Community Support Forums

[PseudoNyhm]

First, I'd like to say that I'm familiar with WordPress, but brand new to s2Member. I really like the level of support I'm seeing from this product. I've already watched hours of Jason's videos (very useful for evaluation, thank you).

I have a particular use case, which I'm hoping s2Member can accommodate. I have an external application that must check both user authentication credentials and membership level.

More specifically, my users will enter their username/password into an external application. I need to POST the user's username and password to a URL (Web API). I can perform password hashing as needed, and the API can be accessed via HTTPS. The implementation (probably a php script) must ask WordPress whether the credentials are correct and report back the s2Member level (Level 0, Level 1, etc). The response can be set as header fields or as payload text that my application can parse.

Notice that the user does not have to be logged into WordPress. This should be performed entirely as a back-end routine. I can write some custom php code. I've done this already for phpBB, but want to improve my services by using WordPress and s2Member (with PayPal subscriptions).

Does s2Member support such an API? I understand that WordPress user credentials are somewhat out-of-scope, but s2Member seems to take over user registration, so it sounds like a good place to fetch these results.

Thanks in advance for any answers/insight/direction you can give!

[BobTabor]

Hi, I'm just a paying customer and I've never tried anything close to what you're describing ... so, for take this for what it's worth ... HOWEVER ... s2Member DOES USE THE WORDPRESS user database tables. All it does is add 4 new roles and has some code that manages accessibility to certain resources based on those 4 roles and payment to gain those roles.

SO ... if you've already done this for phpBB, I would guess you could do it for WordPress (assuming you can write PHP that hits a standard MySQL database directly), and if you did it for WordPress, then there's nothing special about s2Member (at least with regards to users, roles, etc.)

There are API's available within s2Member, however they are mostly for the currently logged in user. In other words, if you needed to show / hide / perform some custom logic on a given WordPress page, you can use shortcodes or PHP to harness the APIs to perform the logic given the current user's roles. In other words, they do not create an API providing access to a list of members or information about a given member outside of the scope of the currently logged in user.

Hopefully that will tide you over until Monday when you get the official answer from s2Member. Having said all of that, I'm a big fan of what they've done here and as you've noted they have a passionate, active user community (as well as support from their own internal staff).

Good luck!

[PseudoNyhm]

Your quick input is much appreciated, BobTabor.

I am hoping not to directly access the database. For example, in phpBB, I'm able to instantiate the phpBB system, then fetch the user object (essentially from the DB, but through phpBB), then call methods such as phpbb_check_hash(..) and group_memberships(..). This does not require/incur any actual user login (no need for a current session). That's what I'm hoping for.

I will also be using the levels for role-based site control (which is exactly what I need for the user experience on the site), but this external system must be able to operate independent of an actual login session. I look forward to more guidance - thanks!

[Cristián Lávaque]

Thanks, Bob.

I am hoping not to directly access the database. For example, in phpBB, I'm able to instantiate the phpBB system, then fetch the user object (essentially from the DB, but through phpBB), then call methods such as phpbb_check_hash(..) and group_memberships(..). This does not require/incur any actual user login (no need for a current session). That's what I'm hoping for.

Hmm... Well, you could try including wp-load.php in your script, which basically is like loading WordPress so it makes your script much heavier, but you'll be able to use WordPress' and s2Member's functions. E.g.

Code: Select all

require('/wp-load.php');
$user_label = c_ws_plugin__s2member_user_access::user_access_label($user);
 

https://codex.wordpress.org/Function_Reference/
s2Member Codex (code documentation)

I hope this helps.

[PseudoNyhm]

Cristián Lávaque, thank you for the input. I'll be testing soon, and will report back how it worked out.

Questions about s2Member API user_is(123, "s2member_level1")

1. If I rename my membership levels, do I need to replace "s2member_level1", or are these labels constant?
2. Is the WP API user_can(123, "s2member_level1") equivalent (will it recognize the s2Member level names)?
3. I'm assuming the s2Member level roles (capabilities?) are added to a user in addition to the WP native roles (not instead of). The s2Member API docs are a little misleading where they say "All of their other Roles/Capabilities are left untouched" (because s2Member doesn't actually manipulate the built-in WP roles... right?).

[Cristián Lávaque]

a. That's the role, it doesn't change when you edit the label.

b. By the "name" do you mean the label you set for the s2Member levels? WP Admin -> s2Member -> General Options -> Membership Levels/Labels

c. Right, s2Member adds some roles, doesn't edit the WP ones. You can see better what happens with the roles and their capabilities using a plugin like User Role Editor. https://wordpress.org/extend/plugins/user-role-editor/

[PseudoNyhm]

1. Good, then I can code "s2member_level1" into my script without too much concern of it ever changing
2. I meant, is WP API user_can(..) equivalent to s2M's user_is(..) or is there some subtle difference I'm missing? Does one or the other not include the cascading level inclusions? I'm wondering which I need to call for checking level access. WP user_can(..) is working, but I'm wondering if that's 100% correct.
3. Excellent. If I use User Roll Editor plugin, and manually assign some special non-s2Member role/capability (eg, Free Account for Life Special Access role), then they buy a subscription, will s2Member's logic override my role? What about when their subscription ends/canceled; I read elsewhere that s2Member will erase their roles/capabilities and set them back to level 0 only. Is this accurate?

Sorry to bombard you with questions, but I really appreciate the level of expertise. By the way, I had my external application authentication checks working within about an hour this morning (your tip to require wp-load.php started me on the correct path). WP and s2Member APIs are so much better than phpBB (in my opinion as a software developer). I'll provide more details later... thanks again.

[Cristián Lávaque]

It's fine that you ask questions. I'm so glad I'm being of help and that you're making progress.

