User database and a personal questionnaire for each user

I run a WordPress based website for a sports club. Due to current COVID-19 restrictions every member must fill out a form answering Covid related questions before they come to every training session. This is currently done using paper.

I would like to move this process online however, I’m not sure how to achieve this.

I was thinking of getting every user to register for an account on the website and then have them complete the form electronically.

Every member has a membership number. Is there a way they could register by putting in the membership number and making a password? This way I wouldn’t have to make all the accounts myself and not everyone can register, only people with an membership number.

I also do not know how to make a form for each user. I would have to be able to keep track of who has completed the form and who hasn’t.

If anyone can help I’d really appreciate it.

Writing a plugin to track user purchase and post back that using API? [closed]

I am writing a plugin to track user purchase and post back that using API.

First the user visit a third party listing site and logs in. Then he clicks the listing and visits a wordpress store with this plugin.
I need to store that user info for 30 days. In that window period if he makes purchase i will pay commission to the third party listing site.

Can you suggest any code examples or free and paid plugins to look at.

OpenID Connect with user bound roles and M2M access

I’m trying to get my head straight about how to properly design a OpenID connect provider and the roles to use with it. I understand the basic of scopes, claims and the different flow one can use. However, I’m trying to get my head around how I should handle the cases where i want M2M access to all resources, and a end user should only have access to his/her data.

My question is more related to how I should handle roles, is it overkill to have roles such as:

  • view_company_data
  • view_all_data

An example could be to provide a public API to access all data, e.g. collaborating companies, while also allowing me to have specific users to only access the data created by him/her. In my case that would be government body that wants access to all data, whilst the business owners should only have access to their own data.

I have an authentication provider, along with several resource servers. The business owners access their data through our client with only read/write permission for their own entity, and the government body wants access through our APIs to access all the data.

I wish to have all access control in a central entity, so generating access tokens on each separate resource server along with default JWT tokens from the authentication server seems like a bad idea. I’d rather handle it all from the authentication server.

Also a user should be able to generate these full-access tokens, given that they have an Global administration role.

So, what would be the right thing to do here?

DEX-focused heavy armour user – mithral full plate vs mithral breastplate

So I’m curious about a matter of best AC for my buck. I’m playing a Dexterity focused heavy armour character (Cavalier to be specific, but I imagine the same answer applies to fighters or any other heavy armour proficient characters), My starting Dex was 16, so without taking into account a Belt of Incredible Dexterity my DEX by level 20 will max at a +5 bonus.

I’m trying to decide whether I am better off using my heavy armour proficiency, getting Mithral Full Plate and accepting that I can onlyuse +3 of my DEX bonus for AC – though I believe I can still get my full DEX bonus to other things such as Weapon Finesse and Deft Strike (when I multiclass into Swordlord later on) and Reflex saves.

Or am I better off with something lighterweight like Mithral BReastplate, even thought he base AC is lower, get to apply more of my DEX to my AC and not take the movement speed penalty for wearing Medium armour which I would for having Full Plate.

I’m not especially confident in my math as to which can get the better overall AC – as I am a front-line tank and really my ideal situation is to maximise AC over any other concerns.

Is nonce useless when user input is reflected within an inline script?

I stumbled upon a web app which is accepting user input and putting it into a variable within script tag.

The script tag does have a nonce attribute.

enter image description here

As am working on bypassing the XSS filter, I had this thought that this practice of reflecting user input within an inline script with nonce attribute beats the purpose of using it.

Is my understand correct or am I missing something here ?

Woocommerce Billing Form not saving User Name or Phone Number?

I have a custom checkout that we’ve built as part of the theme for a site we are building.

When the user presses update to update the shipping or billing address, it wont save the user’s first and last name or their phone number.

I wondered if anyone might be able to help as i am a little stumped here:

