[wp-hackers] Delete Row - Refreshes Page but not DB

Gregory Lancaster greglancaster71 at gmail.com
Sun Oct 20 00:53:59 UTC 2013


The ajax delete fails on non admin accounts.  The form inserts an entry
into a custom table so I think $wpdb access is restricted to admins, which
I do not want to change.  However these people need the ability to enter
data.  I apologize for my lazy post before by the way, frustration was
setting in.

As for the right to delete or post, I currently am matching the
current_member against the current_user->ID.  That seems to control who can
delete what on what users page.  Maybe there is a better way? That is the
only connection to the profile page owner I have though.

I feel dumb asking but, maybe you would tell me what part of the codex I
need to read to modify the user roles for posting?  This is a little
confusing because the form is unattached to wordpress other than it posts
within the wpdb.  For that reason the ability to delete and add entries
(seems) as though it would not be controlled by a user role.

I do not want to grant all subscribers the ability to create and delete
posts for the sake of this form.

On Saturday, October 19, 2013, Nikola Nikolov wrote:

> What do you mean by "ajax is not supported unless I register people as
> admins"?
>
> Does the AJAX never occur, or does the AJAX not trigger the deletion of the
> rows?
>
> If the AJAX doesn't occur - then you should look at the code that prints
> the AJAX itself - you probably have some sort of a check there that decides
> whether to print out the JS or not.
>
> If the deletion of the rows doesn't happen, then it's the code that deletes
> the rows that doesn't work.
>
> Also - if you're going to let all kind of users delete data, you should
> make sure that they actually have the right to delete that data or not (for
> instance check if "is_super_admin()" and if that's true - allow them to
> delete without further checks - if it's false, check if the record they're
> trying to delete actually belongs to them).
>
>
> On Sat, Oct 19, 2013 at 11:37 PM, Gregory Lancaster <greglancaster71 at gmail.com> wrote:
>
> > Well it finally all works... and then I tested the user accounts and ajax
> > is not supported unless I register people as admins.   I know I can add a
> > user role, but is it possible to give them the ability to use ajax?
> >
> >
> > On Sat, Oct 19, 2013 at 11:32 AM, Gregory Lancaster <greglancaster71 at gmail.com> wrote:
> >
> > > like this?
> > >
> > > jQuery( document ).ready( function( $ ) {
> > >
> > >         // When a button is clicked within the table with id="mytable"
> > >         $( '#mytable button' ).click( function( event ) {
> > >
> > >                 event.preventDefault();
> > >
> > >                 if ( ! confirm( 'Are you sure you want to continue' ) )
> > >                         return;
> > >
> > >                 var $button = $(this);
> > >                 var nonce = $( this ).attr('data-nonce');
> > >                 var rowID = $( this ).attr('value');
> > >                 var file = $( this ).attr('file');
> > >
> > >                 $button.closest("tr").css('background-color', '#C60').fadeIn();
> > >
> > >                 var data = {
> > >                         'action': 'my_delete_row_action',
> > >                         'id': rowID,
> > >                         'file': file
> > >                 }
> > >
> > >                 $.post(
> > >                         ajaxurl,
> > >                         data,
> > >                         function ( response ) {
> > >                                 if ( ! response.success ) {
> > >                                         alert( 'Failure!' );
> > >                                 }
> > >
> > >                                 $button.closest("tr").hide();
> > >                         }
> > >                 );
> > >         });
> > > });
> > >
> > > and my remove_row function would function like this?
> > >
> > > function my_delete_row_action() {
> > >     global $wpdb;
> > >
> > >     if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
> > >         exit( 'Cheatin, huh?' );
> > >     }
> > >
> > >     $id = $_POST['id'];
> > >     $file = $_POST['file'];
> > >
> > > seems to fail regardless if I change an item or not.
> > >
> > >
> > > On Sat, Oct 19, 2013 at 11:16 AM, Nikola Nikolov <nikolov.tmw at gmail.com> wrote:
> > >
> > >> So something like this is what you should use instead:
> > >>
> > >> <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> > >>     file="<?php echo $row['file']; ?>"
> > >>     data-nonce="<?php echo wp_create_nonce( 'delete_' . $row['id'] . '_' . $row['file'] ); ?>"
> > >>     class="delete-box"><span class="glyphicon glyphicon-remove"></span></button>
> > >>
> > >> You would have to add the value of the data-nonce attribute to your AJAX
> > >> request (in the below example its value is set to the 'nonce' parameter)
> > >> and then on the PHP side of the request, you should do this:
> > >>
> > >> if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
> > >>     exit( 'Cheatin, huh?' );
> > >> }
> > >>
> > >> This way if someone changes the value of the file OR "value" attributes,
> > >> they won't be able to delete the item they were trying to delete.
> > >>
> > >>
> > >> On Sat, Oct 19, 2013 at 8:56 PM, J.D. Grimes <jdg at codesymphony.co> wrote:
> > >>
> > >> > Yes, you should be using nonces -
> > >> > http://codex.wordpress.org/WordPress_Nonces
> > >> >
> > >> > On Oct 19, 2013, at 1:53 PM, Gregory Lancaster <greglancaster71 at gmail.com> wrote:
> > >> >
> > >> > > Yep, I had to add true.  So all this is executing based on the values of
> > >> > > this button:
> > >> > > <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> > >> > >     file="<?php echo $row['file']; ?>" class="delete-box"><span
> > >> > >     class="glyphicon glyphicon-remove"></span></button>
> > >> > >
> > >> > > But couldn't someone just change the values of the fileid or rowid and
> > >> > > delete other people's content?
> > >> > >
> > >> > >
> > >> > > On Sat, Oct 19, 2013 at 10:40 AM, J.D. Grimes <jdg at codesymphony.co> wrote:
> > >> > >
> > >> > >> Hey man, that's tough. I'm glad you've got the code working though.
> > >> > >>
> > >> > >>> I finally got JDs code working but I have to place this in my functions
> > >> > >>> for ajax to work:
> > >> > >>>
> > >> > >>> add_action('wp_head','custom_head');
> > >> > >>>
> > >> > >>> function custom_head()
> > >> > >>> {
> > >> > >>>      echo '';
> > >> > >>> }
> > >> > >>>
> > >> > >>>
> > >> > >>> Is that alright?  Otherwise I get ajaxurl undefined error.
> > >> > >>
> > >> > >> I'm not sure why this would have an effect… If you are using the code on
> > >> > >> the front end of your site, ajaxurl won't be defined - it is only defined
> > >> > >> by default in the administration panels. You would need to use
> > >> > >> wp_localize_script().
> > >> > >>
> > >> > >>> Additionally, the json response works too! However one query always
> > >> > >>> fails.
> > >> > >>>
> > >> > >>> $file = $_POST['file'];
>
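Added example (not code from this thread, from any of the posters, or from WordPress core): the complete flow the replies above describe, put together in one place. Two things about the snippets quoted above are visible in the code itself. In the posted JavaScript, `nonce` is read from data-nonce but never put into the `data` object that is posted, so `$_POST['nonce']` never reaches the handler. In the posted PHP, `$id` and `$file` are used to build the nonce action string before they are assigned from `$_POST`, so the string the server checks against is always `delete__` and verification fails whatever the client sends. Separately, neither `$wpdb` nor admin-ajax.php is gated by role: the `wp_ajax_{action}` hook fires for any logged-in user, and `wp_ajax_nopriv_{action}` for logged-out visitors, so subscribers can reach the handler without being made admins; what decides who may delete which row is the ownership check inside the handler (Nikola's `is_super_admin()`, or else "the record belongs to them"). On the front end `ajaxurl` is not defined, so the URL is handed to the script with wp_localize_script(). Assumed for illustration only: a custom table `{$wpdb->prefix}my_entries` with columns `id`, `file` and `user_id`, a script at `js/delete-row.js` in the active theme, and the JavaScript object name `myDelete`.

```php
<?php
// Added example, not code from the thread or from WordPress core.
// Assumptions (illustration only): custom table {$wpdb->prefix}my_entries
// with columns id (int), file (varchar), user_id (int); a script file
// js/delete-row.js in the active theme; the JS object name "myDelete".

// 1. Front end: `ajaxurl` is only defined in the admin, so pass the URL to
//    the script with wp_localize_script(); the JS then posts to myDelete.ajaxurl.
add_action( 'wp_enqueue_scripts', 'my_enqueue_delete_row_script' );
function my_enqueue_delete_row_script() {
    wp_enqueue_script(
        'my-delete-row',
        get_stylesheet_directory_uri() . '/js/delete-row.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'my-delete-row', 'myDelete', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
    ) );
}

// 2. The delete button, with a nonce tied to this exact id/file pair so that
//    editing either attribute in the browser invalidates it. Attribute values
//    are escaped; the file name goes in data-file rather than a made-up attribute.
function my_delete_button_html( array $row ) {
    $nonce = wp_create_nonce( 'delete_' . $row['id'] . '_' . $row['file'] );
    return sprintf(
        '<button type="submit" name="deleteItem" value="%d" data-file="%s" data-nonce="%s" class="delete-box">'
        . '<span class="glyphicon glyphicon-remove"></span></button>',
        (int) $row['id'],
        esc_attr( $row['file'] ),
        esc_attr( $nonce )
    );
}

// 3. Handler. wp_ajax_{action} runs for every logged-in user regardless of
//    role, so subscribers reach it without any role change. There is
//    deliberately no wp_ajax_nopriv_ hook, so logged-out visitors get no handler.
add_action( 'wp_ajax_my_delete_row_action', 'my_delete_row_action' );
function my_delete_row_action() {
    global $wpdb;
    $table = $wpdb->prefix . 'my_entries'; // assumed table name

    // Read and sanitise the inputs first; the nonce action string is built from them.
    $id    = isset( $_POST['id'] )    ? absint( $_POST['id'] ) : 0;
    $file  = isset( $_POST['file'] )  ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    // CSRF check: the nonce must match this id/file pair for this user.
    if ( ! $id || ! wp_verify_nonce( $nonce, 'delete_' . $id . '_' . $file ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ) );
    }

    // Authorisation: super admins may delete any row; everyone else only rows
    // whose user_id is their own. The owner comes from the table, never from
    // anything the client sent.
    $owner_id = $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$table} WHERE id = %d AND file = %s",
        $id,
        $file
    ) );
    if ( null === $owner_id ) {
        wp_send_json_error( array( 'message' => 'No such row.' ) );
    }
    if ( ! is_super_admin() && (int) $owner_id !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'You may only delete your own entries.' ) );
    }

    // Delete with the same conditions in the WHERE clause, so a race between
    // the lookup and the delete still cannot remove someone else's row.
    $where        = array( 'id' => $id, 'file' => $file );
    $where_format = array( '%d', '%s' );
    if ( ! is_super_admin() ) {
        $where['user_id'] = get_current_user_id();
        $where_format[]   = '%d';
    }
    $deleted = $wpdb->delete( $table, $where, $where_format ); // rows affected, or false

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ) );
    }
    if ( 0 === $deleted ) {
        wp_send_json_error( array( 'message' => 'Nothing was deleted.' ) );
    }
    // wp_send_json_success() prints {"success":true,...} and exits, which is
    // what the jQuery callback's response.success check expects.
    wp_send_json_success( array( 'id' => $id ) );
}
```

With this in place the JavaScript from the thread needs three changes: post to `myDelete.ajaxurl` instead of `ajaxurl`, read the file name with `attr('data-file')`, and include `'nonce': nonce` in the `data` object. The id and file name are only ever passed through `$wpdb->prepare()` and `$wpdb->delete()`, never concatenated into SQL, and the user_id condition is repeated in the WHERE clause so the ownership decision does not rest on the earlier SELECT alone.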

