使用Word preSS认证，同时检查是用户是管理员 [英] Using wordpress authentication while checking is user is an administrator

问题描述

我想用一句话preSS认证为管理网站我使用PHP创建。我只希望用户角色管理员能够登录到这个网站。这是我有：

I am trying to use wordpress authentication for an admin site I am creating using PHP. I only want users with the role Administrator to be able to login to this site. This is what I have:

if ( in_array( 'administrator', (array) $user->roles ) ) {
    echo "<script type='text/javascript'>alert('User is an admin!')</script>";
    if( !wp_authenticate($user, $pass) ){
        echo "<script type='text/javascript'>alert('Wrong password!')</script>";
    }elseif(!wp_authenticate($user, $pass) ){
        echo "<script type='text/javascript'>alert('Correct password!')</script>";
    }
}else{
    echo "<script type='text/javascript'>alert('You're not an admin!')</script>";
}

这就是我如何查询数据库来获取用户ID：

And this is how I query the db to get the user ID:

$link = mysqli_connect($host, $username,$password ,$db );
$q1 = " SELECT ID FROM wp_users WHERE 
    user_email=?";
$stmt = mysqli_prepare($link, $q1);
if($stmt){

        mysqli_stmt_bind_param($stmt, "s", $email);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $id);
        mysqli_stmt_fetch($stmt);
        //echo $id;
        $user = get_userdata( $id );   

}

我得到的警报用户是管理员，然后它显示了一个空白页。我在做什么错了？

I get the alert "User is an admin" and then it shows a blank page. What am I doing wrong?

推荐答案

首先：这个问题涉及到<一个href=\"http://stackoverflow.com/questions/36785381/check-if-user-is-an-admin-by-username-or-email-only/36785999?noredirect=1#comment61276507_36785999\">Check如果用户是用户名或电子邮件管理员只

First: This question is related to Check if user is an admin by username or email only

第二：你的第一个块中的逻辑很奇怪......这是什么东西应该类似于

Second: the logic in your first block is very strange... this is what is should resemble

您应该总是使用内置的Word preSS登录表单和认证工作流程。这并不是说很难使用和滚动自己的登录页面，使您的应用程序的很没有安全感，除非你做的完全正确

You should always use the built in WordPress login form and authentication workflow. It is not that hard to use and rolling your own login page makes your application very insecure unless you do it exactly right

要使用默认的Word preSS登录流程，把这样的事情在你的仪表板的普通PHP文件

To use the default WordPress login flow, put something like this in your Dashboard's common PHP file

<?php 
require_once 'path/to/wp-load.php';
// Before every page load
if ( ! is_user_logged_in() ) {
    // Not logged in at all... redirect to WP Login Page
    auth_redirect();
    exit(); // Exit to be safe
} elseif ( ! in_array( 'administrator', wp_get_current_user()->roles ) ) {
    wp_logout(); // Destroy their login session
    wp_die('You must be an administrator'); // Die with a nice error page
}

让我来解释一下这个工作流程：

Let me explain this workflow:

首先，我们导入 WP-load.php 。这是在同时有些皱起了眉头，有可能是这样做的更轻的方式，但现在它应该工作以及

First we import wp-load.php. This is somewhat frowned upon as well and there might be a lighter way of doing this, but for now it should work well

现在，说用户负载 https://example.com/my-admin/index。 PHP ，你的的common.php 将首先检查用户是否登录。如果不会，然后它会调用 auth_redirect（）和退出，这将用户重定向到的https://example.com/wp-login.php?return_url=https%3A%2F%2Fexample.com%2Fmy-admin%2Findex.php

Now, say a user loads https://example.com/my-admin/index.php, your common.php will first check if the user is logged in. If not then it will call auth_redirect() and exit which will redirect the user to https://example.com/wp-login.php?return_url=https%3A%2F%2Fexample.com%2Fmy-admin%2Findex.php

用户将登录使用WP-登录页面，那么他们将被重定向到的https： //example.com/my-admin/index.php ，你的的common.php 现在认识到 is_logged_in（）作为真正的......所以我们进入下一ELSEIF在那里，如果用户是管理员将检查。如果没有，那么它会杀死他们的认证会话和失败，并wp_die我们杀AUTH会话，这样，如果他们刷新他们将被带回登录页面输入凭据的管理员，而不是反复证明了<$ C $页面C> wp_die 页，你可以调整这个但是你想，因为这可能不是期望的行为（或许重定向到/可湿性粉剂管理员/ ...或经常提供的wp_die链接/可湿性粉剂管理员/）

The user will login using the wp-login page and then they will be redirected back to https://example.com/my-admin/index.php, where your common.php will now recognize is_logged_in() as true... so we step to the next elseif where it will check if the user is an administrator. If not then it will kill their authentication session and fail with a wp_die We kill the auth session so that if they reload the page they will be brought back to the login page to enter credentials for an admin and not repeatedly shown the wp_die page, you can tweak this however you wish as this might not be the desired behavior (perhaps redirect to /wp-admin/... or provide a link in the wp_die for the regular /wp-admin/)

如果他们有管理员角色，那么请求将继续执行和仪表板将成为访问的。

if they do have the Administrator role, then execution of the request will continue and the dashboard will be accessible.

请注意，这个工作你需要对同一个域中的Word preSS运行的仪表板安装...否则饼干将不会转移。

Please note that for this to work you will need to have your dashboard running on the same domain as your WordPress install... or else the cookies won't transfer over.

这是很难做到的......这个例子不包括随机数，蜜罐，或任何其他安全功能，你将与标准的登录表单获得（或者使用默认核心或额外的插件）

It is hard to do... this example doesn't include Nonces, honeypots, or any other security features that you will get with the standard login form (either with default core or from additional plugins)

<?php 
// Your login.php page

// Really, no really, this should just be done with WordPress's default login page with an auth_redirect()
// Really this is not recommended, it's really bad practice, and much less secure
// You've been warned

// If they provided a username and password, then check them
if ( isset( $_POST['username'] ) && isset( $_POST['password'] ) ) {
  $username = $_POST['username']
  $username = $_POST['password']
  // Check the username and password with WordPress to see if they are for any user
  $user = wp_authenticate( $username, $password );
  $error = '';
  if ( is_a( $user, 'WP_User' ) ) {
      // Verify that the user is an admin
      if ( in_array( 'administrator', (array) $user->roles ) ) {
          // Redirect them to the dashboard
          wp_redirect('dashboard.php');
          exit();
      } else {
          $error = "Correct password, but not an Admin : (";
      }
  } else {
      $error = "Wrong password :(";
  }
}
// The Login Page
?>
<html>
<head>
  <title> My Login </title>
</head>
<body>
  <form action="login.php" method="POST">
    <?php if ( $error ): ?>
       <div class="error"><?php echo $error; ?></div>
    <?php endif; ?>
    <label>
    Username:
      <input type="text" name="username" placeholder="username" required />
    </label>
    <label>
    Password:
      <input type="password" name="password" placeholder="password" required />
    </label>
  </form>
</body>
</html>

您加载任何其他页面之前，除了你的登录页面，你应该有这个code

Before you load any other page besides your login page you should have this code

<?php
if ( ! is_user_logged_in() || ! in_array( 'administrator', wp_get_current_user()->roles ) ) {
    wp_redirect('login.php?error=Please%20Login');
    exit();
}
// now you can do your stuff

这篇关于使用Word preSS认证，同时检查是用户是管理员的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！