WordPress MU plugin: Secure invites

I’ve just released a new project – in fact my very first public WordPress MU plugin. As I’ve been working with WordPress MU for a number of years it’s about time I gave something back.

Anyway, the plugin does what it says on the tin. It restricts signups only to people who have been invited. There are a few configuration options, and a page showing some invitation statistics. See more details on the secure invites plugin here.

You can download the plugin from wpmudev.org. As it’s a beta version I expect there to be bugs, so please enter any problems, questions or suggestions you may have below. Thanks.

108 thoughts on “WordPress MU plugin: Secure invites

  1. Great! You just solved quite a few of my problems 🙂 May I ask some more? I have a feature request… this may be a bit complex, but I really could use it, and I believe some others could as well:

    1) Create a capability to invite (make invitations).
    2) Make tools to assign (revoke) this capability to certain, handpicked, users.
    3) Restrict the ability to invite people to users with this capability.

    Need to keep it BP 1.1 compatible.

    Thanks 🙂

  2. @Tuomas

    > 1) Create a capability to invite (make invitations).
    > 2) Make tools to assign (revoke) this capability to certain, handpicked, users.
    > 3) Restrict the ability to invite people to users with this capability.

    So you’d like the ability to restrict the ability to invite to only a selected group of users. Yes, that’s certainly possible. I’ll add it to the to-do list.

  3. Cool 🙂

    How about, if the newly invited people could be categorized as newbies, until manually upgraded/certain period of time?

  4. Hi Tuomas,

    > How about, if the newly invited people could be categorized as newbies, until manually upgraded/certain period of time?

    There is already the ability to restrict new users from inviting people until a certain number of days after they registered. Is that what you mean?

  5. I would not show “Invite Friends” if the registrations are disabled:

    > add to the top of function secure_invite_user_can_invite() :
    > Line ~ 504 in secure_invite.php
    if ( (“all” == get_site_option( ‘registration’ )) ) { // || is_site_admin () || (“user” == get_site_option( ‘registration’ ))
    // proceed further
    } else {
    return false;
    }

  6. I am having trouble locating the invite form. I have located the Invite settings and the Invite statistics pages, but I can not locate the Page to actually invite a new member to my site. Can you tell me where this should be located? Im using WPMU 2.8.6 and Plugin version 1.0. I have looked in both the admin backend and a user backend for the invite form and can not locate it.

  7. I figured it out. My new registered user hadn’t been registered long enough. I ended up not needing this feature of your plugin. So I just removed it and all is good. I did try putting a zero a the amount of days to be registered before use, thinking this would allow a new user to immediately invite new user but that didn’t work.

    I think placing a zero in the number of days before new users can invite making the Invite Friends menu immediately available would be a good feature to add.

  8. Hello Chris,

    Thank you for incorporating the suggested fixes into version 0.7.

    Please find below two more issues fixed.

    1. Old (not invited users) were not able to create extra blogs.
    2. Invitation can be easily reused (a small patch makes it more difficult).

    You only need to add/alter few lines at the top of your code:

    add_action( ‘wp_head’, ‘secure_invites_wp_head’ );

    // this function requires function is_user_logged_in
    // the issue is that mu-plugins are loaded prior to pluggable.php in /wp-settings.php
    // so we need to do this check with wp_head hook

    function secure_invites_wp_head () {
    global $wpdb;

    // when the wp-signup.php page is requested
    $secure_invite_signup_page = get_site_option(“secure_invite_signup_page”);
    if ( ( strpos ( $_SERVER[“REQUEST_URI”], “wp-signup.php” ) !== false || strpos ( $_SERVER[“REQUEST_URI”], $secure_invite_signup_page ) ) && ( get_site_option ( “secure_invite_open_signup” ) != “1” ) && ( ! is_user_logged_in () ) ) // ADDED ! is_user_logged_in () – that the existing users can create new blogs
    {
    // set the signup request as not valid
    $valid = false;

    // check the email address is a valid invitation
    if ( isset ( $_SERVER[“QUERY_STRING”] ) && ( secure_invites_is_valid_email ( $_SERVER[“QUERY_STRING”] ) || secure_invites_is_valid_email ( trim ( @$_POST[“user_email”] ) ) ) )
    {
    $valid = true;
    if ($_SERVER[“QUERY_STRING”] != “”)
    {
    $_POST[‘user_email’] = $_SERVER[“QUERY_STRING”];
    }
    }

