
Gravity Forms Directory
Users can easily view and edit entries created by other users (9 posts)

  1. tzeldin88
    Member
    Posted 1 year ago #

    The entries in the Directory can be limited to those created by the logged-in user, with this setting:
    __ Display entries only to the creator of the entry (users will not see other people's entries). (limituser)

    When he views a Single Entry, the url can easily be changed so he can view an entry created by another user. And if Editing is enabled, he can EDIT the entry of another user!

    URL when viewing a legit single entry (one created by this user)
    http://site.com/wp/my-account/my-entries/entry/4/1/

    But he can easily change that url to
    http://site.com/wp/my-account/my-entries/entry/4/4/
    and see the entry whether he created it or not.

    And if the EDIT url var is there too
    http://site.com/wp/my-account/my-entries/entry/4/4/?edit=9b5f7b8e6a
    he can edit the entry.

    http://wordpress.org/extend/plugins/gravity-forms-addons/

  2. Zack Katz
    Member
    Plugin Author

    Posted 1 year ago #

    Well that's obviously not good or right. Thanks for reporting.

  3. tzeldin88
    Member
    Posted 1 year ago #

    Hi Zack. Just wondering if this was addressed in the 3.3 / 3.3.1 releases? I didn't notice it in the changelog.

  4. turtletnt
    Member
    Posted 1 year ago #

    We were able to work around this (at least for the viewing portion) by modifying the lead_detail function in the gravity-forms-addons.php file and reusing the logic from the edit_lead_detail function.

    The code now seems to handle the modification of the URL when viewing record details.

    We inserted the following code starting at line 564 (directly before the call to extract($options)). It essentially short-circuits the generation of the detail screen and displays a notice to the user.

    // Inserted into lead_detail() before extract($options). If neither condition
    // holds (creator of the lead, or admin), bail out and show a notice.
    global $current_user; // WP_User for the visitor; needed unless lead_detail() already declares it

    if ( ! (
        // Users can edit their own listings, they are logged in, and the current user is the creator of the lead
        ( ! empty( $options['useredit'] ) && is_user_logged_in() && $current_user->id === $lead['created_by'] ) === true || // OR

        // Administrators can edit every listing, and this person has administrator access
        ( ! empty( $options['adminedit'] ) && self::has_access( 'gravityforms_directory' ) ) === true
    ) ) {
        // Kick them out.
        _e( sprintf( '%sYou do not have permission to view this form.%s', '<div class="error">', '</div>' ), 'gravity-forms-addons' );
        return;
    }
  5. turtletnt
    Member
    Posted 1 year ago #

    Just looking at this again, the code above will require editing of posts to be enabled, which was a requirement for our client. The snippet below may be more correct:

    // Inserted into lead_detail() before extract($options). Unlike the first
    // version, this does not depend on the useredit / adminedit options.
    global $current_user; // WP_User for the visitor; needed unless lead_detail() already declares it

    if ( ! (
        // User is logged in and is the creator of the lead
        ( is_user_logged_in() && $current_user->id === $lead['created_by'] ) === true || // OR

        // this person has administrator access
        ( self::has_access( 'gravityforms_directory' ) ) === true
    ) ) {
        // Kick them out.
        _e( sprintf( '%sYou do not have permission to view this form.%s', '<div class="error">', '</div>' ), 'gravity-forms-addons' );
        return;
    }
  6. turtletnt
    Member
    Posted 1 year ago #

    And one final edit: *something* changed when our WordPress install was upgraded to the latest. I'm not sure what (and I can't imagine this is what really broke us, but it was working the night before and confirmed by 3 testers), but we had to change the === to == for the comparison operator on the user->id to $lead['created_by'] comparison.

    // Loose comparison: $lead['created_by'] comes back from the database as a string, $current_user->id is an int
    ( is_user_logged_in() && $current_user->id == $lead['created_by'] ) === true || //
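    The ownership check the thread converges on, written out as a stand-alone PHP example. This is added here for illustration; it is not the plugin's code and not turtletnt's snippet. It assumes that the lead array carries `created_by` as a string (which is how `$wpdb` returns columns), that the caller evaluates the plugin's `has_access("gravityforms_directory")` and passes the result in as a boolean, and that the function name `gfd_can_access_lead` and the sample data are hypothetical. It goes slightly beyond the snippet above: it casts both ids to int (so the === versus == question does not arise and `"1abc" == 1`-style loose matches cannot slip through), refuses logged-out visitors outright, keys the view decision on the `limituser` option from the first post, and treats an `?edit=` request as a separate, stricter decision, so a valid-looking edit token on another user's entry is still refused.

```php
<?php
// Added example for the Gravity Forms Directory single-entry IDOR discussed in
// this thread. Not the plugin's code; gfd_can_access_lead() is a hypothetical name.

/**
 * Decide whether the current visitor may view (or edit) a single lead.
 *
 * @param array $lead     Entry row; 'created_by' arrives as a string from $wpdb (assumption).
 * @param array $options  Directory options: 'limituser', 'useredit', 'adminedit'.
 * @param mixed $user_id  get_current_user_id(); 0 when nobody is logged in.
 * @param bool  $is_admin Result of the plugin's has_access('gravityforms_directory') (assumption).
 * @param bool  $editing  True when the request carries ?edit=...
 * @return bool
 */
function gfd_can_access_lead( array $lead, array $options, $user_id, $is_admin, $editing = false ) {
    // Normalise both ids to int. This removes the "1" (string from the DB) vs
    // 1 (int from WP_User) mismatch behind the === / == change in the thread,
    // without falling back to a loose == that also accepts "" == 0.
    $owner_id = isset( $lead['created_by'] ) ? (int) $lead['created_by'] : 0;
    $user_id  = (int) $user_id;

    // Anonymous visitors never reach an entry, whatever the URL says.
    if ( $user_id <= 0 ) {
        return false;
    }

    $is_owner = ( $owner_id === $user_id );

    if ( $editing ) {
        // Editing needs the matching option AND ownership or admin rights.
        // The edit token in the URL is not a substitute for this check.
        return ( ! empty( $options['useredit'] ) && $is_owner )
            || ( ! empty( $options['adminedit'] ) && $is_admin );
    }

    // Viewing: when the directory is limited to the creator (limituser), only
    // the creator or an admin may open the entry; an open directory allows it.
    if ( ! empty( $options['limituser'] ) ) {
        return $is_owner || $is_admin;
    }
    return true;
}

// How it would sit in lead_detail(), before the entry is rendered (illustrative;
// the plugin's surrounding code is not reproduced here):
//
// if ( ! gfd_can_access_lead( $lead, $options, get_current_user_id(),
//         self::has_access( 'gravityforms_directory' ), isset( $_GET['edit'] ) ) ) {
//     echo '<div class="error">' . esc_html__( 'You do not have permission to view this form.', 'gravity-forms-addons' ) . '</div>';
//     return;
// }

// Constructed sample data (not from the plugin) mirroring the URLs in the first
// post: entry 1 belongs to user 1, entry 4 to user 4.
$options        = array( 'limituser' => 1, 'useredit' => 1, 'adminedit' => 1 );
$lead_of_user_1 = array( 'id' => 1, 'created_by' => '1' ); // string, as $wpdb returns it
$lead_of_user_4 = array( 'id' => 4, 'created_by' => '4' );

$cases = array(
    // description,                      lead,            user_id, is_admin, editing, expected
    array( 'owner views own entry',       $lead_of_user_1, 1,       false,    false,   true ),
    array( 'user 1 views entry 4 (IDOR)', $lead_of_user_4, 1,       false,    false,   false ),
    array( 'user 1 edits entry 4 (IDOR)', $lead_of_user_4, 1,       false,    true,    false ),
    array( 'logged-out visitor views',    $lead_of_user_4, 0,       false,    false,   false ),
    array( 'admin views other entry',     $lead_of_user_4, 2,       true,     false,   true ),
    array( 'admin edits other entry',     $lead_of_user_4, 2,       true,     true,    true ),
);

foreach ( $cases as $c ) {
    list( $desc, $lead, $uid, $admin, $edit, $expected ) = $c;
    $got = gfd_can_access_lead( $lead, $options, $uid, $admin, $edit );
    printf( "%-32s %s\n", $desc, $got === $expected ? 'ok' : 'MISMATCH' );
}
```

    Run it with `php example.php`; every case should print `ok`. The two IDOR rows reproduce the first post's URL manipulation (user 1 opening `/entry/4/4/` with and without `?edit=`) and show both being refused, while the admin rows keep the behaviour the adminedit option is meant to provide.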
  7. 39images
    Member
    Posted 1 year ago #

    Hi Zack,

    I've gotten the edit entry to work, but I'm having a slight display issue. One of the Gravity forms I've created allows a coach to enter his player roster. For that, I'm using a List field with multiple columns enabled. When we go to edit one of those roster submissions, because there are multiple columns in the list, the entry table goes waaaaaaaaaaay off the page and I can't even see the end of it. Is there a way to force the display of the entry table to be confined to the website's content area?

    Thanks! :)

  8. 39images
    Member
    Posted 1 year ago #

    Would appreciate any possible solutions as soon as you have time. Thanks!

  9. tabboy
    Member
    Posted 11 months ago #

    I don't seem to be able to stop users that are not logged in from viewing a URL link to a form entry! Help please :)

This topic has been closed to new replies.