regex-wise (and I'm generally somewhat decent in writing those).
> > >
> > >
> > > On Tue, Nov 12, 2013 at 10:08 PM, Jesse Friedman <highfive at jesserfriedman.com> wrote:
> > >
> > > > You could filter the content when the post is saved and if the user doesn't
> > > > have the right permissions, then I strip the shortcode or present a
> > > > warning.
> > > >
> > > > you could try using
> > > > http://codex.wordpress.org/Plugin_API/Filter_Reference/content_save_pre,
> > > > then maybe some regex to find the shortcode and strip it out
> > > >
> > > >
> > > > On Tue, Nov 12, 2013 at 2:57 PM, Haluk Karamete <halukkaramete at gmail.com> wrote:
> > > >
> > > > > What I mean by that is this...
> > > > >
> > > > > Let's say there is an admin-editors-only shortcode. Let's call it the "xyx"
> > > > > shortcode for the sake of an example.
> > > > >
> > > > > Is it possible to have a contributor or author not be able to use
> > > > > that shortcode? They all get stopped with a warning that the post cannot be
> > > > > saved (or created) because it contains the "xyx" shortcode!
> > > > >
> > > > > To cover all the possibilities (such as posting thru email, or thru some
> > > > > other esoteric ways), what is the best hook(s) that I need to watch out for so
> > > > > that there are no loopholes left...
> > > > >
> > > > > I hope it was clear and did not confuse you...
> > > > > thank you
> > > > > _______________________________________________
> > > > > wp-hackers mailing list
> > > > > wp-hackers at lists.automattic.com
> > > > > http://lists.automattic.com/mailman/listinfo/wp-hackers
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > thanks
> > > >
> > > > *jesse friedman*
> > > > jes.se.com
> > > > Book: Web Designers Guide to WordPress - http://wdgwp.com/onamazon
> > > > Twitter: @professor <http://twitter.com/professor>
> > > > Facebook: Like <https://www.facebook.com/pages/Jesse-Friedman/204793299545174>
>
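
Because a save that queries the database directly never runs content_save_pre, a render-time check complements the save-time strip discussed in this thread. The following is an added example, not code from any poster here; it assumes WordPress 3.7 or later (for `__return_empty_string()`), the thread's example tag `xyx`, the `edit_others_posts` capability as the gate, and the hypothetical names `XYX_TAG`, `XYX_CAP`, `xyx_strip_on_save` and `xyx_render`.

```php
<?php
// Added example, not code from the thread. Assumptions: WordPress 3.7+,
// the thread's example tag 'xyx', and 'edit_others_posts' as the gate.
define( 'XYX_TAG', 'xyx' );
define( 'XYX_CAP', 'edit_others_posts' );

// Layer 1: strip [xyx] on every save that runs the content_save_pre filter.
function xyx_strip_on_save( $content ) {
    // With no logged-in user (cron, post by email) this check is false,
    // so the shortcode is stripped: the filter fails closed.
    if ( current_user_can( XYX_CAP ) ) {
        return $content;
    }
    $raw = wp_unslash( $content ); // the filter receives slashed data

    global $shortcode_tags;
    $saved          = $shortcode_tags;          // back up registered handlers
    $shortcode_tags = array( XYX_TAG => '__return_empty_string' );
    $stripped       = do_shortcode( $raw );     // only [xyx] is parsed, and removed
    $shortcode_tags = $saved;                   // restore the handlers

    // Leave the content byte-for-byte untouched when nothing was removed.
    return ( $stripped === $raw ) ? $content : wp_slash( $stripped );
}
add_filter( 'content_save_pre', 'xyx_strip_on_save', 10 );

// Layer 2: refuse to render when the post's author lacks the capability.
// This covers content written by code that queried the database directly
// and so never passed through content_save_pre.
function xyx_render( $atts, $content = '' ) {
    $post = get_post();
    if ( ! $post || ! user_can( (int) $post->post_author, XYX_CAP ) ) {
        return '';
    }
    // Placeholder output; the real handler body goes here.
    return '<div class="xyx">' . esc_html( $content ) . '</div>';
}
add_shortcode( XYX_TAG, 'xyx_render' );
```

The render-time check keys on the post's author, so an [xyx] added by an editor to a contributor's post will not render either.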

