I'm looking for a way to prevent HTML form user modifications, based on this example:
"User" entity has an enum Role (User, Administrator etc.) and there's a UserController that displays a g:form for first, last and email. Controller's action does user.properties = params.
Now, a user can modify the HTML form with Firebug or Chrome Web Developer, rename the text field firstname to role, enter "Administrator" and be granted Administrator rights.
There's useToken="true" and the withForm closure, but this only seems to prevent the user from double-submitting the same form. Besides, this works with sessions and is therefore not really scalable over multiple servers.
I'm using Grails 2.3.6. Is there a way to prevent such things except not using xxx.properties = params?
You can give a list of allowed properties. For your example:
user.properties['first', 'last', 'email'] = params
You should always give the list for security. Search in the grails documentation for 'Data Binding and Security Concerns'.
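As an added illustration (not from the original thread), here is a Python model of Grails-style data binding: the vulnerable whole-map bind next to the allowlisted bind the answer recommends. The User class and the parameter names are constructed for the demo.

```python
# Added example: models "user.properties = params" (vulnerable) versus
# "user.properties['first', 'last', 'email'] = params" (allowlisted).
# The User class and the tampered request below are constructed for the demo.

class User:
    def __init__(self, first="", last="", email="", role="User"):
        self.first, self.last, self.email, self.role = first, last, email, role

def bind_all(user, params):
    """Vulnerable: binds every submitted key that matches a property."""
    for key, value in params.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user

ALLOWED_PROFILE_FIELDS = ("first", "last", "email")

def bind_allowed(user, params, allowed=ALLOWED_PROFILE_FIELDS):
    """Hardened: only the fields this form is meant to edit are bound.
    Returns the ignored keys so the caller can log the attempt."""
    ignored = sorted(k for k in params if k not in allowed)
    for key in allowed:
        if key in params:
            setattr(user, key, params[key])
    return ignored

# Constructed request: the "firstname" field was renamed to "role" in the browser.
TAMPERED_PARAMS = {"first": "Mallory", "last": "M", "email": "m@example.invalid",
                   "role": "Administrator"}

def demo():
    victim = bind_all(User(), dict(TAMPERED_PARAMS))
    safe = User()
    ignored = bind_allowed(safe, dict(TAMPERED_PARAMS))
    return victim.role, safe.role, ignored

if __name__ == "__main__":
    print(demo())  # ('Administrator', 'User', ['role'])
```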
I'm speaking of "post" as in the html method, not a blog post. This overlap in terminology is probably a good part of the reason I can't find what I'm looking for.
I have some admin pages set up with forms, using add_action('admin_post_something', 'my_function'); to handle saving the form data to the database. That all works marvelously.
Now I have a client-side piece that requires the user to be logged in to post data, but not necessarily be an admin. The admin_post_something hook will not work (returns page not found) because the user is not an admin. This is expected behavior.
What hook action should I use to process and store information coming from the client-facing portion of my site, and where should this function be located? Examples or links to documentation are appreciated.
Thanks
Inside your function which processes the POST data, you could have a conditional check to see if the form has been submitted. For example:
if ( isset( $_POST['a-hidden-field-name-in-your-form'] ) ) {
    // do something here because the form has been submitted
}
I am applying Spring Security on my JSP page. I need to show different parts of the page to users with different roles; the roles are as follows.
All authenticated users >> Edit and Add New
Admin > Delete and Edit and Add New
Anonymous > Add New
<sec:authorize access="isAuthenticated()">
    Code of add new and edit buttons
</sec:authorize>
<sec:authorize access="hasAnyRole('ADMIN')">
    Code to add new, edit and delete buttons
</sec:authorize>
<sec:authorize access="isAnonymous()">
    Code to add new
</sec:authorize>
I am wondering if there is any easier method. In this case, if I want to modify the access of a specific role I have to change its access rules in the security.xml file and in every page where I have set the role access.
For example, let's say I want to disable the Admin role's access to the delete button; then I have to change the code of security.xml and all the JSP pages where the Admin role was authorized to view the delete button.
Is there any easier method to do it!?
There can be a solution by using rights set which can be contained in role object as a collection.
After this implementation you can check the right permission for showing buttons and if you want to change anything in your security architecture, you can easily manage this by granting or revoking the rights from related role.
An example of this can be seen in the link below.
http://en.tekstenuitleg.net/blog/spring-security-with-roles-and-rights
I don't think there is a built-in solution for this. You could set up a fine-grained role system, assigning, say, an edit role, a delete role and so on. Then you can assign these roles more freely.
If you want to keep it easy for the user (like still only showing admin and user role) you might have to mask the actual roles behind a mapping between the roles and the titles shown to users.
Another approach would be to set up global parameters for each action (edit, delete, etc.) in which you specify the roles that shall be allowed for the action. This way you wouldn't hardcode the roles into your application but map them through the global parameters.
Looking forward to see if someone else comes up with a better idea.
Edit to specify the approach of mapping by global parameters (refined, the mapping would be stored in a DB, but that is going from an ad hoc solution to implementing an ACL):
With global parameters I just meant something like a rightsMapping.properties. In this file you would map something like that:
right.edit=ROLE_USER, ROLE_ADMIN
right.delete=ROLE_ADMIN
etc...
After that you can just insert the rights into the jsf pages using something like this:
<f:loadBundle basename="rightsMapping" var="rights"/>
....
<h:commandButton value="edit" .... rendered="hasRole(rights.edit)"/>
This is a pretty easy hands on solution which can be refined by using for example a mappings table in the DB, a Bean evaluating access rights, etc. But the basic idea of mapping the fine grained rights to the roles stays the same.
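As an added example (not from this answer or its linked code), the rightsMapping.properties idea above in Python: parse the "right.&lt;name&gt;=ROLE_A, ROLE_B" lines and decide which buttons a user's roles make visible. The mapping text is constructed to match the question's Admin / authenticated / anonymous rules.

```python
# Added example: externalized right-to-role mapping, parsed from a
# .properties-style text. The mapping below is constructed for the demo.

RIGHTS_MAPPING = """\
# constructed sample of rightsMapping.properties
right.add=ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN
right.edit=ROLE_USER, ROLE_ADMIN
right.delete=ROLE_ADMIN
"""

def parse_rights(text):
    """Return {right_name: set_of_roles}; only 'right.*' keys are read,
    comment lines ('#' or '!') and blank lines are skipped."""
    rights = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.startswith("right."):
            continue
        roles = {r.strip() for r in value.split(",") if r.strip()}
        rights[key[len("right."):]] = roles
    return rights

def has_right(rights, right, user_roles):
    """True if any of the user's roles is listed for the right.
    A right that is not in the mapping is denied rather than raising."""
    return bool(rights.get(right, set()) & set(user_roles))

def visible_buttons(rights, user_roles):
    """The buttons (rights) a page should render for these roles."""
    return sorted(r for r in rights if has_right(rights, r, user_roles))

if __name__ == "__main__":
    rights = parse_rights(RIGHTS_MAPPING)
    for roles in (["ROLE_ADMIN"], ["ROLE_USER"], ["ROLE_ANONYMOUS"]):
        print(roles, visible_buttons(rights, roles))
```

Revoking a right from a role is then a one-line change to the mapping rather than an edit to every page.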
I suppose that you have the same rights for Edit buttons everywhere in your app. In this case you can extract the authorization code into some custom tag (I recommend JSP tag files). For each edit button you will use your custom tag:
<customtags:hasEditPermission>
    Edit button code goes here
</customtags:hasEditPermission>
All permissions will be declared once in your hasEditPermission.tag:
<%@tag description="Edit permission tag" pageEncoding="UTF-8"%>
<sec:authorize access="hasAnyRole('ADMIN')">
    <jsp:doBody/>
</sec:authorize>
So in a case of new POWER_USER role you need to modify just one file:
<%@tag description="Edit permission tag" pageEncoding="UTF-8"%>
<sec:authorize access="hasAnyRole('ADMIN', 'POWER_USER')">
    <jsp:doBody/>
</sec:authorize>
You can prepare and use tags for "Add new" and "Delete" buttons too. Hope this helps.
This is probably what you are looking for, with sample code
In your case, you would have BF_ADD_XXX, BF_EDIT_XXX and BF_DELETE_XXX etc.
This allows you to grant/revoke particular permissions (or BFs or business functions or whatever you want to call them) to/from particular roles.
I am new to Struts2. I am working on a Struts2 with Spring application.
I developed user registration functionality. This registration process has 3 steps (3 forms). The first page is step1 and contains some fields, the second page is step2 and contains some other fields, and step3 contains some other fields. I used a session map in the action class to put all the field values of all forms. After submission of the form in step3 it calls a REST service and gives the response. If the response is OK then I am redirecting to the success page, step4. In some cases, if the user already exists, it gives the response "existed user" and then I am redirecting to the step5 page. In this page I used one message "Sorry the user already exists" and one link "Home Page".
I used this link <s:a id="next" href="/sample/register/user.action"> Homepage </s:a> in the step5 page. After clicking on this link it goes to the homepage (meaning the step1 page) fine, but it doesn't contain the user-entered values. I have to maintain all field values through the step1, step2, step3 process. How do I solve this problem?
Can anyone please give a suggestion?
If you are using a session map to persist values being entered by the user, I believe they should be available in the session until you have removed them from the session or the session expired. Moreover, when you do a redirect, a new request-response cycle is started by the framework and a new value stack will be created, which means all old values will be lost.
From your description I believe you are creating wizard-like functionality, and if this is the case I believe Struts2 provides a more elegant and flexible solution:
ScopeInterceptor
This is designed to solve a few simple issues related to wizard-like functionality in Struts
Still, you need to show how you are trying to show the values in the form filled in by the user if something fails, or when the user already exists in the system as described in your case. In this case you need to fetch the object/data from the session.
I'd like a good source on how to set up controller actions and forms for creating a resource inside the view of another resource that it belongs_to...
Set up your controllers as you would normally. You'll need to use the nested attributes feature of Rails. This enables you to create children objects at the same time as creating their parent using one form.
This is my go-to link for nested attributes. The only change you will need to make if you are running Ruby 1.9.2 is in the setup_person helper. returning has been deprecated so you can change it to:
def setup_person(person)
  person.tap do |p|
    p.children.build if p.children.empty?
  end
end
In typical Rails style, this will just work using standard controllers for each of your resources.
Other links
http://weblog.rubyonrails.org/2009/1/26/nested-model-forms
http://jeffperrin.com/2009/06/04/rails-nested-forms-and-collection_select/
I don't have a web source that documents what I usually do, but I created a gist that documents what I do most often here: https://gist.github.com/900241
The premise of the gist is that you have a project model with many project roles, and you want to edit many project roles in the project form. This is pretty much the classic accepts_nested_attributes_for scenario, and just about any page that talks about it will give you a decent writeup. The problem is, the solutions I've seen have always involved some seriously messy obtrusive JavaScript that escaped your entire form view and threw it in the onClick method of a link. I recently came up with a cleaner unobtrusive approach using jQuery templates.
You don't have to do a thing to your ProjectsController when you move to a nested model. Everything Just Works at the controller level, and you don't even need a ProjectRolesController. (This is why I didn't bother including them in the gist.) At the model level, it's just standard accepts_nested_attributes_for. Where it gets interesting is in the view.
The project form has two form_for blocks: one rendering a jQuery template, and another rendering the project roles form. The jQuery template in turn just renders the project roles form (mmm DRY!), but from within a <script> tag, and with a blank project role. Because the form is within a script tag, it won't get submitted along with the project form, and because the script type is "text/x-jquery-tmpl", this is completely valid markup.
When the user clicks on "Add a Project Role", it fires some jQuery that takes the form within the template, replaces the index with the current date (this is all so this project role can be uniquely identified), and appends it to the end of the project roles section of the form.
When the user clicks on "Delete" next to a project role, it checks to see if this project role is a new record, and if not, it appends a "_delete" hidden field to the end of the form. In either case, it removes the project role div from the DOM.
What if I have ChangePassword form with hidden ID field of the user.
BadPerson knows id of GoodPerson. He opens Change Password form with FireBug, changes his Id to GoodPerson's Id, so password changes for GoodPerson.
Of course I can create some server logic that will prevent this, but I think there should be some out of the box solution, which throws if hidden field been changed, which I don't know.
EDIT
Ok, Change Password is a bad example. Any edit form where I have id in hidden field has same problem.
I agree with Darin that forms authentication will take care of the specific problem mentioned above (changing a password). This answer is for the more general question of making sure that a hidden field's value is not changed.
The best solution to this is to include another hidden field which contains a hash of the first hidden field's value. That way if the 1st hidden field is changed you will know it. The generated HTML looks something like this:
<input id="productId" name="productId" type="hidden" value="1" />
<input id="productId_sha1" name="productId_sha1" type="hidden" value="vMrgoclb/K+6EQ+6FK9K69V2vkQ=" />
This article shows how to do it and includes source code for an extension Html.SecuredHiddenField which will take care of the logic for you.
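As an added example (not from this answer or the linked article), the companion-field idea above in Python. The sample HTML uses a plain SHA-1 digest; this version keys the digest with a server-side secret (an HMAC), because an unkeyed hash of the new value can simply be recomputed by whoever edits the form. The secret, field names and sample submissions are constructed.

```python
# Added example: a signed hidden field. The server renders the value plus an
# HMAC over (field name, value); on submit it recomputes and compares.
# SERVER_SECRET is a constructed placeholder, never a real key.
import base64
import hashlib
import hmac
from html import escape

SERVER_SECRET = b"constructed-demo-secret-replace-me"

def sign_field(name, value, secret=SERVER_SECRET):
    """Base64 HMAC-SHA256 over name and value; the name is mixed in so a
    signature cannot be moved from one hidden field to another."""
    msg = f"{name}\x00{value}".encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def render_hidden(name, value):
    """The two <input> tags the server emits (values HTML-escaped)."""
    sig = sign_field(name, value)
    return (f'<input name="{escape(name, quote=True)}" type="hidden" '
            f'value="{escape(value, quote=True)}" />\n'
            f'<input name="{escape(name, quote=True)}_sig" type="hidden" '
            f'value="{sig}" />')

def verify_field(name, form, secret=SERVER_SECRET):
    """Return the field's value if its signature checks out, else None.
    A missing signature is treated the same as a bad one."""
    value, sig = form.get(name), form.get(f"{name}_sig")
    if value is None or sig is None:
        return None
    expected = sign_field(name, value, secret)
    return value if hmac.compare_digest(expected, sig) else None

# Constructed submissions: what the server rendered, and the same form after
# the hidden id was changed in the browser.
HONEST_FORM = {"userId": "42", "userId_sig": sign_field("userId", "42")}
TAMPERED_FORM = dict(HONEST_FORM, userId="7")

if __name__ == "__main__":
    print(render_hidden("userId", "42"))
    print(verify_field("userId", HONEST_FORM), verify_field("userId", TAMPERED_FORM))
```

For the specific case of "which user am I editing", tying the id to the authenticated session (as the next answer describes) removes the need for the hidden field altogether; the signature is for values that legitimately must round-trip through the form.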
There is nothing that will let you know whether the value of a hidden field has been changed or not. For a user to change his password it means that he needs to be authenticated. When using forms authentication the ID of the currently authenticated user is stored in an encrypted cookie which cannot be modified.
This is to say that you shouldn't use hidden fields for storing the currently connected user. Just use the built-in FormsAuthentication mechanism in ASP.NET and never store such information in hidden fields. The way ASP.NET knows that the value of the cookie hasn't been tampered with is that it signs it with the machineKey specified in the configuration.
There's an important rule that you should follow when dealing with security and authentication: always use built-in security mechanisms, never roll your own.