I’ve been using the new theme customizer and it really has me thinking how awesome it would be to allow potential theme buyers/clients etc to play with the customizer for a demo theme (without being logged in). The customizer is located at:
..wp-admin/customize.php
So what it would take would be to somehow allow open access to this URL but nothing else in the back end. I suppose there is probably a security issue with this but I thought I’d get a discussion going on it here in case it’s possible to do this safely as I’m sure other people might have the same idea.
So the question is: is there any safe way to allow open access to a single page of the admin?
1
Just an idea:
- Make a user called ‘Guest’ and look up the user ID
- When redirecting your potential clients to the admin page, redirect to a script that’s logging in your clients as the guest user (Code #1)
- Add a WordPress action to disallow the user when logged in as ‘Guest’ and not on customize.php (Code #2)
Code #1
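// Assumes WordPress is already loaded in this script (e.g. via wp-load.php)
$creds = array(
    'user_login'    => 'guest_user',
    'user_password' => 'guest_user_plain_password'
);
// Log the visitor in as the guest user (no "remember me" cookie)
$user = wp_signon( $creds, false );
if ( is_wp_error( $user ) ) {
    echo $user->get_error_message();
} else {
    wp_redirect( 'your_absolute_admin_url' );
    exit;
}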
Code #2
// Replace 0 with the user ID of 'Guest'
define( 'GUEST_USER_ID', 0 );

add_action( 'init', 'check_guest_user' );
function check_guest_user() {
    // Only when in backend and the guest user is logged in
    if ( is_admin() && GUEST_USER_ID == get_current_user_id() ) {
        // Block pages other than customize.php ($pagenow holds the file name)
        global $pagenow;
        if ( 'customize.php' != $pagenow ) {
            exit();
        }
    }
}
Only problem with this script is when multiple users are trying the customizer. Saving customization settings per user would make things a lot harder.
It answers your question though, as it is a solution to give access to users to a specific page without them having to register an account.
http://codex.wordpress.org/Function_Reference/wp_signon
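Added example (not part of the answer above, and not WordPress core code): a stricter variant of Code #2 that gives the guest account its own minimal role, denies every admin entry point except customize.php, and refuses to persist changes, so visitors sharing the one guest account cannot overwrite each other's or the site's settings. The role name demo_guest and the demo_guest_* function names are hypothetical; it assumes customize.php is gated by the edit_theme_options capability.

```php
<?php
// Added example: preview-only guest access to the customizer.
// 'demo_guest' and all demo_guest_* names are hypothetical.

// One-time setup (e.g. from a plugin activation hook): a role for the
// guest account. edit_theme_options also unlocks the widgets, menus and
// theme settings screens, which is why the gate below is still required.
function demo_guest_add_role() {
    add_role( 'demo_guest', 'Demo Guest', array(
        'read'               => true,
        'edit_theme_options' => true, // assumed capability for customize.php
    ) );
}

// True when the current request is authenticated as a demo guest.
function demo_guest_is_guest() {
    $user = wp_get_current_user();
    return in_array( 'demo_guest', (array) $user->roles, true );
}

// Allow-list instead of deny-list: anything under wp-admin that is not
// explicitly named here is refused with a 403.
add_action( 'admin_init', 'demo_guest_gate' );
function demo_guest_gate() {
    if ( ! demo_guest_is_guest() ) {
        return;
    }
    global $pagenow;
    // admin-ajax.php and admin-post.php also run admin_init and are
    // denied here. If the customizer on your WordPress version needs
    // AJAX calls, allow them per action rather than the whole file.
    $allowed = array( 'customize.php' );
    if ( ! in_array( $pagenow, $allowed, true ) ) {
        wp_die( 'Not available in the demo.', 'Forbidden', array( 'response' => 403 ) );
    }
}

// Defence in depth: even if a save request reaches the customizer,
// stop it before any setting is written.
add_action( 'customize_save', 'demo_guest_block_save', 1 );
function demo_guest_block_save() {
    if ( demo_guest_is_guest() ) {
        wp_die( 'Saving is disabled in the demo.', 'Forbidden', array( 'response' => 403 ) );
    }
}
```

Assign the demo_guest role to the guest account used in Code #1 and run the demo on an installation that holds no real content, since the guest password is effectively public.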