Custom Fields
Re-Envisioned
Support MB Frontend Submission Allow editing form data which is submitted by "that" author

  • Creator
    Topic
  • #14888
    Resolved nfyp145
    Participant

    Hi Anh

    Sorry for my limited PHP knowledge. Please help me.

    I create meta box.

    
    add_filter( 'rwmb_meta_boxes', 'your_prefix_register_meta_boxes' );
    function your_prefix_register_meta_boxes( $meta_boxes ) {
        $meta_boxes[] = array (
            'title' => 'My Form',
            'id' => 'my_form',
            'post_types' => array(
                0 => 'post',
            ),
            'context' => 'normal',
            'priority' => 'high',
            'fields' => array(
                array (
                    'id' => 'phone',
                    'type' => 'text',
                    'name' => 'Phone',
                ),
            ),
        );
        return $meta_boxes;
    }
    

    Create new page – and add shortcode.

    [mb_frontend_form id ="my_form" post_fields="title" edit=true]

    I setup – only subscribers can submit form.

    How can I allow – to edit the form data which is submitted by that author?

    I think if other figures out the link pattern /?rwmb-form-submitted=my_form&rwmb-post-id=357 with post-id=xxx at the end, form data can be easily changed even they are not that post author.

    Thank you Anh.

Viewing 8 replies - 1 through 8 (of 8 total)
  • Author
    Replies
  • #14899
    Anh Tran
    Keymaster

    Hi,

    This is an interesting question. After checking around, this is the solution I found:

    Step 1: set the post author when submitting

    add_filter( 'rwmb_frontend_insert_post_data', function( $data, $config ) {
        if ( $config['id'] !== 'my_form' || ! is_user_logged_in() ) {
            return $data;
        }
    
        // Set current post ID as the author of the post.
        $data['post_author'] = get_current_user_id();
        return $data;
    }, 10, 2 );

    Step 2: check if the current user is the post author

    add_filter( 'do_shortcode_tag', function ( $output, $tag, $attr ) {
        if ( $tag !== 'mb_frontend_form' || $attr['id'] !== 'my_form' ) {
            return $output;
        }
    
        // Check if current user is the post author.
        $post_id = filter_input( INPUT_GET, 'rwmb-post-id', FILTER_SANITIZE_NUMBER_INT );
        $post = get_post( $post_id );
        if ( $post->post_author != get_current_user_id() ) {
            return 'You are not allowed to edit this post';
        }
    
        return $output;
    }, 10, 3 );
    #14903
    nfyp145
    Participant

    Hello Anh

    Appreciate for reply! I’ve been waiting for your solution all day – today.

    I try as you guided above.

    After adding snippets from step 1 and 2 in functions.php, ONLY admin can see and submit the form.

    #14906
    Anh Tran
    Keymaster

    If you try to edit the existing posts, then only admin can edit them. Because their post author is the admin (technically when submitting posts, the plugin doesn’t set the post author, and that falls back to the admin).

    This code will work with new submitted posts, where the code in the step 1 sets the proper post author.

    For the existing posts, you need to set the post author manually. Then the code will work properly.

    #14908
    nfyp145
    Participant

    But after adding code from step 2…

    the form page (where I insert form shortcode) is blocked with message – You are not allowed to edit this post.

    So there is no chance for guest or subscriber to submit form.

    #14909
    Anh Tran
    Keymaster

    Sorry, please try this code for the 2nd step:

    add_filter( 'do_shortcode_tag', function ( $output, $tag, $attr ) {
        if ( $tag !== 'mb_frontend_form' || $attr['id'] !== 'my_form' ) {
            return $output;
        }
    
        // Check if current user is the post author.
        $post_id = filter_input( INPUT_GET, 'rwmb-post-id', FILTER_SANITIZE_NUMBER_INT );
        if ( ! $post_id ) {
            return $output;
        }
        $post = get_post( $post_id );
        if ( $post->post_author != get_current_user_id() ) {
            return 'You are not allowed to edit this post';
        }
    
        return $output;
    }, 10, 3 );
    #14912
    nfyp145
    Participant

    Wow…

    That works beautifully. You really are the code poet.

    Thank you so much Master Ahn.

    #18387
    calpaq
    Participant

    Dear Tran,
    I have the same issue but my scenario is different I am creating a survey form and it is a two step form so I am first saving the form and in second step displaying second step fields depending on first step selection so I am redirecting to edit. This survey is private and so there are no users created in the process, I already created a form in a logged in status so the error didn’t occured and now I am testing without user and its showing me ‘you are not allowed to edit’ can you please tell me how to allow this to guest. It will be helpful for me.

    Thanks & Regards,
    Calpaq

    #18397
    Anh Tran
    Keymaster

    Hi Calpaq,

    In the latest version of the plugin, we added a check for permission, that only users with proper capability can edit posts. You can see it with this code:

    private function user_can_edit() {
        if ( empty( $this->config['post_id'] ) ) {
            return true;
        }
        if ( ! is_user_logged_in() ) {
            return false;
        }
        $post = get_post( $this->config['post_id'] );
        return $post && ( $post->post_author == get_current_user_id() || current_user_can( 'edit_post', $post->ID ) );
    }

    That means only logged in users which either is the post author or have edit post permission can edit that post. If you allows non-logged in users to edit post, they can simply put any post ID in the URL and thus, can edit any post/page of your site.

Viewing 8 replies - 1 through 8 (of 8 total)
  • You must be logged in to reply to this topic.
grid gear info copy caret-up caret-down trash