It's wonderful that the documentation is useful, Jason published it recently after a lot of work. He did a great job with that, but please let us know if you see any way in which it can be improved.

b. current_user_is will check if the user has the role being checked, current_user_can will check if the user has that capability. So for a level 2 user current_user_is('s2member_level1') will be false, but current_user_can('access_s2member_level1') will be true because of the incremental access (level 2 can access content at level 2 and below).

c. If you create a new role, I don't know how you'd sell it with s2member. You could, though, edit the capabilities for one of the roles that s2Member works with. The EOT behavior can be edited from WP Admin -> s2Member -> PayPal Options -> Automatic EOT Behavior.

I hope that helps.

[PseudoNyhm]

I drifted off-topic a bit. To get back on track, here's some pseudocode showing the calls I'm making to load WP, check a given user/pass, and test role/level membership. Notice that none of this occurs during a current user session.

This is called from an external app, which provides the user/pass (eg, via POST over HTTPS). I've removed all the safety/security/control code for this listing, just to show the core procedure:

Code: Select all

require('../blog/wp-load.php');
if (!validate_username($user)) // fail
$userid = username_exists($user);
if (is_null($userid)) // fail
if (!user_pass_ok($user,$pass)) // fail
if (!user_can($userid, 's2member_level1')) // fail
// user has run the gauntlet, signal auth accept
 

It's that last call to user_can($userid, 's2member_level1')) that I'm not sure about. Will this work for s2Member levels (it works with WP roles such as 'administrator'), or should I be calling user_is(..) from the s2Member APIs? Clarification on these methods greatly appreciated.

[Cristián Lávaque]

I think it's fine. I haven't tried user_can yet, just current_user_can, but I'm pretty sure they'd do the same except for the user being checked. To confirm you could just run a couple of tests with test user accounts set at different levels so you see if you get trues or falses.

By the way, I think it's silly that they made the user's ID the first parameter and required, had they left it optional at the end, it could have defaulted to current user and the function would replace the silly current_user_can too.

[PseudoNyhm]

So far I haven't even installed s2Member yet! The amount of knowledge I have gained without even using the tool is a testament to the quality of the support offered here by you (and Jason's videos). This gives me good confidence that I can rely on the product even before I've seen it in action.

One request: The site says that the user documentation is embedded in the plugin. That's fine for reference. However, I'd really like to see the documentation on your site. I'm the type that reads the manual to find out what a product can do. Part of the reason I have to ask questions here is that there is no manual to read up front.

Another (on-topic) question: What's the difference between 's2member_level1' and 'access_s2member_level1'? When is it appropriate to use one versus the other? In which calls should one or the other be used?

[Cristián Lávaque]

About the documentation, I'll ask Jason to consider having it in the website, but since it goes hand in hand with the actual feature, it is much easier to follow in the plugin's admin pages. You can simply install the plugin and read there, It's worked very well for most people so far.

's2member_level1' is a role, 'access_s2member_level1' is a capability.

[PseudoNyhm]

's2member_level1' is a role, 'access_s2member_level1' is a capability.

So they probably aren't interchangeable. Is this the correct way to check a role versus capability:

Code: Select all

user_can($userid, 'access_s2member_level1') // capability check
user_is($userid, 's2member_level1') // role check   

If so, then that makes good sense. Thanks for the clarification. I will install a test platform, including the role management plugin you suggested, to see how things are set up.

[fcp2011]

I have a plugin for this. I had it programmed just for my company to use to register member supported software. what 3 party software are you using? Mine can handle the HTTP Post method. You need to set up a seperate database as well as use another plugin I had created. I would be willing to share it with you if it would work and you could pitch me a few bones to help cover the cost I spent. I spent about 1k on the programmer.

The additional plugin I had made reads the cookie and can post user specific data as well that is stored in a seperate database. It is shortcode based as well.

Let me know more about your 3rd party software. My plugin returns a standard server response of True or False, and a custom message based on some logic (this can be changed as need sorta).

[PseudoNyhm]

fcp2011, thanks for the offer, but I'm using my own software. Based on your description, my situation sounds a little different, but it's good to hear that someone else has had success under similar conditions.

[fcp2011]

Is the software web based or computer based? Mine is computer based if that helps.

The plugin will accept any http post in the proper format. If you need it, it is here.

[Cristián Lávaque]

So they probably aren't interchangeable. Is this the correct way to check a role versus capability:

Code: Select all

user_can($userid, 'access_s2member_level1') // capability check
user_is($userid, 's2member_level1') // role check        

user_can is a WP function since 3.1, but user_is doesn't exist yet, current_user_is exists with s2Member but if you want to check other users you could try to use something like

Code: Select all

$user_level = c_ws_plugin__s2member_user_access::user_access_level($user);
$user_role = c_ws_plugin__s2member_user_access::user_access_role($user); 

Package s2Member\User_Access Class c_ws_plugin__s2member_user_access
viewtopic.php?f=40&t=9477&src_doc_v=110605

If so, then that makes good sense. Thanks for the clarification. I will install a test platform, including the role management plugin you suggested, to see how things are set up.

Cool.

[PseudoNyhm]

I still like having an external manual, but you were right, s2Member's inline documentation is really useful. Just read along and configure each bubble from top-to-bottom. Thoroughly documented, well done.

Everything was poised to test: WordPress, s2Member, my external application, PayPal sandbox, PayPal subscription button (generated by s2Member). I click the button and...

• PayPal Sandbox is currently unavailable due to scheduled maintenance.

Argh. Time to sleep anyway.

[Cristián Lávaque]

lol... I'm sorry that happened, I know it can be frustrating.

I hope you rest well and can finish your test tomorrow.