    // if the signup request is not valid
    if (!$valid)
    {
    // show the message
    $secure_invite_no_invite_message = get_site_option(“secure_invite_no_invite_message”);
    if ($secure_invite_no_invite_message == “”) { $secure_invite_no_invite_message = “Sorry, you must be invited to join this community.”; }
    // stop processing
    wp_die ($secure_invite_no_invite_message);
    exit ();
    }

    // check if the invitation was used
    // at the moment, we can only check if the e-mail (user) is registered and derive that the invite was used
    // still, some users may change their e-mails and this way achieve miltiple signups
    // for better invite accounting one needs to tag used invitations in “invitations” table
    if ( is_email ( $_SERVER[“QUERY_STRING”] ) ) {
    $found = $wpdb->get_var ( $wpdb->prepare ( “SELECT user_login FROM $wpdb->users WHERE user_email = ‘%s'”, $_SERVER[“QUERY_STRING”] ) );

    if ($found) {
    // stop processing
    wp_die ( ‘E-mail ‘ . $_SERVER[“QUERY_STRING”] . ‘ was already registered. If you are the registrant, please sign in.’); // ?user_login=’ . $_SERVER[“QUERY_STRING”] . ‘
    exit ();
    }

    }

    }

    }

    add_filter (‘signup_user_init’, ‘secure_invites_signup_user_init_filter’);

    // assign default e-mail
    function secure_invites_signup_user_init_filter ($result) {

    if ( “” == $result[‘user_email’] ) {
    if ( is_email ( $_SERVER[“QUERY_STRING”] ) ) {
    $result[‘user_email’] = $_SERVER[“QUERY_STRING”];
    }
    }

    return $result;

    }

  9. When trying to use another custom message with html tags and ” quotes, e.g.

    Sorry, you must be invited to join this community.</p><br /><p>If you were invited but changed your e-mail address on the sign up page, please mind that you need to use the exact address which you received in the invitation.<sup>[<a href=’/faq/sign-up/#personal-invitation’ target=’_blank’>Why?</a>]</sup><br />It will be possible to change your address later.<br />Please go back to the <a href=’javascript:history.back(1);’ onclick=’javascript:history.back(1);’>previous page</a>.</p><br /><p>If you did not receive an invitation from your friends yet, you may consider applying for one on the <a href=’/invite-me/’>open basis</a>.

    I had to use http://php.net/stripslashes

    > N.B.
    > Secure Invite will add as prefix and suffix
    > “” will not work, you will need to use ” quotes

    > Actual FIX:
    > add stripslashes in function secure_invites_wp_head () {
    $secure_invite_no_invite_message = stripslashes ( get_site_option ( “secure_invite_no_invite_message” ) ); // FIXED !!!!!!
    > add stripslashes in function secure_invite_settings()
    $secure_invite_no_invite_message = stripslashes ( get_site_option ( “secure_invite_no_invite_message” ) ); // FIXED !!!!!!

  10. Great plugin! I’ve been using it on my site and love it. You’ve done a great job and I’m grateful for that.

    Like Klaus mentioned back in June, it would be awesome if users had a way to handle the entire invitation process from the Buddypress Bar or the Buddypress Profile instead of having to use the WordPress Dashboard.

    Is there a simple plugin hack to do that?

    Thanks,
    Paul

    🙂

  11. Sorry Paul, there isn’t a simple hack to do that. There are lots of things I’d like to do with this plugin, but I just don’t have very much time at the moment.

    I’ve just updated the plugin thanls to the suggestions from Mark at http://of-cour.se/ to fix slashes problems and allow logged-in users to create further blogs.

  12. no spam!

    Dear Chris,

    I installed this plugin (under instruction), waited a few days, but I do not see a link to an invitation to the console. Other users also do not see myself in this link. The latest version of MU and BP. How to organize the work of this plugin? Thank you for your reply.

