To give strength to its hook system, WordPress leverages an event-driven design pattern. Design patterns are often dependent on one another, though, so it is unlikely that you will recognize a single design pattern in isolation. This is what makes WordPress flexible.
Apart from achieving exclusiveness, the other thing WordPress developers look for is to write code that is easily maintainable. As technology advances and features are added, the codebase of any web app tends to grow more complex. Thus, with the passing of time, it becomes difficult to preserve the clarity and maintainability of the code.
This applies equally to WordPress, be it a plugin, an extension, a theme or any other project type. What matters is to write maintainable code.
That's it!
No! Certainly not!
This is where developers go wrong: they make sure they have followed all the steps to write maintainable code. For instance, they add a meta box, add options and add tabbed navigation in the WordPress dashboard, but they forget to check whether the code they have written actually works.
In this blog we will go to the server side in order to write code that verifies whether the user has the authority to save the meta data or not.
How to verify that the permissions are granted?
You need to incorporate a security check during the serialization process to check whether the user has the ability to save post meta data and to publish. To implement this we can use a nonce value. A nonce is a number used once, which protects URLs and form submissions from misuse by malicious users.
1. How to add a Nonce?
To add a nonce to the meta boxes, you need to implement the functionality in the markup that renders the post template. For this you need to open admin/views/authors-quick-tab.php and then update the template so that it contains wp_nonce_field.
<div id="authors-quick-tab">
    <h2 class="nav-tab-wrapper current">
        <a class="nav-tab nav-tab-active" href="javascript:;">Tab 1</a>
        <a class="nav-tab" href="javascript:;">Tab 2</a>
        <a class="nav-tab" href="javascript:;">Tab 3</a>
    </h2>
    <?php
    // add tabbed content
    include_once( 'tabs/tab1.php' );
    include_once( 'tabs/tab2.php' );
    include_once( 'tabs/tab3.php' );

    // Add a nonce field: first argument is the action, second is the field name
    wp_nonce_field( 'authors_quick_tabs_save', 'authors_quick_tabs_nonce' );
    ?>
</div>
The code above introduces a nonce field for saving the authors' quick tabs (which we've named authors_quick_tabs_nonce), tied to the action authors_quick_tabs_save. You won't see it when you first load the page in the browser, because the value is rendered in a hidden field.
Those who are intrigued can open a suitable browser's developer tools and inspect the meta box; you will see something like this, of course with a different nonce value.
<input type="hidden" id="authors_quick_tabs_nonce" name="authors_quick_tabs_nonce" value="q4df212f34">
2. Check the Nonce
To make sure that the user's permission to save the post is verified properly, you need to check the following three things:
- The user must be saving data on the 'post' post type
- The user must actually have permission to save
- The post must not be an automatic save by WordPress
To cover the first two we can write helper functions, and to check the third we can use WordPress's built-in functions. First, you need to register the hook and the function that will use the helpers, and then save your meta data. Add the following line to the Authors_Quick_Meta_Box class.
<?php add_action( 'save_post', array( $this, 'save_post' ) ); ?>
The next step is to define the function. You can use the following code, in which we call two helper functions.
<?php
public function save_post( $post_id ) {

    // Bail out unless this is a 'post' and the user is allowed to save it
    if ( ! $this->is_valid_fnc() || ! $this->user_save( $post_id, 'authors_quick_tabs_nonce', 'authors_quick_tabs_save' ) ) {
        return;
    }

}
?>
In the code above, the save_post function runs when the save_post action fires. The function verifies that the post being saved is of the 'post' post type; if it is not, or if the user does not have the authority to save it, the function exits. The helper functions must be defined for this logic to work. Next we write the is_valid_fnc function, which checks the $_POST array to ensure that the saved post type is a 'post'.
<?php
private function is_valid_fnc() {
    /**
     * Check whether the post being saved has a valid post type
     */
    return ! empty( $_POST['post_type'] ) && 'post' == $_POST['post_type'];
}
?>
After this we need to add the user_save function, which makes sure that the save is not an automatic one performed by WordPress. Further, if a user is saving the post, there must be a valid nonce value for that particular post.
<?php
private function user_save( $post_id, $nonce_action, $nonce_id ) {

    // Autosaves and revisions also trigger save_post, and they carry no nonce
    $is_var_save     = wp_is_post_autosave( $post_id );
    $is_var_revision = wp_is_post_revision( $post_id );

    // $nonce_action holds the hidden field's name, $nonce_id the action string given to wp_nonce_field()
    $is_var_valid_nonce = ( isset( $_POST[ $nonce_action ] ) && wp_verify_nonce( $_POST[ $nonce_action ], $nonce_id ) );

    // Return true or false.
    return ! ( $is_var_save || $is_var_revision ) && $is_var_valid_nonce;

}
?>
Notice that we're passing in the nonce_action and the nonce_id that we defined in the template in the very first step, and using wp_verify_nonce in conjunction with that information. This is how we verify that the post is being saved by a user with the proper access and permissions.
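As an added example (not code from the original post), here is the whole save path in one place: the three checks from the list above plus a current_user_can() capability check, since a valid nonce only proves the request came from our form, not that the user may edit this post. The class name, meta key and text field name are assumptions for this example.

```php
<?php
// Added example, not the original post's code: a meta box that renders the
// nonce field and saves one meta value only when every check passes.
// The class name, meta key and field name are assumptions for this example.
class Authors_Quick_Meta_Box_Example {

    public function __construct() {
        add_action( 'add_meta_boxes', array( $this, 'add_meta_box' ) );
        add_action( 'save_post', array( $this, 'save_post' ) );
    }

    public function add_meta_box() {
        add_meta_box( 'authors-quick-tab', 'Authors Quick Tabs', array( $this, 'render' ), 'post' );
    }

    // Render the input and the nonce tied to the 'authors_quick_tabs_save' action.
    public function render( $post ) {
        $value = get_post_meta( $post->ID, '_authors_quick_note', true );
        wp_nonce_field( 'authors_quick_tabs_save', 'authors_quick_tabs_nonce' );
        echo '<input type="text" name="authors_quick_note" value="' . esc_attr( $value ) . '">';
    }

    public function save_post( $post_id ) {
        // 1. Only act on the 'post' post type, read from the post itself rather than $_POST.
        if ( 'post' !== get_post_type( $post_id ) ) {
            return;
        }
        // 2. Autosaves and revisions also fire save_post; skip them.
        if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
            return;
        }
        // 3. The nonce must be present and valid for our action (rejects forged requests).
        if ( ! isset( $_POST['authors_quick_tabs_nonce'] )
            || ! wp_verify_nonce( $_POST['authors_quick_tabs_nonce'], 'authors_quick_tabs_save' ) ) {
            return;
        }
        // 4. A nonce proves the request came from our form, not that the user may edit this post.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            return;
        }
        // 5. Sanitize before storing the submitted value.
        if ( isset( $_POST['authors_quick_note'] ) ) {
            $note = sanitize_text_field( wp_unslash( $_POST['authors_quick_note'] ) );
            update_post_meta( $post_id, '_authors_quick_note', $note );
        }
    }
}

new Authors_Quick_Meta_Box_Example();
```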
Maintainable code is certainly an indispensable need of the modern development world. Thus, verifying it becomes a crucial task.
Feel free to share your queries!
Great information by author. We would like to recommend your blog to others.