Gravity Forms – Update Posts circumventing Member role permissions

  • Hello,

    It seems as though I am running into a bug that exposes a bit of a security hole but I’m not exactly sure where the bug is coming from (i.e. which plugin has introduced it).

    I’m using the Members plugin for role based user management.
    I’m using the Gravity Forms plugin to create posts from a form.
    I’m using the Gravity Forms – Update Post plugin to allow posters to edit their posts through a form.

    If I enter the URL for editing a post through the form (i.e. https://www.example.com/edit-post/?gform_post_id=100) and provide a post ID for a post that does not belong to me, I am able to see and make changes to the post through the edit post form. In addition, the post author is changed to whatever account I used to edit the post through the form.

    If I use the standard wp-admin edit post page and provide the ID of a post that does not belong to me, I get a message indicating that I am not allowed to edit the post. So maybe the issue is that the Gravity Forms – Update Post plugin is somehow bypassing the role permissions established for my users. The key is that I am allowing users to edit posts they own but nobody else’s and the users’ role has been defined as such.

    Any thoughts would be much appreciated.

    Thanks,

    Tom

    https://www.ads-software.com/extend/plugins/gravity-forms-update-post/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter tomdaquino

    (@tomdaquino)

    Ok, I have to apologize for overlooking an important detail on the plugin page. I missed the fact that filters must be applied to restrict editing capabilities to the author only.

    Now I just have to understand how the filters work. I’m not much good with PHP beyond very simple editing. Any assistance with creating a filter that restricts editing a post to the post’s author only would be greatly appreciated.

    Thanks,
    Tom

    Thread Starter tomdaquino

    (@tomdaquino)

    It turns out this was far more simple than I anticipated. Just change the ‘update’ setting from ‘default’ to ‘author’ as shown below:

    $gform_update_post = new GFUpdatePost();

class GFUpdatePost
{
  public $options = array(
    'request_id' => 'gform_post_id'
    ,'post_status' => 'default'
    ,'capabilities' => array(
      'update' => 'author'
      ,'delete' => 'disable'

    It wasn’t initially obvious to me (but I blame that on my current /scared of PHP status) so maybe this will help someone else out in the future.

    Best,
    Tom

    Hi,

    I was also struggling with this issue until I got to the post. Thanks for the help.

    Now, users can only edit their posts, but when I try to edit another user post, the gravity forms loads, although with no data. Can I redirect a user to another page when he tries to edit another user post?

    Example:
    1.Author creates post with ID=36

    a: He tries to edit using this URL: site.com/edit-page?gform_post_id=36–> RESULT: ok

    b: He tries to edit another user post (ID 333): site.com/?gform_post_id=333 (RESULT: Form loads in blank. I want to automatically redirect the user to another page when the URL is submitted)

    Thank you

    There may be a cleaner way to do this, but what I did was I created a custom page template in my theme and added this at the top:

    if( !is_user_logged_in( ) ) {
    nocache_headers();
    header("HTTP/1.1 302 Moved Temporarily");
    header('Location: ' . get_settings('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
    header("Status: 302 Moved Temporarily");
    exit();
}

$tmp = get_post( $_GET['gform_post_id'] );
$author = $tmp->post_author;
$user = get_current_user_id(); 

if( $_GET['gform_post_id'] <= 0 || $user != $author ) {
    echo "HERE";
    nocache_headers();
    header("HTTP/1.1 302 Moved Temporarily");
    header('Location: ' . get_settings('siteurl') . '/access-denied/');
    header("Status: 302 Moved Temporarily");
    exit();
}

    The first if statement redirects to the login page if the user is not logged in.

    The second if statement redirects to an “Access Denied” page if the user is not the author of the post id passed in gform_post_id.

    Like I said there may be a better way to do this, but the above works for me.

    Hi,

    I also stumbled across this needing help with the same issue.

    I am also not so great at PHP.

    Can you let me know where to paste the code above? Is it into my functions.php or is it in the code of the plugin somewhere?

    $gform_update_post = new GFUpdatePost();

    class GFUpdatePost
{
  public $options = array(
    'request_id' => 'gform_post_id'
    ,'post_status' => 'default'
    ,'capabilities' => array(
      'update' => 'author'
      ,'delete' => 'disable'

    sorry, should of just checked the code before posting this silly question!

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Gravity Forms – Update Posts circumventing Member role permissions’ is closed to new replies.