<div class="woocommerce-billing-fields">     <?php if ( wc_ship_to_billing_address_only() && WC()->cart->needs_shipping() ) : ?>          <h3><?php esc_html_e( 'Billing &amp; Shipping', 'woocommerce' ); ?></h3>      <?php else : ?>          <h3><?php esc_html_e( 'Billing Address', 'woocommerce' ); ?></h3>      <?php endif; ?>      <?php do_action( 'woocommerce_before_checkout_billing_form', $  checkout ); ?>      <?php $  customer = WC()->customer;?>         <p class="billing-details <?php if(!is_user_logged_in()) {echo 'hide';}?>">             <?php echo             $  customer->get_billing_first_name() . ' ' . $  customer->get_billing_last_name() . ', ';             if(!empty($  customer->get_billing_company())) { echo $  customer->get_billing_company() . ', ';}             echo $  customer->get_billing_address_1() . ', ';             if(!empty($  customer->get_billing_address_2())) { echo $  customer->get_billing_address_2() . ', ';}             echo $  customer->get_billing_city() . ', ' .             $  customer->get_billing_state() . ', ' .             $  customer->get_billing_postcode()             ;?>         </p>         <p class="change-billing-details <?php if(!is_user_logged_in()) {echo 'hide';}?>">Change</p>       <div class="woocommerce-billing-fields__field-wrapper <?php if(!is_user_logged_in()) {echo 'show';}?>">         <?php         $  fields = $  checkout->get_checkout_fields( 'billing' );          foreach ( $  fields as $  key => $  field ) {             woocommerce_form_field( $  key, $  field, $  checkout->get_value( $  key ) );          }         ?>         <p class="update-billing-details updating">Update Billing Details</p>     </div>      <?php do_action( 'woocommerce_after_checkout_billing_form', $  checkout ); ?> </div>  <?php if ( ! is_user_logged_in() && $  checkout->is_registration_enabled() ) : ?>     <div class="woocommerce-account-fields">         <?php if ( ! $  checkout->is_registration_required() ) : ?>              <p class="form-row form-row-wide create-account">                 <label class="woocommerce-form__label woocommerce-form__label-for-checkbox checkbox">                     <input class="woocommerce-form__input woocommerce-form__input-checkbox input-checkbox" id="createaccount" <?php checked( ( true === $  checkout->get_value( 'createaccount' ) || ( true === apply_filters( 'woocommerce_create_account_default_checked', false ) ) ), true ); ?> type="checkbox" name="createaccount" value="1" /> <span><?php esc_html_e( 'Create an account?', 'woocommerce' ); ?></span>                 </label>             </p>          <?php endif; ?>          <?php do_action( 'woocommerce_before_checkout_registration_form', $  checkout ); ?>          <?php if ( $  checkout->get_checkout_fields( 'account' ) ) : ?>              <div class="create-account">                 <?php foreach ( $  checkout->get_checkout_fields( 'account' ) as $  key => $  field ) : ?>                     <?php woocommerce_form_field( $  key, $  field, $  checkout->get_value( $  key ) ); ?>                 <?php endforeach; ?>                 <div class="clear"></div>             </div>          <?php endif; ?>          <?php do_action( 'woocommerce_after_checkout_registration_form', $  checkout ); ?>     </div> <?php endif; ?> 

MySQL password rotation: Using a single user to change other user passwords

I’m currently working on setting up a password rotation strategy for an AWS Aurora/MySQL based application.

My plan was to use a strategy like this…

  • Application usernames/passwords stored in AWS SSM encrypted parameters.
  • Application servers have access to retrieve only their credentials from SSM. Restricted by environment (staging, production etc.)
  • Lambda configured to run periodically to change passwords in MySQL and store the new values in SSM. Lambda to authenticate with the database using AWS IAM roles, rather than using a password.

The last bit is the bit I’m not sure about. This configuration would require the lambda role/user to have permission to change the passwords for all of the other application users.

Is this a reasonable way to do it, from a security perspective? Since the lambda mysql user will use an IAM role rather than a password, this should retrict it’s use to only authorised roles.

The alternative would be to not have a special db user for the lambda to login, but rather to have the lambda function retreive each users credentials from SSM, and then login as each user to change it’s password.

Either way the lambda is going to need to have access to each user.

Assuming I can carefully retrieve access to the "lambda_user" in MySQL, are there any other glaring issues with having a user have authority to change other users passwords?

Also, just to clarify, these are application users, not regular human type users who will be using these credentials.

Protect password from apache user by making file executable-only

I (will) have a binary executable file. It’s only permission is user-execute. It cannot be read by user, group, or world. The owner of the file is the Apache user. I don’t want the apache user to be able to read the file, but I do want the apache user (via a PHP script) to be able to execute the file.

The binary executable file contains a password that is used to decrypt an SSH private key file, as I need the public key to hash the request body & compare against a hashed signature my server is receiving. The executable binary file will receive the request body & hashed signature, do its stuff, and simply return "yes" or "no" to indicate if the request is valid.

I know my executable binary file could still be accessed by root or sudo. Preventing that would be interesting, but is beyond the scope of my question.

Would this be an effective way to protect the password (which is in the binary file that can ONLY be executed) against PHP scripts running under the apache user?

Note: I would like to open-source this setup so want it to be useable on a variety of linux servers. I’m personally on a shared-server so can’t really configure apache or the system, and that would be my target audience.