0

I'm looking for a way to allow guest posts to be created on my website, without users having to log in. I would prefer to do this in a secure way, without a plugin if possible.

I've tried using the WP Rest API to create the post through a form on the website front end, using a nonce to authenticate. However, I got a 401 unauthorized error while creating this as a non logged in user.

Did some research and it does not seem like the REST API can be used to create posts when the user is not logged in.

I did come across mentions about wp_ajax_nopriv_(action), but I couldn't find any recent documentation that seemed reliable.

This is the most reliable documentation I found, and it seemed a little dated.

WordPress REST API - Allow anyone to POST

and

https://www.justinsilver.com/technology/wordpress/creating-ajax-functions-in-wordpress/

I'm including my code below.

createStory() {
    var newStory = {
        'title': $("#title").val(),
        'content': $("#description").val(),
        'excerpt': $("#excerpt").val(),
        'name': $("#name").val(),
        'location': $("#location").val(),
        'status': 'draft' //needed to publish the post, otherwise it is saved as a draft
    };



    $.ajax({
            beforeSend: (xhr) => {
                xhr.setRequestHeader('X-WP-Nonce', siteData.nonce);
            },
            url: siteData.root_url + '/wp-json/wp/v2/helpers-story/',
            type: 'POST',
            data: newStory,
            success: (response) => {
                console.log("New post created");
                console.log(response);
            },
            error: (response) => {
                console.log("Post creation failed");
                console.log(response);
            }
        })
        return false;
    }

This is part of the response I received.

responseJSON: {code: "rest_cannot_create", message: "Sorry, you are not allowed to create posts as this user.", data: {…}}

responseText: "{"code":"rest_cannot_create","message":"Sorry, you are not allowed to create posts as this user.","data":{"status":401}}
mohitb
  • 151
  • 2
  • 11

2 Answers2

0

Thanks @Beneris. I used a simpler solution instead.

I was able to resolve this by creating a custom REST API endpoint, which did not require a logged in user anymore. As this is for public posting, and the submitted content does not get published immediately, that was an acceptable solution.

The default WP REST API endpoints seem to require a logged in user for POST/DELETE requests.

mohitb
  • 151
  • 2
  • 11
-1

footer.php

<script>
    var ajax_url = "<?php echo admin_url( 'admin-ajax.php' ); ?>";
</script>

JS part

var newStory = {
    'action': 'visitor_post',
    'title': $("#title").val(),
    'content': $("#description").val(),
    'excerpt': $("#excerpt").val(),
    'name': $("#name").val(),
    'location': $("#location").val(),
    'status': 'draft' //needed to publish the post, otherwise it is saved as a draft
};

createStory(newStory);

var xhr = null;
function createStory(newStory) {
    if( xhr != null ) {
        xhr.abort();
        xhr = null;
    }

    xhr = $.ajax({
        url: ajax_url,
        timeout: 3600,
        type: "POST",
        cache: false,
        data: newStory,

        beforeSend: function() {
        },
        success: function( data ) {

        },
        error: function( jqXHR, textStatus, errorThrown ) {
            console.log( 'The following error occured: ' + textStatus, errorThrown );
        },
        complete: function( jqXHR, textStatus ) {
        }
    });
}

functions.php 

add_action( 'wp_ajax_visitor_post', 'create_visitor_post' );
add_action( 'wp_ajax_nopriv_visitor_post', 'create_visitor_post' );

function create_visitor_post() {
    $user_id = 1; // create separate user for public post and attach all those posts to that user
    $my_query = array(
        'post_title'    => wp_strip_all_tags( $_POST['title'] ),
        'post_content'  => $_POST['content'],
        'post_excerpt'  => $_POST['excerpt'],
        'post_type' => 'post',
        'post_name' => sanitize_title($_POST['name']),
        'post_status'   => $_POST['status'],
        'post_author'   => $user_id
    );
    $new_post = wp_insert_post( $my_query );
    add_post_meta($new_post, 'location', $_POST['location'], true);
}
Beneris
  • 627
  • 4
  • 11