- This topic has 5 replies, 2 voices, and was last updated 4 years, 6 months ago by Tom.
November 30, 2018 at 11:46 pm #745203 Jaakko Pöntinen
I have a custom post type which corresponds to, say, single-xyz.php.
I’m getting the logged-in user’s ID by means of: get_current_user_id() and the author of the current post by means of get_the_author_meta( 'ID' ). I’m placing these after while ( have_posts() ) : the_post(); in the single-xyz.php file, which is just a copy of the original single.php file from GP.
This works like a charm, I’m outputting those values in spans to see the code in action.
Now, the questions!
A: Am I inserting my code in the first possible place in the loop to get the post author ID?
B: (more important one): Is this a secure way of determining whether the IDs of logged-in user and post author match – I intend to wrap the content echoing part of single-xyz.php into an if-statement comparing the logged-in user’s ID and the post author ID.
The goal, as you can surely deduce, is to create a secure place for users to view proprietary content. Is this method secure?
Thank you for a stellar theme. Still love it, after 4-or-some years! You rock.
December 1, 2018 at 8:32 am #745510 Tom, Lead Developer
1. You may even be able to use those functions outside the loop, as long as there’s only one post on the page.
2. I don’t see any issues with doing it this way at all 🙂
Glad you’re still enjoying GP!
December 1, 2018 at 8:58 am #745527 Jaakko Pöntinen
Cheers for the answer. I have to go a step further still, taking unscrupulous advantage of your expertise: I’m going to use Press Permit and Capability Manager Enhanced to restrict users’ permissions to view/edit their posts only (plus of course all public material). I’ve used them successfully in the past.
Sooo… Is this User ID check vs Post author ID check that I’ve dreamt up necessary at all? I’ve thought of it as an extra level of protection. But is it completely redundant? The information I’ll be storing is sensitive.
The reason I thought it COULD be a good idea is that it’s a really simple way to decide whether to send content from the server to the user or not. But yeah, is it redundant?
– JP
December 1, 2018 at 6:48 pm #745715 Tom, Lead Developer
Hard to know for sure. If you already have a system in place that checks whether a user can view certain content, then it very well may be redundant.
December 2, 2018 at 9:59 am #746153 Jaakko Pöntinen
Thanks 🙂 I’ll think about this some more.
All the best!
– JP
December 2, 2018 at 5:48 pm #746367 Tom, Lead Developer
No problem! 🙂
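The ownership check discussed in this thread, written out as an added example (not code from either poster or from GeneratePress). It assumes the post type slug is xyz as in the thread and that you register that post type yourself; the xyz_-prefixed function names are hypothetical. It goes one step beyond the thread by deciding on template_redirect, before the template prints anything, and by closing the search and REST routes that the single template does not cover.

```php
<?php
// Added example, not code from the thread. 'xyz' is the thread's placeholder
// post type; every xyz_-prefixed function name is hypothetical.

// True only when a logged-in user is the author of the given post.
function xyz_current_user_owns_post( $post_id ) {
    $user_id = get_current_user_id(); // 0 when nobody is logged in
    if ( 0 === $user_id ) {
        return false;
    }
    // post_author is returned as a string, so cast before the strict compare.
    $author_id = (int) get_post_field( 'post_author', $post_id );
    return $author_id > 0 && $author_id === $user_id;
}

// Decide before the template prints anything, so no part of the post
// (title, meta tags, comments) reaches a visitor who is not its author.
function xyz_guard_single_view() {
    if ( ! is_singular( 'xyz' ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // redirects to the login screen and exits
    }
    if ( ! xyz_current_user_owns_post( get_queried_object_id() ) ) {
        nocache_headers();
        wp_die( 'You are not allowed to view this item.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'template_redirect', 'xyz_guard_single_view' );

// The single template is only one route to the content. Assumption: you
// register the post type yourself, so search and the REST API can be closed.
function xyz_register_post_type() {
    register_post_type( 'xyz', array(
        'label'               => 'XYZ',
        'public'              => true,
        'exclude_from_search' => true,
        'show_in_rest'        => false,
        'has_archive'         => false,
        'supports'            => array( 'title', 'editor', 'author' ),
    ) );
}
add_action( 'init', 'xyz_register_post_type' );
```

With the hook in place, an if-statement inside single-xyz.php becomes a second layer rather than the only gate.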