Community Support Forums

[martonic]

Hi Jason,

s2Member API / Notifications looks useful, but I'm concerned about security - couldn't someone make their own http call and cause bad things to happen?

So, can the same functionality be achieved through hooks?

I see hooks like:

Code: Select all

do_action ("ws_plugin__s2member_during_paypal_notify_during_subscr_signup_wo_update_vars", get_defined_vars ());

Can I use it for this purpose? Thanks!

[Jason Caldwell]

Absolutely. Either/or is fine.
If you can use Hooks/Filters ( I recommend them ).
Otherwise, if you don't know PHP, you can use the s2Member API Notifications.
~ You sound like a developer, so yes... ( use Hooks/Filters )

API Notifications are secure too:
When you configure an API Notification, the URLs being processed are only editable by you, from within your Dashboard, under s2Member -> API Notifications. If you're concerned about security with the receiving URL, you could always configure the API Notification with a secret key in the URL.

Code: Select all

http://mysite.com/do-something-special.php?secretKey=628983412-02342230412984532342

[martonic]

Hi Jason,

Thank you very much.

One issue with using hooks is analyzing the array structure returned by get_defined_vars for each hook we need (registration, payments, refunds etc.). Another issue, then, is not knowing if that array structure will remain stable across possible s2member upgrades. So, maybe notifications are the way to go, after all.

I did not see examples of the notification URLs.

Can I assume that the syntax works like this:

Code: Select all

    http://mysite.com/do-something-special.php?name=%%full_name%%&item=%%item_number%%


Also, would a relative address work as well, for example:

Code: Select all

    /special_directory/do-something-special.php?name=%%full_name%%&item=%%item_number%%


Thanks again.

[Jason Caldwell]

Yes, this is correct:

Code: Select all

http://mysite.com/do-something-special.php?name=%%full_name%%&item=%%item_number%%

Also, would a relative address work as well, for example:

No. Don't use relative URLs. s2Member has to assume that your Notification URLs live externally, and since they are processed with the WP_Http class, they must begin with http:// or https://

One issue with using hooks is analyzing the array structure returned by get_defined_vars for each hook we need (registration, payments, refunds etc.). Another issue, then, is not knowing if that array structure will remain stable across possible s2member upgrades. So, maybe notifications are the way to go, after all.

I think that's a very good observation; and, I agree. There are ups and downs to both methods. API Notifications are less likely to change from one version to the next; because they are built into s2Member as a major feature. Whereas Hooks/Filters are directly in the code, always subject to change.

We make every effort to preserve Hooks/Filters from one version to the next. Normally, we add new Hooks/Filters; very seldom will you see a Hook/Filter removed. That being said, ( you are right ) it's always possible that a change will be required in a future release. If we have to remove a Hook/Filter in order to improve s2Member in a future release, we WILL do that without hesitation.

Alternatively, using a Hook/Filter gives you access to the routine itself. Not only will you have access to more information within a Hook/Filter, you will also be processing your custom code within the execution of the event itself. This has advantages as well. For instance, if you need to do something within your custom routine that requires access to another s2Member function, or to another WordPress function, reference, database class, etc... this is all easier to deal with inside a Hook/Filter.