    It screens the admin
    http://watch-hub.ru/admin.jpg

  13. Hi Chris,

    Sorry to bother you again, but I’m having issues with version 0.8

    Whenever I uncheck the “Open signup” option in version 0.8 users can’t create new accounts. When they click the link in their email it takes them to a page that’s completely blank (e.g. http://jibenow.com/register?napauleon16@yahoo.com).

    For right now I’ve had to enable an open sign-up on my site. Do you have any idea what’s wrong?

    Thanks,
    Paul

  14. AlexSan: “I installed this plugin (under instruction), waited a few days, but I do not see a link to an invitation to the console.”

    Sorry about this, I’m not sure why it’s not giving you the link. I’ve updated the plugin so it gives HTML comments to explain why a particular user can’t view the invite form. Please look for “

  15. Yes, the actual sign up page on the site is: http://jibenow.com/register

    The “Signup page” field is set to “register”.

    That’s what my settings were in version 0.7 and as far as I know everything worked correctly then. I would revert back to 0.7 if I could but the WordPress plugin repository only shows version 0.5 and 0.8.

    Perhaps there was a minuscule change in version 0.8 that’s causing the error? I’m running WP MU 2.8.6 and BP 1.1.3

    Any thoughts?
    -Paul

  16. I tried updating to 0.8.1 but again no luck. Also, when I was logged out and clicked the “register” button ordinarily the register page would say “Sorry, you must be invited to join this community” but nothing shows at all. Just a blank screen.

    I see that you’ve added 0.7 back in the repository so I’ve reverted back to that. Everything appears to be fine again now that I’m using 0.7 . If you’re logged out and click the register button you’ll see the “Sorry, you must be invited to join this community” message. Also, when invitees click the links in their emails the register page displays correctly (instead of being blank).

    Is it possible that 0.8 (and 0.8.1) is neglecting to call a certain file that 0.7 does? Like maybe wp_footer.php or something?

  17. Great, glad you got it working again. 0.8 was (to my shame) a rushed release. I’ll try to make some time to fix it properly.

  18. Chris,

    I’m having similar problems with 0.8.1 to those described by other users. I just checked the repository, and 0.8.2 is not available there. I checked the plugin SVN and don’t see the newest version there either. Any ideas where I can get version 0.8.2?

    Thanks,
    Erick

  19. Hi Chris and everyone! Just want to let you know that this plugin doesn’t work with BP 1.2. Users can easily circumvent this plugin. I’ve emailed about the specifics.

    Thanks!

  20. Oh, perhaps I was to quick. You can set this in the admin panel. Still it seems that it’s not working as before. I’ll have to try it a little more.

  21. Hi Chris,

    I’ve updated to version 0.8.3 (I’m still using BP 1.1.3) and everything’s working like a charm. The only thing I’m still bothered by is that whenever a member invites a friend the “From” field is always “noreply@jibenow.com” (which looks kind of spammy).

    I looked around at the source code and saw that the plugin is supposed to be using the email address of the invitation sender. Do you have any idea why this isn’t the case?

    Thanks,
    Paul

    🙂

  22. I’m now using BP 1.2 and WPMU 2.9.1 with the WP From Email plugin and everthing’s working fine. So if I could make feature requests for 0.8.6 then here’s a few.

    Currently I have to manually delete each invite and then let the page reload 1 by 1. This can get to be a big hassle as a site grows. With hundreds of expired invites to wade through every day this could be really time consuming.

    Automatic deletion of expired invites
    Mass deletion of invites
    Ability to automatically increase the number of invites for certain users based upon their tenure on the site
    Ability to arbitrarily increase the invites for certain users (perhaps you’ve appointed them in charge of a recruitment drive)

    Those are my thoughts for now.

    Thanks again for the plugin,
    – Paul

  23. I’m using bp 1.2.2.1 with wpmu 2.9.2. I installed this plugin and it can be configured through the control panel. However, I cannot find the “invite friends” button in the dashboard section or anywhere else.

  24. Oh, another request would be Buddypress integration for users. That way users could invite friends right from main Buddypress site instead of having to go into their blog dashboards.

