Unable to whitelist `admin_url(‘admin-post.php’)` for an admin post request

Resolved rmalviya
(@rmalviya)

7 years, 10 months ago
I’m utilizing the builtin functionality of WordPress for posting my request to admin-post.php with admin_post_nopriv_{$action} hook for non-logged in users. But when the request is sent the logged out user is redirected to login page, as expected. So, I tried to whitelist the url where request is sent i.e. admin-post.php.

But even after whitelisting the url with query parameters, the request redirects to wp-login. When I tried to debug the code, I found that in whitelist function the current $url is root url to WordPress, so it redirects back to wp-login.
Here’s what I have tried:
```
function my_forcelogin_whitelist( $whitelist, $url ) {
  // $url is root url to WordPress for admin-post.php request.
  $whitelist[] = admin_url( 'admin-post.php?' . $_SERVER['QUERY_STRING'] );
  $whitelist[] = admin_url( 'admin-post.php/?' . $_SERVER['QUERY_STRING'] );
  return $whitelist;
}
add_filter( 'v_forcelogin_whitelist', 'my_forcelogin_whitelist', 10, 2 );
```
Please help to solve this.

Viewing 7 replies - 1 through 7 (of 7 total)

Plugin Author Kevin Vess
(@kevinvess)

7 years, 10 months ago

Hi– thanks for using Force Login!

I recommend you try using the v_forcelogin_bypass filter instead. This would allow you to bypass Force Login based on any condition – just pass true when/if your posting your request.
Thread Starter rmalviya
(@rmalviya)

7 years, 10 months ago
Thanks for your reply.

Using v_forcelogin_bypass doesn’t make any difference either. The problem is that I’m getting wrong url for the request in the hooked function for bypassing. I only get root url part and all after that is stripped out. So, how can I check if the current url is the url which I want to bypass. The code I tried:
```
function my_forcelogin_bypass( $bypass ) {
    error_log( $_SERVER['REQUEST_URI'] );
    return $bypass;
}
add_filter( 'v_forcelogin_bypass', 'my_forcelogin_bypass' );
```
When I make request to admin-post.php, this outputs / in my debug.log file instead of expected path to admin-post.php. Please help.
- This reply was modified 7 years, 10 months ago by rmalviya.
- This reply was modified 7 years, 10 months ago by rmalviya.
Plugin Author Kevin Vess
(@kevinvess)

7 years, 10 months ago

I recommended you use the v_forcelogin_bypass filter because you don’t need to use the URL as the condition to bypass the login.

Is there some other condition / value you can check for to determine whether or not Force Login should be bypassed?

Thread Starter rmalviya
(@rmalviya)

7 years, 10 months ago

Thanks for instant reply.

I’m using your suggested v_forcelogin_bypass. The request is to admin-post.php and all the data is passed to it is through query parameters, so how can I check for any condition without getting any query parameters?
For checking bypassing condition I need either the current url or the query parameters to it. Please suggest solution for this.
Can you explain why it doesn’t get correct current url?

Plugin Author Kevin Vess
(@kevinvess)

7 years, 10 months ago

how can I check for any condition without getting any query parameters?

I was thinking there might be something on the backend that you could check for – but it sounds like that’s not possible?

When you submit the request using the admin_post_nopriv_{$action} hook – does your code in that hook run before Force Login redirects? Could you add the bypass filter at that point?

Can you explain why it doesn’t get correct current url?

I’m afraid I can’t explain why, at least without troubleshooting your site. As you’ve discovered yourself, $_SERVER['REQUEST_URI'] outputs / – which means at the time of when Force Login runs, it sees the root URL as what the user tried to visit.

If your code at the admin_post_nopriv_{$action} hook does run, maybe it needs to redirect to a specific URL or query string you may check for when Force Login runs?

And just to be sure, does your code work when you disable Force Login?

I hope this helps – thanks!

Thread Starter rmalviya
(@rmalviya)

7 years, 10 months ago

Thanks for your explanatory reply.

As you’ve discovered yourself, $_SERVER['REQUEST_URI'] outputs / – which means at the time of when Force Login runs, it sees the root URL as what the user tried to visit.

You’re right Kevin. After some debugging I found out that there was some other plugin which was redirecting the users to root when non-logged in users tried to access wp-admin.

I also found out that there is nothing needs to be done to bypass the admin-post.php request while your plugin is active, which is great for plugin developers. I don’t need to put any bypassing or whitelisting logic for my request to work, it just works. Earlier it was not working because the another culprit plugin on site was redirecting the wp-admin request to home for non-logged in users and after that your plugin was trying to do its work i.e. asks for login via redirecting again.

Thanks for your support. Keep doing good work.

Plugin Author Kevin Vess
(@kevinvess)

7 years, 10 months ago

Excellent – I’m glad you got it working!

Be sure to rate and review my plugin to let others know how you like it.

Thanks for using Force Login!

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Unable to whitelist `admin_url(‘admin-post.php’)` for an admin post request’ is closed to new replies.