[wp-hackers] is there a way to make sure that a shortcode can be used only by certain userroles?

Nikola Nikolov nikolov.tmw at gmail.com
Tue Nov 12 21:42:19 UTC 2013


Since the regex that matches shortcodes is quite complex, I can suggest to
you the following VERY ugly hack :)

function filter_out_protected_shortcode( $content ) {
    // Check to see if the current user can or can't do a specific task
    // it would probably be different in your case
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        global $shortcode_tags;
        // Back-up the currently registered shortcodes
        $_sc_tags = $shortcode_tags;

        // Change the shortcode's handler to return an empty string instead
        // of the actual content
        $shortcode_tags = array( 'xyx' => '__return_empty_string' );

        // Now, since we overrode the $shortcode_tags variable
        // Only the [xyx] shortcode will be parsed - and it will be replaced
        // with an empty string :)
        $content = do_shortcode( $content );

        // Restore the original shortcode handlers
        $shortcode_tags = $_sc_tags;
    }

    return $content;
}
add_filter( 'content_save_pre', 'filter_out_protected_shortcode', 10 );

So what happens here is that we hook to the "content_save_pre" filter as
Jesse suggested.
We then check if the user can use that shortcode. If they can't, we
override the global $shortcode_tags variable to only contain our shortcode
with a callback "__return_empty_string" - which as the name suggests
returns an empty string.
After that, we parse the content and if the shortcode was found there - it
will be replaced with an empty string.

This is not a perfect solution, since if the shortcode was surrounded by
two empty lines (one before and one after), you would get three empty lines.

I haven't tested that code, but it should in theory work.

Also - the chances are that no shortcodes would be parsed for that
request (since that's a request for updating/saving a post) and you can skip
the copying/restoring of the $shortcode_tags variable, but I always prefer
to put things back together the way I found them, than to leave them
messy (debugging something like that is a pain).

Well, that's about it - it's an UGLY hack, but I believe that the core
handling of the shortcodes is better than anything that I would come up
with regex-wise (and I'm generally somewhat decent in writing those).


On Tue, Nov 12, 2013 at 10:08 PM, Jesse Friedman <
highfive at jesserfriedman.com> wrote:

> You could filter the content when the post is saved and if the user doesn't
> have the right permissions, then I strip the shortcode or present a
> warning.
>
> you could try using
> http://codex.wordpress.org/Plugin_API/Filter_Reference/content_save_pre,
> then maybe some regex to find the shortcode and strip it out
>
>
> On Tue, Nov 12, 2013 at 2:57 PM, Haluk Karamete <halukkaramete at gmail.com
> >wrote:
>
> > What I mean by that is this...
> >
> > let's say there is an admin-editors-only shortcode. let's call it "xyx"
> > shortcode for the sake of an example.
> >
> > is it possible to have a contributor or author to not to be able to use
> > that shortcode? they all get stopped with a warning that the post cannot be
> > saved (or created) because it contains the "xyx" shortcode!
> >
> > to cover all the possibilities (such as posting thru email, or thru some
> > other esoteric ways), what is the best hook(s) that I need to watch out so
> > that there are no loopholes left...
> >
> > I hope it was clear and did not confuse you...
> > thank you
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
>
>
>
> --
> thanks
>
> *jesse friedman*
> jes.se.com
> Book: Web Designers Guide to WordPress - http://wdgwp.com/onamazon
> Twitter: @professor <http://twitter.com/professor>
> Facebook: Like <https://www.facebook.com/pages/Jesse-Friedman/204793299545174>

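The save-time filter in the message above only acts on content that passes through content_save_pre. As a complementary check (an added example, not part of the original thread), the [xyx] handler itself can refuse to render unless the post's author holds the capability, whatever route the post took into the database. The function names and the placeholder output are hypothetical; 'xyx' and 'edit_others_posts' are taken from the thread.

```php
<?php
// Added example: render-time guard for the [xyx] shortcode.
// Hypothetical names: xyx_render, xyx_author_is_allowed, xyx_guarded_handler.

/**
 * Stand-in for the real [xyx] handler; replace the body with whatever
 * the shortcode is supposed to output.
 */
function xyx_render( $atts, $content = null ) {
    return '<div class="xyx">' . esc_html( (string) $content ) . '</div>';
}

/**
 * Decide whether [xyx] may render in the post being displayed.
 * The decision is based on the post's author, not on the visitor.
 */
function xyx_author_is_allowed() {
    $post = get_post();
    if ( ! $post instanceof WP_Post ) {
        // No post context (for example a text widget): fail closed.
        return false;
    }

    $author_id = (int) $post->post_author;
    if ( $author_id <= 0 ) {
        // Post without an author on record: fail closed.
        return false;
    }

    // Same capability the save-time filter checks for the current user.
    return user_can( $author_id, 'edit_others_posts' );
}

/**
 * Registered in place of the real handler; delegates only when allowed.
 */
function xyx_guarded_handler( $atts, $content = null ) {
    if ( ! xyx_author_is_allowed() ) {
        return '';
    }
    return xyx_render( $atts, $content );
}
add_shortcode( 'xyx', 'xyx_guarded_handler' );
```

Because the check follows post_author, [xyx] inserted by a privileged user into a post owned by a contributor or author will not render until the post's author is changed.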