  25. I had this working before upgrades of both wpmu and this plugin, now I uploaded it to mu-plugins and nothing shows up in admin at all.

    and if I try and put in plain plugins I get

    Parse error: syntax error, unexpected T_DNUMBER, expecting ‘,’ or ‘;’ in /home/*****/public_html/aaw/wp-content/plugins/wordpress-mu-secure-invites/secure_invite.php on line 689

    Please help

  26. Hi Chris,

    First of all; Thanks for creating such an awesome plug-in, especially with the new rating system in the 0.9 version. It works like a charm from the WordPress back-end. However, when I use the in a specific post (pulled from an if-statement in the template) the form just returns my 404-page when trying to send invites (the address bar returns http://myaddress.com/?send=invites).

    I’m running WPMU 2.9.2 with version 0.9 of the plug-in.

    I’ve been trying to fiddle around with the plug-in code, but no success so far. Any ideas?

    Thanks,
    Rune

  27. Elizabeth: please upgrade to the latest version and ensure it is installed properly. Then let me know if you still have the same problem.

  28. Rune: if you can put a link to your site here I’ll take a look. Otherwise please email me at gmail.com, name “mrwiblog”.

  29. i’m sorry please ,ignore my reply !!!
    My problem is with login redirection like as

    Force User Login
    Registered Users Only 2
    Registered Users Only

    how can i set one of These plugins with Secure invitation plugin ?
    sorry for my bad english

  30. Hey

    Thanks for the plugin.

    I’m using the latest versions of WPMU, buddypress and your plugin (and the default buddypress theme)

    I found a couple of things…

    1) The “invite” feature doesn’t show in Google Chrome (it does in firefox).

    2) The registration link does not work in the email – when I click the link I get “Sorry, you must be invited to join this community.” – which kinda defeats the purpose. 🙂

    Are these bugs (the chrome things looks to be) – or just me doing something wrong ?

    Thanks

    Ojo

  31. Also…

    it looks as if someone signs up with a different email address than the one in the email – it doesn;t get counted against the invite.

    Ojo

  32. Hi Chris,

    I’ve located a few other bugs with 0.9.2

    1. Checkboxes: If one of the “Buddypress theme settings” checkboxes is checked (in my case “At the top of the default sidebar”) I can’t seem to uncheck it. Whenever I do and then click “Save Settings” the page will refresh and the checkbox is still marked. However if I check one of the other boxes and uncheck the original I can save the settings. But there’s no way for me to uncheck all of them.

    2. Group Invites: Apparently a function is being called incorrectly or something. If one of the members of a group (in this case the “Feedback” group) clicks “Send Invites” to invite other members of the site to join the group he’s presented with the “Invite a Friend” form from the Secure Invites plugin rather than the group invites form from the Buddypress Core.

    So right now members can invite non-members to join the site but can’t invite current members to join their groups. Here are 2 screenshots:

    http://jibenow.com/files/2010/04/WPMU-Secure-Invites-0.9.2-Invite-Friends-to-Groups-01.png

    http://jibenow.com/files/2010/04/WPMU-Secure-Invites-0.9.2-Invite-Friends-to-Groups-02.png

    Thanks,
    Paul

  33. Ojo:

    > 1) The “invite” feature doesn’t show in Google Chrome (it does in firefox).

    Can you provide a screenshot or a URL where I can see this for myself, please? I find it very strange that it would work in one browser and not in another.

    > 2) The registration link does not work in the email – when I click the link I get “Sorry, you must be invited to join this community.” – which kinda defeats the purpose.

    Did you have any strange characters in your invited email address? Are you sure the link you went to was correct (some email clients can break long links)?

    > it looks as if someone signs up with a different email address than the one in the email – it doesn;t get counted against the invite.

    I’m afraid so. I was aware of that but it wasn’t worth the development time to try to work around it. I think that is actually not a common problem.

    Paul:

    > 1. Checkboxes: If one of the “Buddypress theme settings” checkboxes is checked (in my case “At the top of the default sidebar”) I can’t seem to uncheck it. Whenever I do and then click “Save Settings” the page will refresh and the checkbox is still marked. However if I check one of the other boxes and uncheck the original I can save the settings. But there’s no way for me to uncheck all of them.

