How Do I Detect A WordPress Admin Panel in my Plugin?

I've got two events in my plugin. One is run for the front-end. The other is run for the admin panel. Both call the same function in one particular situation, and this echoes stuff to the screen. How do I make it such that the function is smart, calls something in WordPress, and detects whether it's being loaded in the front-end versus the admin panel? I don't want it to echo stuff to the screen on the front-end, but do want it to do so on the admin panel. Right now, it's echoing on both, which is not what I want.
Background
For the front end (the side of the site that the visitor sees), I'm intercepting the 'wp' event and checking for:
( is_single() || is_page() || is_home() || is_archive() || is_category() || is_tag())
For the admin panel, I'm intercepting the 'admin_menu' event. I tried intercepting the is_*() stuff above, but it seems to somehow answer TRUE or something, not giving me a difference between front-end and admin panel.

Use is_admin() to detect when the Dashboard or the administration panels are being displayed.
More conditional tags documented here: http://codex.wordpress.org/Conditional_Tags

is_admin() appears to return true, if you are logged in as administrator but are accessing a front-end page of the blog. I'm also trying to have my plugin detect if an admin page is displayed or not, and is_admin() is failing to behave as expected, evidently because I'm simultaneously logged in as administrator.
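An added example (PHP), not code from the question or from either answer; the plugin name, the `acee_` prefix and the `manage_options` capability are assumptions. It shows the front-end and admin hooks calling one shared routine whose output is gated on request context with is_admin() and, as a separate test, on capability. is_admin() answers "is this request for an admin screen?", not "is the current user an administrator?", so it stays false for an administrator reading a public post and becomes true for admin-ajax.php requests, which front-end JavaScript can fire:

```php
<?php
/*
 * Plugin Name: Admin Context Echo Example (hypothetical, added illustration)
 */

// Shared routine called from both hooks. is_admin() is a request-context
// test: false for a logged-in administrator viewing a public post, true for
// admin-ajax.php requests that front-end JavaScript can trigger. The
// capability check is therefore a separate, second gate.
function acee_render_notice() {
    if ( ! is_admin() || wp_doing_ajax() ) {
        return; // front end or AJAX request: emit nothing
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // inside wp-admin, but not an administrator (assumed capability)
    }
    echo '<div class="notice notice-info"><p>'
        . esc_html__( 'Rendered only on admin screens.', 'acee' )
        . '</p></div>';
}

// Front-end path: 'wp' fires after the main query is parsed, so the is_*()
// conditionals are meaningful here. The routine returns early because
// is_admin() is false on the public site.
add_action( 'wp', function () {
    if ( is_single() || is_page() || is_home() || is_archive() || is_category() || is_tag() ) {
        acee_render_notice();
    }
} );

// Admin path: the same routine. 'admin_notices' is used instead of the
// question's 'admin_menu' because admin_menu fires before the admin page
// header is sent, so echoing there puts output ahead of the <html> markup.
add_action( 'admin_notices', 'acee_render_notice' );
```

wp_doing_ajax() exists since WordPress 4.7; on older installs the equivalent test is `defined( 'DOING_AJAX' ) && DOING_AJAX`. The point for the comment above: if is_admin() seems true on the front end, check whether the code path is an admin-ajax.php request rather than the page itself.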

Related

Test invisible recaptcha

We have integrated invisible recaptcha in one of our websites. Whenever we submit the form it automatically submits.
I read in some google groups that we would get a challenge when accessed on edge browser. But for us, it is automatically submitted.
Any specific steps to test the invisible recaptcha?
You can test invisible recaptcha by using Chrome emulator.
You will need to add a new custom device (BOT) in developer tools, and set User Agent String to Googlebot/2.1 on Desktop. Then use the new BOT device when testing on your site to trigger the recaptcha authentication.
Note: ReCaptcha v3 will still let the google bot pass as it has a score of 0.9 when emulating in Chrome.
V2 INVISIBLE
In this case just use Incognito or Private browsing to see it works.
Here is the testing link where ReCaptcha is working:
https://www.google.com/recaptcha/api2/demo?invisible=true
Please give the credits to the guys in comments below.
I found an excellent answer that works as of 2018-08-27.
In Chrome, hit F12 to open the Developer Console. Next, toggle the Device Toolbar, select a device and click Edit... Now, add a new device with the following configuration:
Once you hit save and use the new device, the ReCaptcha should open a modal requiring the user to match images.
Credit: This answer was originally posted on https://www.tectite.com/fmhowto/test-invisible-recaptcha.php?WWWTECTITE=p32j2na5otc4rmtbmfsmf9rci6
May 2021
Everyone was talking about using the demo page to test it out. What we get after testing, and how it should look, is what everyone misses out. Or probably that's why most of us are still searching for the answer.
Even though this question is 3 years old, it's still not clear how this recaptcha works. I am trying my best to break it into steps. Let me know if it works for you.
Google Demo page test
Important
Follow the steps below in the Incognito window
with the parameter
1. Go to this url https://www.google.com/recaptcha/api2/demo?invisible=true (notice the url has the ?invisible=true parameter at the end)
2. You should see nothing but a pre-filled form with an active 'Submit' button and no 'checkbox' captcha; instead you will see the badge at the bottom right.
3. Click the 'Submit' button and you should see something like this. This is the verification check point.
4. Select the relevant image and the page should redirect with the message saying
Verification Success... Hooray!
But what if you didn't see any image?
If you are not seeing any verification image and the form submits with
Verification Success... Hooray!
then either the form is not working (mostly that's not the case) or you need to clear your browser cache and try again.
without the parameter
1. Go to this url, https://www.google.com/recaptcha/api2/demo (notice, I have removed the ?invisible=true parameter from the url)
2. You should see the good 'ol robot checkbox captcha above the 'Submit' button.
3. Also you can notice there won't be a captcha badge at the bottom right.
Your Website
Try it in the Incognito window
Just like the demo you should get the same result in your website if you use invisible captcha. (Don't worry about the url parameters)
If your page displayed the captcha badge at the bottom right then after clicking the 'submit' button you should see the popup image window.
If you do not get any popup and the form submits, then there's an issue with your captcha, or it could be browser cache.
Not seeing the checkbox ... ?
Here are some notes from reCaptcha help page - https://support.google.com/recaptcha#6223828
If you're seeing this reCAPTCHA challenge, your browser environment doesn't support the reCAPTCHA checkbox widget.
There are a few steps you can take to improve your experience:
Make sure your browser is fully updated (see minimum browser requirements)
Check that JavaScript is enabled in your browser
Try disabling plugins that might conflict with reCAPTCHA
Please note that some sites may have incorrectly integrated with reCAPTCHA - in this case please contact the site's webmaster.
WordPress Contact Form 7 users
You do not need to add the [recaptcha] tag.
reCAPTCHA v3 doesn’t need a CAPTCHA widget (the “I’m not a robot” checkbox used in reCAPTCHA v2) to work, so [recaptcha] form-tags are no longer necessary. If [recaptcha] form-tags are found in a form template, Contact Form 7 5.1 or higher ignores them and replaces them with an empty string.
https://contactform7.com/recaptcha/
As of 2019-06-21, it appears that it is sufficient with Google Chrome (v74.0.3729.169) to bring up a new incognito window to force the recaptcha to execute. (I had needed this for our own recaptcha testing, so I'm glad I found it.)
I am still struggling a little bit with this but I found that the following things make invisible recaptcha puzzle more likely to appear:
Log into the recaptcha admin and set it to maximum security
Open your site from an incognito tab.
Sometimes leaving the login page open and trying to login after some time has passed seems to trigger the recaptcha puzzle.
I must admit though that these don't work all of the time and there are times that I really struggle to get it to work.
Update: It seems a bit strange but I have found that the invisible ReCaptcha is more likely to appear when I submit a form using the Enter key instead of pressing a button with the mouse.
Invisible recaptcha check fails if you try to access your page via automated tests (in my case Chrome browser) since Chrome has a feature to recognize if the browser is controlled by such software... so try to create easy tests in Python or Java (+webdriver) to see if recaptcha is implemented correctly.
If you did not implement the code yourself, the first thing to check is the source code, see if reCaptcha is actually loaded. When using a CMS, I search for this line (or similar):
<script type='text/javascript' async defer src='https://www.google.com/recaptcha/api.js?onload=renderInvisibleReCaptcha&render=explicit&hl=de-CH'></script>
If you have the luxury of a VPN, switch to a bad rep IP or country or an IP commonly used for P2P. This works for me most of the time.
Go through the steps to test the re-captcha with dev tools open. Go to the network tab and find the POST where the form is submitted. Right click that line and copy as cURL.
Paste into the CLI and voila, you get the failure and the output of the cURL is the HTML that the server sent back.
2022 Answer that worked for me!
Please do give this one a go as it's the only one that actually worked for me after hours of testing.
Go to your reCAPTCHA admin account: https://www.google.com/recaptcha/admin/
Go to your site settings
Move the "Security Preference" slider all the way to the right to make reCAPTCHA trigger more often
Open an Incognito window, or even better a secure web browser with a built-in encrypted proxy (I think this makes reCAPTCHA more suspicious of your browser) - I used a browser called Epic Browser, which is also Chromium based: https://www.epicbrowser.com/. Note: Just using Incognito on Chrome did not work for me, hence why I went to use Epic.
Attempt to submit your form - you should hopefully receive the popup check!
As others mentioned you can also test if the browser alone triggers reCAPTCHA check by going to https://www.google.com/recaptcha/api2/demo?invisible=true and submitting the form.
This finally helped me as I was going crazy thinking my reCAPTCHA setup was not working and that I coded something wrong... But no, it was working! Just not very suspicious apparently.
I hope this helps someone as it did me!
The way I tackled it:
Go to your POST to google.com/recaptcha/api/siteverify
Before the response is returned, set the success property in the response to false.
I'm using Guzzle in Laravel (thanks to this example):
    // Guzzle (Laravel) call to siteverify; the success flag is overwritten
    // afterwards so the application's failure path can be exercised in a test.
    $response = $client->post('https://www.google.com/recaptcha/api/siteverify', [
        'query' => [
            'secret'   => env('RECAPTCHA_V3_SECRET_KEY'),
            'response' => $value,
            'remoteip' => $_SERVER['REMOTE_ADDR'],
        ],
    ]);
    $body     = $response->getBody();
    $contents = json_decode($body->getContents());
    $contents->success = false; // force the failure branch for testing
    return $contents;
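The answer above flips `success` to exercise the failure path. As an added illustration (PHP, not code from the answer or from Google), the block below shows what the server should check in a real siteverify reply besides `success`: that `hostname` is the site's own host, that `challenge_ts` is recent, and for v3 that `action` and `score` are as expected. The hostname, score threshold, maximum age and the sample reply bodies are constructed assumptions; the decision logic is kept in a pure function so it can be tested offline with fabricated bodies exactly as the answer does.

```php
<?php
// Added example: evaluating a decoded reCAPTCHA siteverify response.
// Constants below are assumptions chosen for the demo.
const RECAPTCHA_EXPECTED_HOSTNAME = 'www.example.com'; // placeholder for your host
const RECAPTCHA_MIN_SCORE         = 0.5;               // v3 only; assumed threshold
const RECAPTCHA_MAX_AGE_SECONDS   = 120;               // assumed replay window

/**
 * Decide whether a decoded siteverify body should be accepted.
 * Returns an empty array on success, otherwise the list of reasons it failed.
 * Checks: success flag, hostname binding, challenge age, and (v3) action/score.
 */
function recaptcha_evaluate(array $body, string $expected_action = '', int $now = 0): array {
    $now = $now ?: time();
    $reasons = [];

    if (empty($body['success'])) {
        $reasons[] = 'success=false: ' . implode(',', $body['error-codes'] ?? ['no-error-codes']);
        return $reasons;                                  // nothing else is meaningful
    }
    if (($body['hostname'] ?? '') !== RECAPTCHA_EXPECTED_HOSTNAME) {
        $reasons[] = 'hostname mismatch: ' . ($body['hostname'] ?? '(none)');
    }
    $ts = strtotime($body['challenge_ts'] ?? '');
    if ($ts === false || $now - $ts > RECAPTCHA_MAX_AGE_SECONDS) {
        $reasons[] = 'challenge missing or older than ' . RECAPTCHA_MAX_AGE_SECONDS . 's';
    }
    if ($expected_action !== '') {                        // v3 replies carry action and score
        if (($body['action'] ?? '') !== $expected_action) {
            $reasons[] = 'action mismatch';
        }
        if ((float)($body['score'] ?? 0) < RECAPTCHA_MIN_SCORE) {
            $reasons[] = 'score below threshold';
        }
    }
    return $reasons;
}

/** Post the token to Google with curl; returns the decoded body, or null on transport failure. */
function recaptcha_siteverify(string $secret, string $token, string $remoteIp): ?array {
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret' => $secret, 'response' => $token, 'remoteip' => $remoteIp,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $raw = curl_exec($ch);
    curl_close($ch);
    return is_string($raw) ? json_decode($raw, true) : null;
}

// Constructed sample bodies standing in for real siteverify replies.
$now         = strtotime('2021-05-01T12:00:00Z');
$good        = ['success' => true, 'challenge_ts' => '2021-05-01T11:59:30Z', 'hostname' => 'www.example.com'];
$replayed    = ['success' => true, 'challenge_ts' => '2021-05-01T10:00:00Z', 'hostname' => 'www.example.com'];
$wrong_host  = ['success' => true, 'challenge_ts' => '2021-05-01T11:59:30Z', 'hostname' => 'other.example'];
$forced_fail = $good;
$forced_fail['success'] = false;                          // the answer's forced-failure trick

foreach (['good' => $good, 'replayed' => $replayed, 'wrong-host' => $wrong_host, 'forced-fail' => $forced_fail] as $name => $body) {
    $reasons = recaptcha_evaluate($body, '', $now);
    printf("%-12s %s\n", $name, $reasons ? 'REJECT (' . implode('; ', $reasons) . ')' : 'ACCEPT');
}
```

In production, `recaptcha_evaluate(recaptcha_siteverify($secret, $_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR']) ?? [])` returns an empty array only for a fresh, host-bound, successful verification; a null transport result decodes to an empty body and is rejected as `success=false`.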

Spring/GWT :Permission control on UI side

I am writing a simple web page, which shows some widgets based on user permission. If the user has EDIT permission, the page renders the EDIT widget, else the EDIT widget doesn't show up.
What is the best way to achieve this?
I first called a service to get the logged-in user's permission and then set visibility: none or block based on the permission. But I see that the user can "inspect element" in the browser and set visibility accordingly. However, on the server side, I am using the @PreAuthorize annotation on the DAO to control the user actions.
How to control visibility of UI widgets without user being able to make changes, maybe from server side?
Update : I am looking for JSTL equivalent in GWT
AFAIK there is no JSTL equivalent for GWT.
However there are some 3rd party (i.e. ArcIS) libraries that make display/hiding UI elements based on user permissions more convenient.
However no matter whether you do it manually or using a library you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method level security).
One important thing to remember when dealing with client side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend
In my opinion, it really does not matter if the user could theoretically inspect the edit button, for example using Browser Dev Tools, and make it visible, as long as the edit action on the backend is properly secured. If you are really that concerned you can remove the elements (i.e. the edit button) from the DOM instead of hiding them, but it won't make it more secure.
I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission.
Well instead of setting the visibility none or block, assuming you are using JSP, use JSTL tag
<c:if test="${if the user has permission}">Show widget UI code</c:if>
If the page has n widgets for which the user doesn't have permission, why would you load the code for all the n widgets? It's non-performant.
write a panel that shows its contents based on security settings in the client code
add the widgets to be controlled inside the security panel
the panel will now control the appearance of the children based on security in your client code
As has been mentioned before, and has been recognized by you, client security is only visibility control and thus not sufficient to protect the app.

Is it Good Practice to refresh the whole Page or Just reset the variables when user logged out (GWT)?

Here is my Gwt App, I have many pages: CustomerPage, OrderPage,... Each of these pages will have a header that have a Login Panel on top & its own content in the middle like this:
1- Customer Page
____________UserName...... Password....... Login
Customer Content here.....
2- Order Page
____________UserName...... Password....... Login
Order Content here.....
This means user can sign in in any page, they don't need to go to homepage to sign in.
Then here is my question, When user is in a certain page (ex: CustomerPage) & if they Log out then:
1- Should I refresh the whole page or redirect users to a Logout Page, so if they want to reopen the CustomerPage, then the page will have to go through all the Initializing processes (onBind-onReveal-onReset...)
2- Should I just let the user stay where they are, and when the user clicks the logout button then the system will reset variables. By doing that, if the user logs back in, the page will run faster because it doesn't have to go through all the (onBind-onReveal-onReset...). However, if I do that then it is quite difficult for me to reset all the variables. I have to remember which variables were already initialized at the time the page got logged in and try to reset them to null or empty string. If I miss resetting just 1 variable then I will have trouble.
Some big site like Google or Facebook are using the solution 1, ie when user signs out it will redirect to new page or go back to homepage.
Also If adopting the solution 1, then i just need to call Window.Location.reload(); & it will reset everything. Even user clicks Back Arrow, they won't be able to see the old data since everything was reset.
So:
Is it Good Practice to redirect to a new Page or staying at the same page When user logged out (GWT)?
When users click on a Logout button, they expect that they can walk away from a computer. If you continue to show the same page, someone else might gain access to the data.
The universally accepted approach is to hide all data (i.e. redirect to the login/home page or close the app completely) when a user logs out. That's what users expect, and this is what you must do.
It depends what you've got loaded into the browser. Log in/out via a page refresh will be slower and present lag to your user. If you properly cleanup after yourself on logout (delete server side session, unbind presenters, clear caches) then it is really optional to refresh the page.
The universally accepted approach is to hide all data (i.e. redirect to the login/home page or close the app completely) when a user logs out. That's what users expect, and this is what you must do.
If your session management server side prevents any RPCs once you've logged out, and you no longer present/cache data, this is not an absolute necessity. Use discretion based on your app's needs, size, load time, and the sensitivity of the data it conveys.

How to 'Like-gate' with OmniAuth Facebook, Sinatra and Datamapper

For an app I'm building I need to be able to determine a Facebook user's relation to the page within which the app is being shown. I hope to provide the following functionality:
1) If the user likes the page, direct them to another page
2) If the user doesn't like a page, direct them to another page
3) If the user is an admin of the current page, direct them to another page
The Auth Hash schema (https://github.com/intridea/omniauth/wiki/Auth-Hash-Schema) doesn't provide info of how to access user likes, or indicate a way whether they: a) Like or don't like the current page, or B) are an admin of the current page.
Furthermore I've researched around the internet but cannot find any specific Ruby or Sinatra example of how to do this. The closest that I've come to is (https://github.com/chrissloan/sinatra-book/blob/master/app.rb), however this uses FBGraph (I'm using Omniauth-Facebook) and this script doesn't make any distinction between admin users of the page.
Therefore I'm wondering if my method of distinguishing between users on the page tab is inherently wrong and am wondering if there is another process of achieving the desired goals.
So in summary, I'm attempting to create:
A backend that is accessible by the app admin. When an app admin goes on the page, the admin panel is displayed.
A front end that displays whether the user has liked the page or not, and shows them specific content based upon this state - a 'like-gate'.
Thanks for reading and if you could help it would be very much appreciated.
Some code I've thought up, but from the docs I'm unsure of whether it is valid syntax or not. From begin is the experimental piece, the code above works and is currently being used.
    require 'sinatra'
    require 'json'

    get '/auth/:provider/callback' do
      content_type 'application/json'
      JSON.generate(request.env)
      auth = request.env["omniauth.auth"]
      puts auth
    =begin
      if auth['page']['admin'] == true   # ***not sure if admin is valid syntax***
        # check user database and move to admin side
      elsif auth['page']['liked'] == true
        # allow to download endpoint
      else
        auth['page']['liked'] = false
        # direct to wall to like
      end
    =end
    end
I solved this by authorising with OmniAuth and then getting the signed_request generated by Facebook when the user opens the app on a Facebook page.
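The signed_request the answer mentions is the only place the page relation (liked / admin) arrives from, and it arrives in a POST body the browser controls, so it must be signature-checked before any of it drives routing. The block below is an added illustration (PHP, the language of Facebook's own signed_request reference; not code from the question, the answer or OmniAuth) of that check: base64url-decode the two dot-separated parts, recompute HMAC-SHA256 over the encoded payload with the app secret, compare in constant time, and only then read `page.liked` and `page.admin`, the page-tab payload shape the question refers to. The app secret, the payloads and the `like_gate_route` helper are constructed for the demo:

```php
<?php
// Added illustration: verify a Facebook page-tab signed_request before acting
// on its page.liked / page.admin fields. The app secret and the payloads below
// are constructed for the demo; nothing here talks to Facebook.

function base64url_decode(string $s): string {
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);          // restore padding
    $out = base64_decode(strtr($s, '-_', '+/'), true);
    return $out === false ? '' : $out;
}

function base64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

/**
 * Split "<signature>.<payload>" and return the decoded payload only when the
 * HMAC-SHA256 over the encoded payload, keyed with the app secret, matches.
 * Anything else (bad shape, wrong algorithm, bad signature) yields null.
 */
function parse_signed_request(string $signed_request, string $app_secret): ?array {
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded_sig, $payload] = $parts;
    $data = json_decode(base64url_decode($payload), true);
    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    return hash_equals($expected, base64url_decode($encoded_sig)) ? $data : null; // constant-time
}

/** The routing the question asks for: 'admin', 'fan' or 'gate' (show the like wall). */
function like_gate_route(?array $data): string {
    if ($data === null) {
        return 'gate';                       // unverifiable request is treated as "not liked"
    }
    $page = $data['page'] ?? [];
    if (!empty($page['admin'])) {
        return 'admin';
    }
    if (!empty($page['liked'])) {
        return 'fan';
    }
    return 'gate';
}

/** Test helper: build a signed_request the way Facebook would, for a given secret. */
function make_signed_request(array $payload, string $secret): string {
    $encoded = base64url_encode(json_encode($payload));
    return base64url_encode(hash_hmac('sha256', $encoded, $secret, true)) . '.' . $encoded;
}

// --- constructed demo ---
$app_secret = 'APP_SECRET_PLACEHOLDER';
$fan = make_signed_request([
    'algorithm' => 'HMAC-SHA256',
    'issued_at' => 1600000000,
    'page'      => ['id' => '123', 'liked' => true, 'admin' => false],
], $app_secret);

// Same signature, tampered payload claiming admin: the HMAC no longer matches.
$forged = explode('.', $fan)[0] . '.' . base64url_encode(json_encode([
    'algorithm' => 'HMAC-SHA256',
    'page'      => ['id' => '123', 'liked' => true, 'admin' => true],
]));

foreach (['genuine' => $fan, 'tampered' => $forged] as $label => $sr) {
    printf("%-9s -> %s\n", $label, like_gate_route(parse_signed_request($sr, $app_secret)));
}
```

The genuine request routes to the fan view; the tampered one fails signature verification and falls through to the gate, which is the safe default. In a Sinatra app the same logic reads `params['signed_request']` from the POST Facebook makes to the tab URL; the secret must come from configuration, never from the client.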

What is the purpose of isFirstPageAfterLogin method in admin/session model?

I see where this method is being used, but I'm wondering who has an authoritative answer on the matter?
I know you said you know where, but I'm going to mention it here for completeness since you didn't... hope you don't mind! :)
The flag that isFirstPageAfterLogin() checks is set in the login() method that's called during the admin login process.
It is used in the following places:
Mage_Adminhtml_IndexController to store the value in the admin session so that it's still available on the first page load after the login form is submitted.
Mage_Adminhtml_Block_Notification_Window to determine whether or not to show the notices "window" that often shows after login.
A few actions on Mage_Adminhtml_Report_StatisticsController in order to redirect the user to the page they should be if their login routes them to one of the report refresh actions.
Mage_Core_Controller_Front_Action uses it to redirect a user back to the dashboard if their login routes them to an action that would send a download response, which frequently can rely on filter data that may or may not be available to the controller if it comes from the login.
So to recap, it's a very important flag that is used to control some behind the scenes behavior. The most important being redirecting to the correct login page and allowing for one-time notices to show upon login.
This value is used in Mage_Adminhtml_IndexController, specifically the indexAction(), and redirects the admin user to the start up page defined in System > Configuration > Advanced > Admin > Startup Page.
