The field shortcode can be used to display any of the registration fields for a logged-in user. The field parameter corresponds to that field’s option name (found in the WP-Members Fields option tab; this is also the usermeta key).
The field shortcode can also be used to display data about other users. The user is specified with an “id” attribute. The id must be either the numeric user ID of a specific user or “get” to indicate that the user ID will be passed through a querystring as “uid” (i.e. http://yoursite/your-page/?uid=123).
You can specify a field’s meta key as a shortcode attribute or you can use the attribute field="meta_key" (where “meta_key” is the meta key for the desired field).
Note that because this shortcode can display user data, there are security implications for its use. If you do not use it at all, the recommendation is to leave this option disabled. Otherwise, make sure you are familiar with the security implications outlined below.
Usage examples:
Display the user’s username:
[wpmem_field user_login]
[wpmem_field field="user_login"]
Display the user’s first name and last name:
[wpmem_field first_name] [wpmem_field last_name]
[wpmem_field field="first_name"] [wpmem_field field="last_name"]
Display email for a specific user (ID=123):
[wpmem_field user_email id="123"]
[wpmem_field field="user_email" id="123"]
Display first name/last name for an ID passed through a querystring (uid):
[wpmem_field first_name id="get"] [wpmem_field last_name id="get"]
[wpmem_field field="first_name" id="get"] [wpmem_field field="last_name" id="get"]
Additional Attributes
There are some additional attributes that can be used, primarily for specific field types.
Select (dropdown), Multiple Select, Multiple Checkbox, and Radio Fields:
These fields generally have a different saved (stored) value than what is displayed to the user (such as the case of a dropdown select field). The shortcode default is to display the “display” value of the field rather than the saved value. However, in cases where the saved value is needed, you can add the attribute display=raw to the shortcode. The following example would display the raw/saved value for the field my_dropdown:
[wpmem_field my_dropdown display=raw]
Textarea Fields:
The textarea field type also accepts the display=raw attribute as outlined above. In the case of a textarea field, this allows the field’s data to be displayed without converting line breaks to the HTML <br> tag.
Image and File Fields:
File field types display a link to the file. Image field types display the image. If the raw ID value is desired instead, then the attribute display=raw can be used.
[wpmem_field my_file display=raw] would display the post ID for the file.
A “file” field type will display a link to the file, using the title parameter from the post.
An “image” field type will display a thumbnail of the image. This can be changed using the “size” attribute. The value can be the following:
- thumbnail
- medium
- large
- full
- width,height
Examples
[wpmem_field my_image size=medium] would display the medium size of the image where “my_image” is the meta key (option name) of the field.
[wpmem_field my_image size="100,200"] would display the image my_image at a size of 100px wide by 200px high.
Date Fields:
The HTML “date” field type will automatically format its output based on the localized date format setting you have in your WordPress General Settings.
If you want to display this field in another format, you can apply the attribute “format” based on PHP date format parameters.
Clickable Links:
Any field that holds content that may be displayed as a link (either a URL or an email address) can be made clickable by applying the “clickable” attribute set to true. This can be individual field data such as user_email (making the link a mailto: link) or user_url (making the URL clickable), or it can be a text or textarea field type that contains a URL or email address in which case that piece of the content would be made into a clickable link.
Example:
[wpmem_field user_email clickable=true]
A (not fully exhaustive) List of Parameters from the default install:
WP Default Fields:
- ID
- user_login/username
- user_email
- user_registered
- user_url
- first_name
- last_name
- description
WP-Members Default Fields:
In addition to the above list, any fields that are in the WP-Members fields array (any meta keys in the WP-Members Fields tab).
Additional Fields:
Any fields that you might add to the plugin’s registration process can be displayed in this same way. The value you give to the Option Name is the parameter that you would use. [See Choosing Fields for how to set up custom fields in the plugin registration]
Filter Available Meta Keys
While the shortcode is by default limited to the fields noted above, there is a filter you can use to include additional meta keys. This may include meta keys from/used by other plugins. Please make sure that you understand any security implications when including custom meta keys in the available fields array.
Security Implications
Note that there are some security implications of using the [wpmem_field] shortcode. If you have any users who can edit posts, but do not have access to user data, they can potentially expose certain user data by using the shortcode in a post (or other area they are allowed to edit). The plugin has some different settings available for using or disabling this shortcode in order to mitigate these risks as outlined below.
Am I at risk?
First, make sure you have the most recent plugin version 3.4.9 or higher installed.
If your WP installation relies only on administrators for editing posts and managing users, and there are no other roles that can edit posts, then you really do not have any risks with this shortcode. However, if you do not use the shortcode at all, then go ahead and leave it disabled anyway.
Can you clarify that?
Yes. There is no risk regarding user data for general display in most cases. It is only if you have an authenticated user who can edit posts but does not have access to user data. An untrusted user with “edit_posts” permissions could potentially use the shortcode to view certain user fields.
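To check whether the situation described above exists on a site, the following added example (not part of the plugin or its documentation) lists every post that contains the shortcode and whose author does not have the “list_users” capability. It assumes WP-CLI is available to run it; the function name audit_wpmem_field_usage and the file name are hypothetical.

```php
<?php
/**
 * Added example (not WP-Members code). Run with: wp eval-file audit-wpmem-field.php
 * Lists posts that contain [wpmem_field] and were authored by a user who
 * cannot list users, i.e. the case described in "Am I at risk?".
 */
function audit_wpmem_field_usage() {
	global $wpdb;
	$findings = array();

	// Narrow the candidates in SQL first; revisions are skipped.
	$rows = $wpdb->get_results(
		$wpdb->prepare(
			"SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts}
			 WHERE post_type <> 'revision' AND post_content LIKE %s",
			'%' . $wpdb->esc_like( '[wpmem_field' ) . '%'
		)
	);

	// WordPress' own shortcode regex, restricted to this one tag.
	$pattern = '/' . get_shortcode_regex( array( 'wpmem_field' ) ) . '/';

	foreach ( $rows as $row ) {
		if ( user_can( (int) $row->post_author, 'list_users' ) ) {
			continue; // Author already has access to user data.
		}
		preg_match_all( $pattern, $row->post_content, $matches, PREG_SET_ORDER );
		foreach ( $matches as $m ) {
			$atts       = (array) shortcode_parse_atts( $m[3] ); // $m[3] = attribute string
			$findings[] = array(
				'post_id' => (int) $row->ID,
				'author'  => (int) $row->post_author,
				'status'  => $row->post_status,
				'id_attr' => isset( $atts['id'] ) ? $atts['id'] : '(current user)',
				'tag'     => $m[0],
			);
		}
	}
	return $findings;
}

foreach ( audit_wpmem_field_usage() as $f ) {
	printf( "post %d (%s) author %d id=%s %s\n", $f['post_id'], $f['status'], $f['author'], $f['id_attr'], $f['tag'] );
}
```

This only inspects post content; shortcodes placed in widgets or other editable areas need a separate review.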
Shortcode Options
Because this shortcode can display user meta data, there are some security options in the plugin’s settings. You can choose from one of the following:
- Fully disabled
- Partially enabled
- Fully enabled
If you do not use it at all, use option #1 – fully disabled. There may not be any risks to you (see “Am I at risk?” above), but if you don’t need it, don’t enable it; then you don’t have to worry about it.
If you use this in a front-end user edit situation, you might want to consider the “partially enabled” option. In this configuration, the shortcode result will only be parsed (i.e. display user data) if the viewing user has “list_users” capability.
If you use the shortcode for displaying user information on the front end, you will want to have the shortcode set as “fully enabled”. In order to protect certain user information from being inadvertently exposed, this option defaults to ONLY allowing the meta keys that are in the WP-Members fields array (those meta keys in the Fields tab, with the exception of password and fields that are not stored, specifically confirm_password and confirm_email). Also allowed are the list of WP default fields listed above. Other WP default user data in the user object is specifically excluded and will not be displayed.
If you have additional meta fields you need to allow the shortcode to display, you can use the wpmem_field_sc_meta_keys filter hook to include them in the array of allowed meta keys.
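An added example of using this filter (not code from the plugin). It assumes the filter passes the array of allowed meta keys as its first argument and expects the modified array back; the meta keys company_name and membership_level are hypothetical. The guard keeps credential, session and capability keys out of the list even if someone later adds them to the site's own list by mistake.

```php
<?php
/**
 * Added example (not WP-Members code): allow extra meta keys in [wpmem_field].
 * Assumption: the filter receives the array of allowed meta keys and
 * expects the modified array to be returned.
 */
add_filter( 'wpmem_field_sc_meta_keys', function ( $allowed_keys ) {
	$allowed_keys = (array) $allowed_keys;

	// Hypothetical custom meta keys this site wants the shortcode to display.
	$extra_keys = array( 'company_name', 'membership_level' );

	// WordPress user fields/meta that should never be rendered in post content.
	$never_allow = array( 'user_pass', 'user_activation_key', 'session_tokens' );

	foreach ( $extra_keys as $key ) {
		// Skip denied keys and role/capability meta (e.g. wp_capabilities, wp_user_level).
		if ( in_array( $key, $never_allow, true ) || preg_match( '/(capabilities|user_level)$/', $key ) ) {
			continue;
		}
		$allowed_keys[] = $key;
	}

	return array_unique( $allowed_keys );
} );
```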