    I’ve just submitted a new version which fixes this (you need to check the new “Don’t use automatic BuddyPress integration” checkbox). The new version will be available in a few hours when it has been checked by the WordPress guys.

    > 2. Group Invites: Apparently a function is being called incorrectly or something. If one of the members of a group (in this case the “Feedback” group) clicks “Send Invites” to invite other members of the site to join the group he’s presented with the “Invite a Friend” form from the Secure Invites plugin rather than the group invites form from the Buddypress Core.

    Ah, good catch. I’ve just submitted another new version with a fix for this which I’ve tested on my local BuddyPress install. Hopefully it will work OK for you now.

    I’m not sure why the plugin would mess up your custom header, but hopefully the fix I just released will stop that bug happening.

  34. Thanks Chris.

    Ojo, I had the same problem until I realized that I needed to change the “Sign up” field in the “Signup” section. The default is “example.com/wp-signup.php” which should actually read “example.com/register”. Just replace “register” with the name of your signup page.

  35. Hi Chris,

    I have an additional feature request which I hope isn’t beyond the scope of the plugin. Sometimes it becomes necessary to open up site registration for a group of people that I don’t know personally and that are far too large for me to invite individually. However, I don’t want to open up site registration completely for the public at large.

    An example would be if my community is for school teachers. Normally the members on the site (i.e. teachers) would invite their other teacher friends. But then let’s say that my site is a vendor at a teacher convention and we would like to open up registration to all attendees to the conference… but not for anyone else (unless they’re invited the regular way by existing members).

    Could we integrate a “Multiple Invitation Codes” feature? Here’s a similar plugin (it only features an invitation code though, not member invites).

    Basically, I could include one code (e.g. “TEACONF”) in the brochures that my booth has at the teacher’s conference, and then I could print another code (e.g. “MAGPROMO”) in an advertisement in a teacher’s magazine.

    Thanks,
    Paul

  36. Oh, and one way that this could work is when a visitor to the site clicks on the register button they’re redirected to the normal “You must be invited to join this community page”. Then one paragraph below would be a text field saying “If you have an invitation code please enter it now”.

  37. Is there an easy way to have a “request invite” form? Perhaps so you can collect interested users while your site is in testing or something? Bulk invites, like the invite en masse plugin, would then be very handy. Thanks for all your work. Cheers!

  38. Hi!

    I am running a website which is open for registered users only (BP 1.1.3, WPMU 2.9.1.1, Secure Invite 0.9.6). I have installed the SI plugin as desired. The invite form works and I have tested the functionality on some test users. Emails are sent OK, new invites were saved in the database like this:
    “1”;”2″;”tell@poradci-sobe.cz”;”2010-05-22 23:27:21″
    “2”;”2″;”tell@poradci-sobe.cz”;”2010-05-22 23:38:35″
    “3”;”2″;”martas@poradci-sobe.cz”;”2010-05-23 00:18:45″
    “4”;”2″;”kokotic@poradci-sobe.cz”;”2010-05-23 00:42:03″
    “5”;”2″;”satan@poradci-sobe.cz”;”2010-05-23 01:25:56″

    BUT: when I look at the Secure invite admin page (statistics – pr month, invitation list…) I see “No invitation sent yet”. Which is obviosly not true.

    What is wrong?

    Thanks a lot for helping me out!

    Martin

  39. Paul:

    “when a visitor to the site clicks on the register button they’re redirected to the normal “You must be invited to join this community page”. Then one paragraph below would be a text field saying “If you have an invitation code please enter it now”.”

    This is a good idea. I’ll bear it in mind for a future version.

    james:

    “Is there an easy way to have a “request invite” form? Perhaps so you can collect interested users while your site is in testing or something? Bulk invites, like the invite en masse plugin, would then be very handy.”

    Both good ideas too. I’ll bear these in mind.

  40. I’ve tried just about every configuration with my WPMU buddypress install and can’t get past the “Sorry, you must be invited to join” message after an invited person clicks their invite link.

    my signup page is set to : wp-signup.php,wp-login.php?action=register,/register

    and I’ve tried both wp-signup.php and register.php as my email link but get the same results.

    The site registration is set to “Both sites and user accounts can be registered.”

    Are there any other things that i should check? Thanks

Comments are closed.