Gravity Forms – Update Posts circumventing Member role permissions
It seems as though I am running into a bug that exposes a bit of a security hole but I’m not exactly sure where the bug is coming from (i.e. which plugin has introduced it).
I’m using the Members plugin for role based user management.
I’m using the Gravity Forms plugin to create posts from a form.
I’m using the Gravity Forms – Update Post plugin to allow posters to edit their posts through a form.
If I enter the URL for editing a post through the form (i.e. http://www.example.com/edit-post/?gform_post_id=100) and provide a post ID for a post that does not belong to me, I am able to see and make changes to the post through the edit post form. In addition, the post author is changed to whatever account I used to edit the post through the form.
If I use the standard wp-admin edit post page and provide the ID of a post that does not belong to me, I get a message indicating that I am not allowed to edit the post. So maybe the issue is that the Gravity Forms – Update Post plugin is somehow bypassing the role permissions established for my users. The key is that I am allowing users to edit posts they own but nobody else’s and the users’ role has been defined as such.
Any thoughts would be much appreciated.
- The topic ‘Gravity Forms – Update Posts circumventing Member role permissions’ is closed to new replies.