Gravity Forms - Update Post
Gravity Forms - Update Posts circumventing Member role permissions (7 posts)

  1. tomdaquino
    Member
    Posted 2 years ago #

    Hello,

    It seems as though I am running into a bug that exposes a bit of a security hole but I'm not exactly sure where the bug is coming from (i.e. which plugin has introduced it).

    I'm using the Members plugin for role based user management.
    I'm using the Gravity Forms plugin to create posts from a form.
    I'm using the Gravity Forms - Update Post plugin to allow posters to edit their posts through a form.

    If I enter the URL for editing a post through the form (i.e. http://www.example.com/edit-post/?gform_post_id=100) and provide a post ID for a post that does not belong to me, I am able to see and make changes to the post through the edit post form. In addition, the post author is changed to whatever account I used to edit the post through the form.

    If I use the standard wp-admin edit post page and provide the ID of a post that does not belong to me, I get a message indicating that I am not allowed to edit the post. So maybe the issue is that the Gravity Forms - Update Post plugin is somehow bypassing the role permissions established for my users. The key is that I am allowing users to edit posts they own but nobody else's and the users' role has been defined as such.

    Any thoughts would be much appreciated.

    Thanks,

    Tom

    http://wordpress.org/extend/plugins/gravity-forms-update-post/

  2. tomdaquino
    Member
    Posted 2 years ago #

    Ok, I have to apologize for overlooking an important detail on the plugin page. I missed the fact that filters must be applied to restrict editing capabilities to the author only.

    Now I just have to understand how the filters work. I'm not much good with PHP beyond very simple editing. Any assistance with creating a filter that restricts editing a post to the post's author only would be greatly appreciated.

    Thanks,
    Tom

  3. tomdaquino
    Member
    Posted 2 years ago #

    It turns out this was far simpler than I anticipated. Just change the 'update' setting from 'default' to 'author' as shown below:

    $gform_update_post = new GFUpdatePost();

    class GFUpdatePost
    {
      public $options = array(
        'request_id' => 'gform_post_id'
        ,'post_status' => 'default'
        ,'capabilities' => array(
          'update' => 'author'   // was 'default'; only the post's author may update it
          ,'delete' => 'disable'
        )
        // remaining options of the plugin's class are unchanged
      );
    }

    It wasn't initially obvious to me (but I blame that on my current scared-of-PHP status) so maybe this will help someone else out in the future.

    Best,
    Tom

  4. MarceFX
    Member
    Posted 1 year ago #

    Hi,

    I was also struggling with this issue until I got to the post. Thanks for the help.

    Now, users can only edit their own posts, but when I try to edit another user's post, the Gravity Forms form loads, although with no data. Can I redirect a user to another page when he tries to edit another user's post?

    Example:
    1. Author creates post with ID=36

    a: He tries to edit using this URL: site.com/edit-page?gform_post_id=36 --> RESULT: ok

    b: He tries to edit another user's post (ID 333): site.com/?gform_post_id=333 (RESULT: Form loads blank. I want to automatically redirect the user to another page when the URL is submitted)

    Thank you

  5. jeffpurcell
    Member
    Posted 1 year ago #

    There may be a cleaner way to do this, but what I did was I created a custom page template in my theme and added this at the top:

    <?php
    // Top of the custom page template that hosts the edit form.

    // Redirect anonymous visitors to the login page and bring them back afterwards.
    if ( ! is_user_logged_in() ) {
        nocache_headers();
        header( "HTTP/1.1 302 Moved Temporarily" );
        header( 'Location: ' . get_option( 'siteurl' ) . '/wp-login.php?redirect_to=' . urlencode( $_SERVER['REQUEST_URI'] ) );
        header( "Status: 302 Moved Temporarily" );
        exit();
    }

    // Look up the requested post; a missing or non-numeric ID yields no post.
    $post_id = isset( $_GET['gform_post_id'] ) ? (int) $_GET['gform_post_id'] : 0;
    $tmp     = $post_id > 0 ? get_post( $post_id ) : null;
    $author  = $tmp ? (int) $tmp->post_author : 0;
    $user    = get_current_user_id();

    // Redirect to the "Access Denied" page unless the current user is the post's author.
    // Nothing may be echoed before header(): any output would make the redirect fail.
    if ( $post_id <= 0 || ! $tmp || $user !== $author ) {
        nocache_headers();
        header( "HTTP/1.1 302 Moved Temporarily" );
        header( 'Location: ' . get_option( 'siteurl' ) . '/access-denied/' );
        header( "Status: 302 Moved Temporarily" );
        exit();
    }

    The first if statement redirects to the login page if the user is not logged in.

    The second if statement redirects to an "Access Denied" page if the user is not the author of the post id passed in gform_post_id.

    Like I said there may be a better way to do this, but the above works for me.
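    Added example (not code from the thread or from the plugin): a theme-level guard on WordPress's template_redirect hook that denies the edit page unless current_user_can( 'edit_post', ... ) passes. It goes a step beyond the author-ID comparison above: this is the same capability check wp-admin performs, so the role permissions configured in the Members plugin (including edit_others_posts for editors) are honoured. It assumes the edit page's slug is edit-post and that a page exists at /access-denied/.

```php
<?php
/*
 * Added example, not part of the Gravity Forms - Update Post plugin.
 * Assumes the page hosting the edit form has the slug 'edit-post' and a
 * page with the slug 'access-denied' exists. Drop into functions.php.
 */
add_action( 'template_redirect', 'example_guard_gform_edit_page' );

function example_guard_gform_edit_page() {
    // Only guard the page that hosts the Gravity Forms edit form.
    if ( ! is_page( 'edit-post' ) ) {
        return;
    }

    // Anonymous visitors go to the login form and return here afterwards.
    if ( ! is_user_logged_in() ) {
        nocache_headers();
        wp_safe_redirect( wp_login_url( home_url( $_SERVER['REQUEST_URI'] ) ) );
        exit;
    }

    // A missing or non-numeric gform_post_id is treated like an unknown post.
    $post_id = isset( $_GET['gform_post_id'] ) ? absint( $_GET['gform_post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // current_user_can( 'edit_post', ID ) maps to the role's edit_posts /
    // edit_others_posts capabilities, so an Author role that may only edit
    // its own posts is denied here exactly as it is in wp-admin.
    if ( ! $post || ! current_user_can( 'edit_post', $post_id ) ) {
        nocache_headers();
        wp_safe_redirect( home_url( '/access-denied/' ) );
        exit;
    }
}
```

    Because the check runs before any template output, the redirect headers are always sent cleanly, which is why no echo may precede it.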

  6. redwall
    Member
    Posted 1 year ago #

    Hi,

    I also stumbled across this needing help with the same issue.

    I am also not so great at PHP.

    Can you let me know where to paste the code above? Is it into my functions.php or is it in the code of the plugin somewhere?

    $gform_update_post = new GFUpdatePost();

    class GFUpdatePost
    {
      public $options = array(
        'request_id' => 'gform_post_id'
        ,'post_status' => 'default'
        ,'capabilities' => array(
          'update' => 'author'
          ,'delete' => 'disable'
        )
        // remaining options of the plugin's class are unchanged
      );
    }

  7. redwall
    Member
    Posted 1 year ago #

    Sorry, I should have just checked the code before posting this silly question!

Topic Closed

This topic has been closed to new replies.
