Allow editing form data which is submitted by "that" author - Support Forums

This topic has 8 replies, 3 voices, and was last updated 1 year, 8 months ago by Anh Tran.

Creator

Topic

June 8, 2019 at 9:59 PM #14888

Resolved

nfyp145

Participant

Hi Anh

Sorry for my limited PHP knowledge. Please help me.

I create meta box.


add_filter( 'rwmb_meta_boxes', 'your_prefix_register_meta_boxes' );
function your_prefix_register_meta_boxes( $meta_boxes ) {
    $meta_boxes[] = array (
        'title' => 'My Form',
        'id' => 'my_form',
        'post_types' => array(
            0 => 'post',
        ),
        'context' => 'normal',
        'priority' => 'high',
        'fields' => array(
            array (
                'id' => 'phone',
                'type' => 'text',
                'name' => 'Phone',
            ),
        ),
    );
    return $meta_boxes;
}

Create new page - and add shortcode.

[mb_frontend_form id ="my_form" post_fields="title" edit=true]

I setup - only subscribers can submit form.

How can I allow - to edit the form data which is submitted by that author?

I think if other figures out the link pattern /?rwmb-form-submitted=my_form&rwmb-post-id=357 with post-id=xxx at the end, form data can be easily changed even they are not that post author.

Thank you Anh.

Creator

Topic

Viewing 8 replies - 1 through 8 (of 8 total)

Author

Replies
June 10, 2019 at 10:32 AM #14899
Anh Tran
Keymaster
Hi,

This is an interesting question. After checking around, this is the solution I found:

Step 1: set the post author when submitting
```
add_filter( 'rwmb_frontend_insert_post_data', function( $data, $config ) {
    if ( $config['id'] !== 'my_form' || ! is_user_logged_in() ) {
        return $data;
    }

    // Set current post ID as the author of the post.
    $data['post_author'] = get_current_user_id();
    return $data;
}, 10, 2 );
```
Step 2: check if the current user is the post author
```
add_filter( 'do_shortcode_tag', function ( $output, $tag, $attr ) {
    if ( $tag !== 'mb_frontend_form' || $attr['id'] !== 'my_form' ) {
        return $output;
    }

    // Check if current user is the post author.
    $post_id = filter_input( INPUT_GET, 'rwmb-post-id', FILTER_SANITIZE_NUMBER_INT );
    $post = get_post( $post_id );
    if ( $post->post_author != get_current_user_id() ) {
        return 'You are not allowed to edit this post';
    }

    return $output;
}, 10, 3 );
```
June 10, 2019 at 11:13 AM #14903

nfyp145
Participant

Hello Anh

Appreciate for reply! I've been waiting for your solution all day - today.

I try as you guided above.

After adding snippets from step 1 and 2 in functions.php, ONLY admin can see and submit the form.

June 10, 2019 at 11:55 AM #14906

Anh Tran
Keymaster

If you try to edit the existing posts, then only admin can edit them. Because their post author is the admin (technically when submitting posts, the plugin doesn't set the post author, and that falls back to the admin).

This code will work with new submitted posts, where the code in the step 1 sets the proper post author.

For the existing posts, you need to set the post author manually. Then the code will work properly.

June 10, 2019 at 12:23 PM #14908

nfyp145
Participant

But after adding code from step 2...

the form page (where I insert form shortcode) is blocked with message - You are not allowed to edit this post.

So there is no chance for guest or subscriber to submit form.

June 10, 2019 at 1:43 PM #14909
Anh Tran
Keymaster
Sorry, please try this code for the 2nd step:
```
add_filter( 'do_shortcode_tag', function ( $output, $tag, $attr ) {
    if ( $tag !== 'mb_frontend_form' || $attr['id'] !== 'my_form' ) {
        return $output;
    }

    // Check if current user is the post author.
    $post_id = filter_input( INPUT_GET, 'rwmb-post-id', FILTER_SANITIZE_NUMBER_INT );
    if ( ! $post_id ) {
        return $output;
    }
    $post = get_post( $post_id );
    if ( $post->post_author != get_current_user_id() ) {
        return 'You are not allowed to edit this post';
    }

    return $output;
}, 10, 3 );
```
June 10, 2019 at 5:01 PM #14912

nfyp145
Participant

Wow...

That works beautifully. You really are the code poet.

Thank you so much Master Ahn.

February 24, 2020 at 7:58 PM #18387

calpaq
Participant

Dear Tran,
I have the same issue but my scenario is different I am creating a survey form and it is a two step form so I am first saving the form and in second step displaying second step fields depending on first step selection so I am redirecting to edit. This survey is private and so there are no users created in the process, I already created a form in a logged in status so the error didn't occured and now I am testing without user and its showing me 'you are not allowed to edit' can you please tell me how to allow this to guest. It will be helpful for me.

Thanks & Regards,
Calpaq

February 25, 2020 at 4:12 PM #18397
Anh Tran
Keymaster
Hi Calpaq,

In the latest version of the plugin, we added a check for permission, that only users with proper capability can edit posts. You can see it with this code:
```
private function user_can_edit() {
    if ( empty( $this->config['post_id'] ) ) {
        return true;
    }
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $post = get_post( $this->config['post_id'] );
    return $post && ( $post->post_author == get_current_user_id() || current_user_can( 'edit_post', $post->ID ) );
}
```
That means only logged in users which either is the post author or have edit post permission can edit that post. If you allows non-logged in users to edit post, they can simply put any post ID in the URL and thus, can edit any post/page of your site.
Author

Replies

Viewing 8 replies - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.