• Resolved Hrohh

    (@hrohh)


    Hi, I have a website where I want to switch user via PHP. I have a 50% solution like this:

    
    
    add_action( 'parse_query', 'test_parse_query' );
    function test_parse_query( $wp_query ) {
    
        if ( isset( $wp_query->query['view-as-user'] ) && function_exists( 'view_admin_as' ) ) {
            if ( is_numeric( $wp_query->query['view-as-user'] ) ) {
    
                $request = array( 'user' => $wp_query->query['view-as-user'] );
    
                $view_admin_as = view_admin_as();
    
                //$view_admin_as->controller()->reset_view();
    
                $view_admin_as->store()->set_view( $view_admin_as->controller()->validate_view_data( $request ) );
    
                $data = $view_admin_as->controller()->validate_view_data( $view_admin_as->store()->get_view() );
                if ( $data ) {
    
                    $meta = $view_admin_as->store()->get_userMeta( 'views' );
                    // Make sure it is an array (no array means no valid data so we can safely clear it).
                    if ( ! is_array( $meta ) ) {
                        $meta = array();
                    }
                    // Add the new view metadata and expiration date.
                    $meta[ $view_admin_as->store()->get_curUserSession() ] = array(
                        'view' => $data,
                        'expire' => ( time() + (int) 86400 ),
                    );
                    // Update metadata (returns: true on success, false on failure).
                    $view_admin_as->store()->update_userMeta( $meta, 'views', true );
                }
    
                wp_redirect( home_url( trailingslashit( _x( 'my-account', 'link my account', 'test' ) ) ) );
                die();
            }
        }
    }
    
    

    It works OK, but if the user doesn't have the caps “view_admin_as” and “edit_users”, it is not possible (https://github.com/JoryHogeveen/view-admin-as/wiki/Custom-capabilities). Is there some workaround for switching user without these caps? Or can I use some filter to temporarily add them and remove them after switching? Thank you for your help!

    • This topic was modified 7 years, 8 months ago by Hrohh.
Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @hrohh,

    Before I dive into this I’d like to know what it is you are trying to do. There might be a simpler solution to this.
    It seems odd to switch users the way you propose. Not validating capabilities would be a serious security leak.

    Let me know!
    Regards, Jory

    Thread Starter Hrohh

    (@hrohh)

    OK, I see. I have a website where users have these roles:
    – member
    – validator
    – editor
    – administrator

    Members have a UX dashboard where they add daily data – KM and footsteps. Because users can occasionally add false data, the validator logs in to their account and deletes it. But members and validators don't have any caps in WP (no “read”). Now I have to figure out how I can switch user without the “edit_users” cap, because maybe (I don't know) with the REST API they could manipulate users' internal data (like changing passwords etc.). My app doesn't allow that – I have my own AJAX request with a function where I check the user based on “role”.

    Here is a screenshot -> https://ibb.co/e3bFb9

    Thank you very much.

    • This reply was modified 7 years, 8 months ago by Hrohh.
    Plugin Author Jory Hogeveen

    (@keraweb)

    Hello @hrohh,

    I get it, but don’t you think it’s better to just allow the validator to edit member data from their own account?
    So they would have an interface where they can select a member and view/change its data.
    This way you could even create a revision history to see who made the changes.

    This would then be unrelated to View Admin As of course but I think it would be a better solution when looking at flexibility and security.
    Let me know what you think!

    If you really want to switch using VAA, please take a look at the user_has_cap filter. You can add capabilities to a user without storing them in the DB.

    As far as updating the view. I can create an API function in the next release where you can easily update the current view. This will ensure backwards compatibility in case the storage might change in the future.

    Thanks! Jory

    Plugin Author Jory Hogeveen

    (@keraweb)

    @hrohh,

    This is a new API method idea for setting the current view:
    VAA_API::update_view( $view )
    https://github.com/JoryHogeveen/view-admin-as/commit/ab9808d45b0cf6055a5f0c5a3fa74be76bcefa0c

    Dev branch:
    https://github.com/JoryHogeveen/view-admin-as/tree/dev

    Let me know what you think of my previous comment (and idea).

    Thanks, Jory

    UPDATE, your code can then be simplified:

    add_action( 'parse_query', 'test_parse_query' );
    function test_parse_query( $wp_query ) {
        $view_as_user = $wp_query->get( 'view-as-user', false );
    
        if ( is_numeric( $view_as_user ) && class_exists( 'VAA_API' ) ) {
            $view = array( 'user' => $view_as_user );
    
            $success = VAA_API::update_view( $view );
            // if ( $success ) { check?? }
    
            wp_redirect( home_url( trailingslashit( _x( 'my-account', 'link my account', 'test' ) ) ) );
            die();
        }
    }
    
    Thread Starter Hrohh

    (@hrohh)

    Thank you so much! It is switching user :))

    Now I have trouble with CAPS. I removed “view_admin_as” and “edit_users” from caps in DB (via plugin https://cs.ww.wp.xz.cn/plugins/members/ ) and use filtering via user_has_cap

    
    add_filter( 'user_has_cap', 'test_user_has_cap', PHP_INT_MAX, 3 );
    function test_user_has_cap( $allcaps, $cap, $args ) {
        $allcaps['view_admin_as'] = true;
        $allcaps['edit_users'] = true;
    
        return $allcaps;
    }
    

    Switching user is not working. I'm logging $allcaps, $cap, $args to a txt file. No “view_admin_as”/“edit_users”, only some caps for editing posts.

    Thank you

    • This reply was modified 7 years, 8 months ago by Hrohh.
    Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @hrohh,

    Is this filter always active? And I assume it’s not a multisite/network?

    Where are you adding this code? Please make sure that this filter is active before VAA gets loaded (action: plugins_loaded priority -99999). Keep in mind that this is before the theme is loaded so adding it in your theme won’t work.

    Let me know!
    Jory

    PS:
    I’d still like to add, and I can’t stress this enough.. please make sure you add the appropriate checks to validate whether a user (validator) should be able to access a member.
    In the example code you simply add those capabilities to all users so I assume this is example code?
    Modifications like this can easily pose security issues!

    • This reply was modified 7 years, 8 months ago by Jory Hogeveen.
    Thread Starter Hrohh

    (@hrohh)

    Thank you very much. I had added it to functions.php in the theme – sorry.

    I have validation like this

    
    function user_challenge_is_coordinator() {
        $user = wp_get_current_user();
        $is_coordinator = false;
    
        if ( array_intersect( array( 'administrator', 'coordinator' ), $user->roles ) ) {
            $is_coordinator = true;
        }
        if ( ! $is_coordinator ) {
            if ( function_exists( 'view_admin_as' ) ) {
                $view_admin_as = view_admin_as();
                $view_admin_as_store = $view_admin_as->store();
                if ( $view_admin_as_store->get_selectedUser() ) {
                    $is_coordinator = true;
                }
            }
        }
        return $is_coordinator;
    }
    
    add_action( 'parse_query', 'test_parse_query' );
    function test_parse_query( $wp_query ) {
        if ( isset( $wp_query->query['view-as-user'] ) ) {
            if ( is_numeric( $wp_query->query['view-as-user'] ) && class_exists( 'VAA_API' ) && is_user_logged_in() && user_challenge_is_coordinator() ) {
    
                $user_maybe = get_userdata( $wp_query->query['view-as-user'] );
    
                if ( !empty( $user_maybe ) && array_intersect( array( 'member' ), $user_maybe->roles ) ) {
    
                    $view = array( 'user' => $wp_query->query['view-as-user'] );
    
                    $success = VAA_API::update_view( $view );
                }
            }
            wp_redirect( home_url( trailingslashit( _x( 'my-account', 'my link', 'test' ) ) ) );
            die();
        }
    }
    

    Thank you so much for your help!

    Plugin Author Jory Hogeveen

    (@keraweb)

    Hello @hrohh,

    No problem! You could simply add that code as a must-use plugin (wp-content/mu-plugins/your-file.php).

    I’d also do the same with the capability modifications:

    add_filter( 'user_has_cap', 'test_user_has_cap', PHP_INT_MAX, 3 );
    function test_user_has_cap( $allcaps, $cap, $args ) {
        if ( user_challenge_is_coordinator() ) {
            $allcaps['view_admin_as'] = true;
            $allcaps['edit_users'] = true;
        }
    
        return $allcaps;
    }

    I’ll mark this issue as resolved now!
    If you need help with anything else let me know! I’m not 100% sure when 1.8.3 will be released but you can follow and contribute to development on GitHub anytime!

    Also, please consider leaving a nice review, it will help the plugin grow 🙂

    Thanks! Jory
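
A narrower version of the `user_has_cap` filter discussed in this thread, as an added example that is not part of any post and not the plugin's own code: it uses the filter's fourth argument to decide on the user actually being checked, and grants the two capabilities only when a check requires them. The function, constant and file names are hypothetical, the role list is copied from the thread starter's check, and the VAA selected-user branch of that check is not reproduced.

```php
<?php
/**
 * Added example (not VAA or thread code): a scoped user_has_cap grant.
 * Assumed location: wp-content/mu-plugins/scoped-vaa-caps.php (hypothetical file name).
 */

// Capabilities and roles named in the thread.
const SCOPED_VAA_CAPS  = array( 'view_admin_as', 'edit_users' );
const SCOPED_VAA_ROLES = array( 'administrator', 'coordinator' );

add_filter( 'user_has_cap', 'scoped_vaa_user_has_cap', PHP_INT_MAX, 4 );

/**
 * @param bool[]   $allcaps Capabilities the checked user has.
 * @param string[] $caps    Primitive capabilities required by this check.
 * @param array    $args    [0] requested capability, [1] user ID, [2...] context.
 * @param WP_User  $user    The user being checked (not necessarily the current user).
 */
function scoped_vaa_user_has_cap( $allcaps, $caps, $args, $user ) {
    // Leave every check alone unless it actually requires one of the two caps.
    $needed = array_intersect( SCOPED_VAA_CAPS, (array) $caps );
    if ( empty( $needed ) ) {
        return $allcaps;
    }

    // Decide on the user under evaluation, so user_can( $other_user, ... )
    // is not answered with the logged-in user's privileges.
    if ( ! ( $user instanceof WP_User ) || ! $user->exists() ) {
        return $allcaps;
    }
    if ( ! array_intersect( SCOPED_VAA_ROLES, (array) $user->roles ) ) {
        return $allcaps;
    }

    // Grant only what this check asked for; nothing is written to the database.
    foreach ( $needed as $cap ) {
        $allcaps[ $cap ] = true;
    }
    return $allcaps;
}
```

`edit_users` granted this way still applies wherever WordPress itself requires it, including the user screens and the REST users endpoint, so the role list is the access boundary.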


The topic ‘API – programmatically switch’ is closed to new replies.