[theme-reviewers] Theme submission fails on WARNING

Otto otto at ottodestruct.com
Fri Jun 24 21:57:14 UTC 2011


On Fri, Jun 24, 2011 at 4:44 PM, Philip M. Hofer (Frumph)
<philip at frumph.net> wrote:
> I got around fopen by using file() instead and imploding it (thanks otto and
> pross for the idea)

That only helps for reading files, not for writing them.

And while I didn't go into it in my WP_Filesystem tutorial, there is a
slightly alternative way to not have to display that form. It's not
the safest of things, but it's reasonable if you want to present the
user with as little difficulties as possible.

http://ottopress.com/2011/tutorial-using-the-wp_filesystem/

If you read the tutorial, you can see where it is doing
request_filesystem_credentials() call. If you delve into that
function, you can see that it does its tests and such, but what it's
really looking for here when it can't do direct calls and is forced to
fall back to the FTP methods is  $_POST['hostname'],
$_POST['username'], and $_POST['password'].

So if you don't want your user to see the separate FTP settings screen
every time, then you can do something like this.

// first, ignore this if we can write files with the "direct" method,
which needs no credentials
if ('direct' != get_filesystem_method(array(), false) ) {
  // display hostname, username, and password inputs on my form..
  // as long as they use those names and the form is a POST form,
  // the subsequent call to request_filesystem_credentials will use
  // them and not display an extra form to the user
}

That lets you sort of nicely integrate the credentials form into your own pages.

If you wanted, you could even ask the user once, then store them in
the database, and put them back onto the form in hidden inputs. I do
not recommend this for security reasons, but it would work. The
problem is that you have to store the credentials, including the
password, in the database for this approach.

You still have to detect the case when the given credentials are
wrong, so the $form_fields option should be filled in properly and the
if ( ! WP_Filesystem($creds) ) check still needs to be made, and the
error in credentials case handled properly by displaying your form
again to the user, but this method solves some theme devs objections
to using the WP_Filesystem.

-Otto


More information about the theme-reviewers mailing list