2718.us blog » integration

WordPress 2.6 + bbPress 0.9.0.2

2718.us — Sat, 16 Aug 2008 23:48:33 +0000

In case anyone was still curious following my previous headache post, it is possible to integrate WP2.6 and bbPress 0.9.0.2. I say “possible” because while I’ve got it working as far as I can tell (without having modified core code in either WP or bbP), I haven’t really tested it and it’s a mess. More or less, a specially-crafted plugin for WP plus a specially-crafted plugin for bbP got me nearly there. The one hangup was the login cookie (the new one that is at the root of the site), which while my bbPress plugin seemed to be duplicating it, WP didn’t want to recognize it (I couldn’t find any difference between the cookie set by my bbP plugin and the one set by WP, but WP didn’t like mine anyway). I got around this by bypassing the bbP login mechanism entirely and using the WP login with a redirect back to bbPress.

Of course, it’s also annoying that while there’s a set_auth_cookie action hook, there’s no clear_auth_cookie, so my plugins had to override the clear_auth_cookie function wholesale rather than hooking into it as they do with set_auth_cookie.

If you have some twisted desire to make this unholy integration that I now seem to have working and would like some of my code, leave me a comment.

WordPress 2.6 is Giving Me a Headache

2718.us — Mon, 04 Aug 2008 03:30:08 +0000

Now, I’m really big on *not* complaining about new versions of things and I especially dislike the practice of complaining about how a new version of WordPress broke some plugin that is of dire importance to someone’s website, but WordPress 2.6 is starting to give me a headache. I’ve already posted thrice about issues with integrating an external site into WP2.6′s user authentication. Honestly, I consider that to be my own problem to solve and not WP’s fault, since I’m hooking into WP in a way that wasn’t intended, so I have no right to expect them to preserve my ability to (mis)use it.

However, I just came across this in the bbPress forums:

As of July 2008, do NOT try to integrate WordPress 2.6 with bbPress 0.9 Use WP 2.5.1 – the reason for this is simple – WordPress has radically changed the way cookies are used. If you have already installed WP 2.6, don’t worry you have not broken anything, you’ll just need to downgrade and install 2.5 instead. 2.5.1 is perfectly stable and has no known security issues – 2.6 only adds a few new features to WP. There is an updated version of bbPress in the works to support the new cookie method but it might be awhile before it’s available in a mainstream release.

Now, ostensibly, WP and bbPress are coming from the same people/place/company/organization/whatever, so I think I should be able to expect the one to work with the other and to *not* have the left hand tell me to ignore what the right hand is doing. This is almost enough (*almost*) to make me give up on trying to piece together a decent way to hook into the is_user_logged_in() thing for the non-WP part of the WP-based site I’m working on, since the bbPress part of the site won’t work even if I do fix the non-WP part of the site.

Hiding the WordPress Dashboard

2718.us — Thu, 10 Jul 2008 20:34:55 +0000

I use WordPress as the backbone of a site I run, including using it for user authentication. This means a lot of people who aren’t invovled in running the site are logging in and could see the dashboard. Now, it’s not that there’s anything really secret there, but it makes things look a lot less “finished” to have users deposited on a page that has no relevance to them. This is where the Hide Dashboard plugin from Patrick/DeepWave comes in. It does a nice job of getting users to their profile page and generally hiding most of the dashboard things that regular users don’t need to see.

I, however, wanted a little more. I wanted to make sure that regular users who might be, well, “curious” about the inner workings of the site and who have some knowledge of wp-admin URL structure to be unable to get at anything but their profile page. To this end, I added a little to the code:

// add after line 41, which reads: if(!current_user_can('level_10')){
if (strpos($_SERVER['REQUEST_URI'],'/wp-admin') !== FALSE
and strpos($_SERVER['REQUEST_URI'],'/wp-admin/profile.php') !== 0){
wp_safe_redirect('/wp-admin/profile.php');
}

This should redirect any non-admin user off of any /wp-admin* page to /wp-admin/profile.php. This might, however, cause issues for mid-level users (i.e. authors/editors/etc may not be able to access needed functions) and I haven’t tested it thoroughly and there might be a better way to do this. YMMV. See also some comment-discussion on these changes at the plugin’s own page: me Patrick me.

Another WordPress+bbPress Integration Gotcha

2718.us — Thu, 01 May 2008 21:37:29 +0000

Somehow (my best guess is it happened with the database update in the WP2.5.1 upgrade), the database secret, stored as “secret” and visible on /wp-admin/options.php, changed making the logins for bbPress and WordPress clobber each other (both apps using the same cookie, but each app rewriting the cookie with its own contents, rather than recognizing the other app’s contents). If you’re having trouble with WordPress 2.5.1 + bbPress 0.9.0.2, especially if you’ve already watched the cookies go by and are sure that both apps are using the same cookie, check your secret (in bbPress, it’s in Admin > Settings > WP Integration).

The SECRET_KEY in WordPress

2718.us — Thu, 24 Apr 2008 22:20:59 +0000

I’ve gotten into the habit of actually reading the various blogs to which there are links on my WordPress dashboard and I saw this today from boren.nu:

To make cookies secure against attacks where someone has managed to get into your database through an SQL injection exploit or other means, WordPress 2.5 introduced a user-definable constant called SECRET_KEY. If you look at the sample wp-config.php shipped with 2.5, you’ll see these lines.

// Change SECRET_KEY to a unique phrase. You won’t have to remember it later,
// so make it long and complicated. You can visit https://www.grc.com/passwords
.htm
// to get a phrase generated for you, or just make something up.
define(’SECRET_KEY’, ‘put your unique phrase here’); // Change this to a unique phrase

If you upgraded from a previous version of WordPress you probably won’t have these lines in your wp-config.php.

That last bit is, of course, the critical thing for me and had me going back and inserting SECRET_KEYs into all my older/upgraded WordPress installs. Just remember that if you’re integrating with bbPress, you have to match the SECRET_KEYs in wp-config.php and bb-config.php.

WordPress Authentication Gotcha: bbPress Integration

2718.us — Mon, 21 Apr 2008 04:42:51 +0000

I not only wanted to integrate my own other things into my WordPress-based site, but I wanted forums, too, so of course I thought of bbPress. It seems to integrate well with WordPress, but then suddenly strange things started happening with login and logout. For instance, when I logged in with bbPress, I couldn’t get WordPress to log me out and my integrated site didn’t work.

Ah-ha! A cookie problem–while I’d set the cookie domain for WordPress to allow subdomains to work, bbPress didn’t know about WordPress’s cookie settings, so bbPress didn’t set the right cookie domain. Worse, this meant that the cookie didn’t quite match up to what WordPress expected, so logging out in WordPress tried to blank a cookie that wasn’t set, not the login cookie set by bbPress. The fix is to add something like

$bb->cookiedomain = '.yoursite.com';

to bb-config.php (that is, match what you’ve set in WordPress). Not the most obvious way to set an option, but it works.