[wp-hackers] Delete Row - Refreshes Page but not DB

Nikola Nikolov nikolov.tmw at gmail.com
Sat Oct 19 20:54:19 UTC 2013


What do you mean by "ajax is not supported unless I register people as
admins"?

Does the AJAX never occur, or does the AJAX not trigger the deletion of the
rows?

If the AJAX doesn't occur - then you should look at the code that prints
the AJAX itself - you probably have some sort of a check there that decides
whether to print out the JS or not.

If the deletion of the rows doesn't happen, then it's the code that deletes
the rows that doesn't work.

Also - if you're going to let all kinds of users delete data, you should
make sure that they actually have the right to delete that data or not (for
instance, check if "is_super_admin()" and if that's true - allow them to
delete without further checks - if it's false, check if the record they're
trying to delete actually belongs to them).


On Sat, Oct 19, 2013 at 11:37 PM, Gregory Lancaster <
greglancaster71 at gmail.com> wrote:

> Well it finally all works... and then I tested the user accounts and ajax
> is not supported unless I register people as admins. I know I can add a
> user role, but is it possible to give them the ability to use ajax?
>
>
> On Sat, Oct 19, 2013 at 11:32 AM, Gregory Lancaster <
> greglancaster71 at gmail.com> wrote:
>
> > like this?
> >
> > jQuery( document ).ready( function( $ ) {
> >
> >         // When a button is clicked within the table with id="mytable"
> >         $( '#mytable button' ).click( function( event ) {
> >
> >                 event.preventDefault();
> >
> >                 if ( ! confirm( 'Are you sure you want to continue' ) )
> >                         return;
> >
> >                 var $button = $(this);
> >                 var nonce = $( this ).attr('data-nonce');
> >                 var rowID = $( this ).attr('value');
> >                 var file = $( this ).attr('file');
> >
> >                 $button.closest("tr").css('background-color', '#C60').fadeIn();
> >
> >                 var data = {
> >                         'action': 'my_delete_row_action',
> >                         'id': rowID,
> >                         'file': file
> >                 }
> >
> >                 $.post(
> >                         ajaxurl,
> >                         data,
> >                         function ( response ) {
> >                                 if ( ! response.success ) {
> >                                         alert( 'Failure!' );
> >                                 }
> >
> >                                 $button.closest("tr").hide();
> >                         }
> >                 );
> >         });
> > });
> >
> > and my remove_row function would function like this?
> >
> > function my_delete_row_action() {
> >     global $wpdb;
> >
> >     if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
> >         exit( 'Cheatin, huh?' );
> >     }
> >
> >     $id = $_POST['id'];
> >     $file = $_POST['file'];
> >
> > seems to fail regardless if I change an item or not.
> >
> >
> > On Sat, Oct 19, 2013 at 11:16 AM, Nikola Nikolov <nikolov.tmw at gmail.com
> >wrote:
> >
> >> So something like this is what you should use instead:
> >>
> >> <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> >> file="<?php echo $row['file']; ?>" data-nonce="<?php echo wp_create_nonce(
> >> 'delete_' . $row['id'] . '_' . $row['file'] ); ?>"
> >> class="delete-box"><span
> >> class="glyphicon glyphicon-remove"></span></button>
> >>
> >> You would have to add the value of the data-nonce attribute to your AJAX
> >> request (in the below example its value is set to the 'nonce' parameter)
> >> and then on the PHP side of the request, you should do this:
> >>
> >> if ( ! wp_verify_nonce( $_POST['nonce'], 'delete_' . $id . '_' . $file ) ) {
> >>     exit( 'Cheatin, huh?' );
> >> }
> >>
> >> This way if someone changes the value of the file OR "value" attributes,
> >> they won't be able to delete the item they were trying to delete.
> >>
> >>
> >> On Sat, Oct 19, 2013 at 8:56 PM, J.D. Grimes <jdg at codesymphony.co>
> wrote:
> >>
> >> > Yes, you should be using nonces -
> >> > http://codex.wordpress.org/WordPress_Nonces
> >> >
> >> > On Oct 19, 2013, at 1:53 PM, Gregory Lancaster <
> >> greglancaster71 at gmail.com>
> >> > wrote:
> >> >
> >> > > Yep, I had to add true.  So all this is executing based on the values of
> >> > > this button:
> >> > > <button type="submit" name="deleteItem" value="<?php echo $row['id']; ?>"
> >> > > file="<?php echo $row['file']; ?>" class="delete-box"><span
> >> > > class="glyphicon glyphicon-remove"></span></button>
> >> > >
> >> > > But couldn't someone just change the values of the fileid or rowid and
> >> > > delete other people's content?
> >> > >
> >> > >
> >> > > On Sat, Oct 19, 2013 at 10:40 AM, J.D. Grimes <jdg at codesymphony.co>
> >> > wrote:
> >> > >
> >> > >> Hey man, that's tough. I'm glad you've got the code working though.
> >> > >>
> >> > >>> I finally got JD's code working but I have to place this in my
> >> > >>> functions for ajax to work:
> >> > >>>
> >> > >>> add_action('wp_head','custom_head');
> >> > >>>
> >> > >>> function custom_head()
> >> > >>> {
> >> > >>>      echo '';
> >> > >>> }
> >> > >>>
> >> > >>>
> >> > >>> Is that alright?  Otherwise I get ajaxurl undefined error.
> >> > >>
> >> > >> I'm not sure why this would have an effect… If you are using the
> >> > >> code on the front end of your site, ajaxurl won't be defined - it is
> >> > >> only defined by default in the administration panels. You would need
> >> > >> to use wp_localize_script().
> >> > >>
> >> > >>> Additionally, the json response works too! However one query always
> >> > >>> fails.
> >> > >>>
> >> > >>> $file = $_POST['file'];
> >> > >>> $del_image = wp_delete_attachment( $row['file'] ); - fail
> >> > >>>
> >> > >>> I also tried this as an sql query:
> >> > >>>
> >> > >>> $file = $_POST['file'];
> >> > >>> $fileQry = $wpdb->prepare("DELETE FROM wp_posts WHERE id = %s", $file);
> >> > >>> $go_fileQry = $wpdb->query($fileQry);
> >> > >>>
> >> > >>> It still fails.  It IS possible to run multiple queries this way
> >> > >>> right?
> >> > >>
> >> > >> Is it completely failing? The wp_delete_attachment() call will only
> >> > >> move the attachment to the trash by default - if you want to delete it
> >> > >> permanently you need to set the second parameter to true.
> >> > >>
> >> > >> -J.D.
> >> > >> _______________________________________________
> >> > >> wp-hackers mailing list
> >> > >> wp-hackers at lists.automattic.com
> >> > >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >> > >>
>
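
The nonce check and the ownership check discussed in this message, put together in one AJAX handler. This is an added example, not code posted by anyone in the thread. It assumes a hypothetical table `{$wpdb->prefix}my_items` with columns `id`, `user_id` and `file` (an attachment ID), and that the client posts the button's `data-nonce` value as `nonce` alongside `id` and `file`.

```php
<?php
// Added example, not from the thread. Hypothetical schema (an assumption):
// {$wpdb->prefix}my_items( id, user_id, file ), where `file` is an attachment ID.

// Only the wp_ajax_ hook is registered (no wp_ajax_nopriv_), so requests from
// visitors who are not logged in never reach the handler.
add_action( 'wp_ajax_my_delete_row_action', 'my_delete_row_action' );

function my_delete_row_action() {
    global $wpdb;

    // Read the request values first, so the nonce action string is built
    // from what the client actually sent.
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $file  = isset( $_POST['file'] ) ? absint( $_POST['file'] ) : 0;
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    // 1. Nonce: ties the request to the id/file pair the button was rendered
    //    with, for the current user and session.
    if ( ! $id || ! wp_verify_nonce( $nonce, 'delete_' . $id . '_' . $file ) ) {
        wp_send_json_error( 'Invalid request.', 403 );
    }

    // 2. Authorization: a nonce is not a permission check, so look the row up
    //    and compare its owner with the logged-in user.
    $table = $wpdb->prefix . 'my_items'; // hypothetical table name
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT user_id, file FROM {$table} WHERE id = %d", $id )
    );
    if ( ! $row ) {
        wp_send_json_error( 'Not found.', 404 );
    }
    if ( ! is_super_admin() && (int) $row->user_id !== get_current_user_id() ) {
        wp_send_json_error( 'Not allowed.', 403 );
    }

    // 3. Delete using the attachment ID stored with the row rather than the
    //    one supplied in the request.
    $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( $row->file ) {
        wp_delete_attachment( (int) $row->file, true ); // true = bypass the trash
    }

    wp_send_json_success();
}
```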

