Members – Admin Access is blocking frontend calendar views

11 Replies

  1. Hi Justin,

    I just bought and installed Members – Admin Access and it all went fine once I got it enabled, with a couple glitches.

    The biggest glitch is that a user whose role is blocked via Members – Admin Access can no longer access any but the main calendar view in the DP Pro Event Calendar plugin. This is all on the front end. If you click the button to enable Weekly view, the page loads the home page into the frame. Ditto for day view, category and location filters, and the like.

    We do need logged in users to be able to use the calendar, which is essentially broken for them unless they click on nothing….

    Can you help us figure out how to get the right permissions so that users without admin access can still use our calendar?

    thanks!

  2. Justin Tadlock

    Admin access is based on actually visiting the admin. That means that the calendar is doing something very weird/wrong if this is happening.

    It’s possible that it’s attempting to use Ajax but forgetting to set the nopriv Ajax for the front end. I doubt that’s the case but wouldn’t rule it out just yet.

    What I need is for you to send over a copy of the plugin ZIP file via email to me. I’ll be happy to look it over.

  3. Lise LePage

    Actually, I think it is using Ajax to load the alternative frontend calendar views. I’ll send over the zip file for you — thanks for checking it out for me.

  4. Justin Tadlock

    You can send it to justintadlock [at] gmail.com.

    You should already have a ZIP copy of the plugin from where you downloaded it. If I’m not mistaken, it’s from CodeCanyon. Just whatever you get from there is fine.

    Or, you can use a program like 7-Zip or whatever zip functionality that exists on your computer to create a ZIP file.

  5. Lise LePage

    I tried that and the email bounced….

    552-5.7.0 This message was blocked because its content presents a potential
    552-5.7.0 security issue. Please visit
    552-5.7.0 https://support.google.com/mail/?p=BlockedMessage to review our
    552 5.7.0 message content and attachment content guidelines. p1si5894119pgc.280 – gsmtp

    It’s a pay plugin and although zip files are allowed by Google, there may have been something in the compressed directory it didn’t like. Hmmm, is there another way to get this file to you?

  6. Justin Tadlock

    Here’s the steps I took:

    1. Created a couple of events.
    2. Created a “calendar” shortcode and made sure weekly, daily, etc. buttons were shown.
    3. Added the [dpProEventCalendar id=1] shortcode to a page.
    4. Viewed the page with a logged-in user who doesn’t have admin access.

    I was able to view monthly, weekly, and daily views.

    [Image: Weekly events calendar view]

    Are my steps correct? I’m not that familiar with the plugin.

    Also, be sure to deactivate any other plugins while testing. It wouldn’t hurt to check with one of the WP Twenty* themes either.

    It’s near the end of my work day right now. However, I’ll be back in the morning and will do some more testing.

  7. Lise LePage

    Thanks — I’m glad it worked for you. It works for me too, as long as I’m in the approved group for Admin Access. But when I log in as a Contributor with Admin Access turned off, I get two Ajax-related errors in the console (see below).

    Our theme requires jQuery so we’re already loading that and if the calendar is too, it could create issues. But then it seems odd to me that it would work ever in that case. And yet it does.

    Do the errors below tell you anything? I’m happy to try some things, so if anything jumps out at you, please let me know.

    [Error] SyntaxError: Unexpected token '<'
    ajax (jquery.js:4:22217)
    _evalUrl (jquery.js:4:23296)
    Ha (jquery.js:3:21253)
    append (jquery.js:3:22794)
    (anonymous function) (jquery.js:3:24077)
    Y (jquery.js:3:4520)
    html (jquery.js:3:23662)
    (anonymous function) (jquery.dpProEventCalendar.js:1642:99)
    i (jquery.js:2:27455)
    fireWith (jquery.js:2:28215)
    y (jquery.js:4:22733)
    c (jquery.js:4:26927)

    [Error] TypeError: null is not an object (evaluating 'resp[1]')
    ajax (Anonymous Script 1 (line 883))
    (anonymous function) (Anonymous Script 2 (line 14))
    i (Anonymous Script 1 (line 2:27455))
    fireWith (Anonymous Script 1 (line 2:28215))
    ready (Anonymous Script 1 (line 2:30018))

    thanks!

  8. Lise LePage

    I stumbled on a post which offers a function to restrict admin access — the author mentions something he calls “the ajax trap.” Could this be our problem?

    The site says this: Every ajax call handled by WordPress is sent to http://www.yoursite.com/wp-admin/wp-ajax.php which is an admin page.

    His code explicitly checks for Ajax to get around that issue.

    I’m sure you already knew this, but it jumped out at me because we’re getting Ajax errors and Ajax is failing for users blocked from admin.

    Thanks again for any advice you may have!

  9. Justin Tadlock

    I’m leaning toward this being an Ajax issue. So, I’ve got a bit of code I want you to try adding to your theme’s functions.php:

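    // Hooked at the earliest possible priority so this runs before the
    // Admin Access check, which is removed below at priority 0.
    add_action( 'admin_init', function() {
    
        // Only unhook the check when WordPress is handling an Ajax request.
        if ( defined( 'DOING_AJAX' ) && true === DOING_AJAX ) {
    
            remove_action( 'admin_init', 'Members\AddOns\AdminAccess\access_check', 0 );
        }
    }, PHP_INT_MIN );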
    
  10. Lise LePage

    Hi again,

    I tried your code snippet with high hopes, but unfortunately the calendar was still broken for non-admins. So I let the problem percolate overnight, and this morning, I decided to just disable the Admin Access add-on and use this code snippet:

    add_action( 'init', 'our_dashboard_access_handler');
    
    function our_dashboard_access_handler() {
    
       // Check if the current page is an admin page
       // && check if the current user is a non-admin
       // && check that this is not an Ajax call
       if ( is_admin() && !current_user_can( 'activate_plugins' ) && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX )) {
          wp_redirect( home_url() );
          exit;
       }
    }
    

    That worked so I think we’re most of the way there. I have another code snippet to test which will keep non-admins from seeing the admin toolbar. My first test did not go well…. You know how it is.

    I do appreciate your help and I would have liked to use your plugin as it would keep permissions all in one place, but our situation is complicated and although we’re not married to that calendar plugin, we put a lot of time and effort into selecting and testing it, and we don’t want to give it up at this point.

    Thanks again!
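
The "ajax trap" from reply 8, the `nopriv` hook mentioned in reply 2, and the Ajax exemption used in reply 10, shown together as an added example that is not part of the original thread or of either plugin's code. The `example_` function names, the `example_calendar_view` action and the `nonce` and `view` request fields are hypothetical; the point is that once Ajax is exempted from the dashboard gate, each Ajax handler has to do its own request checks.

```php
<?php
// Added illustration; the "example_" names and the "example_calendar_view"
// action are hypothetical, not taken from either plugin in this thread.

// 1. Dashboard gate. admin-ajax.php lives under /wp-admin/, so admin_init
//    fires and is_admin() is true for every Ajax request, including ones
//    sent from front-end pages.
add_action( 'admin_init', 'example_block_dashboard' );

function example_block_dashboard() {
    if ( wp_doing_ajax() ) {
        return; // Let Ajax through; each handler does its own checks below.
    }
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_safe_redirect( home_url() );
        exit;
    }
}

// 2. Front-end Ajax endpoint. wp_ajax_{action} fires for logged-in users,
//    wp_ajax_nopriv_{action} for logged-out visitors; register both when the
//    feature must work for everyone.
add_action( 'wp_ajax_example_calendar_view', 'example_calendar_view' );
add_action( 'wp_ajax_nopriv_example_calendar_view', 'example_calendar_view' );

function example_calendar_view() {
    // The gate no longer covers this request, so verify the nonce here.
    // With the third argument false, a failure returns false instead of dying.
    if ( ! check_ajax_referer( 'example_calendar_view', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // Accept only known view names rather than trusting the request.
    $allowed = array( 'monthly', 'weekly', 'daily' );
    $view    = isset( $_POST['view'] ) ? sanitize_key( wp_unslash( $_POST['view'] ) ) : '';
    if ( ! in_array( $view, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown view.' ), 400 );
    }

    // Read-only data is fine for any visitor; a handler that changes data
    // would add a current_user_can() check before doing so.
    wp_send_json_success( array( 'view' => $view ) );
}
```
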

  11. Justin Tadlock

    I’ll keep digging. It’s tough to figure out because I haven’t been able to reproduce the issue on my site.

    I’ll try to change some code in the plugin later today and let you give it a test.