[Plugin: Gravity Forms Directory] Users can easily view and edit entries created by other users

Well that’s obviously not good or right. Thanks for reporting.

Hi Zack. Just wondering if this was addressed in the 3.3 / 3.3.1 releases? I didn’t notice it in the changelog.

We were able to work around this (at lease for the viewing portion) by modifying the lead_detail function in the gravity-forms-addons.php file and resusing the logic from the edit_lead_detail function.

The code now seems to handle the modification of the URL when viewing record details.

We inserted the following code starting at line 564 (directly before the call to extract($options). It essentially short circuits the generation of the detail screen and displays a notice to the user.

// If either of these two things are false (creator of lead, or admin)
            if(!(

                // Users can edit their own listings, they are logged in, the current user is the creator of the lead
                (!empty($options['useredit']) && is_user_logged_in() && $current_user->id === $lead['created_by']) === true || // OR

                // Administrators can edit every listing, and this person has administrator access
                (!empty($options['adminedit']) && self::has_access("gravityforms_directory")) === true)
            ) {
                // Kick them out.
                _e(sprintf('%sYou do not have permission to view this form.%s', '<div class="error">', '</div>'), 'gravity-forms-addons');
                return;
            }

Just looking at this again, the code above will require editing of posts to be enabled, which was a requirement for our client. The snippet below may be more correct:

// If either of these two things are false (creator of lead, or admin)
            if(!(

                // User is are logged in and is the creator of the lead
                (is_user_logged_in() && $current_user->id === $lead['created_by']) === true || // OR

                // this person has administrator access
                (self::has_access("gravityforms_directory")) === true)
            ) {
                // Kick them out.
                _e(sprintf('%sYou do not have permission to view this form.%s', '<div class="error">', '</div>'), 'gravity-forms-addons');
                return;
            }

And one final edit, *something* changed when our wordpress install was upgraded to the latest. I’m not sure what (and i can’t imagine this is what really broke us, but it was working the night before and confirmed by 3 testers), but we had to change the === to == for comparison operator on the user->id to $lead[‘created_by’] comparison.

(is_user_logged_in() && $current_user->id == $lead['created_by']) === true || //

Hi Zack,

I’ve gotten the edit entry to work, but I’m having a slight display issue. One of the Gravity forms I’ve created allows a coach to enter his player roster. For that, I’m using a List field with multiple columns enabled. When we got to edit one of those roster submissions, because there are multiple columns in the list, the entry table goes waaaaaaaaaaay off the page and I can’t even see the end of it. Is there a way to force the display of the entry table to be confined to the website’s content area?

Thanks! ??

Would appreciate any possible solutions as soon as you have time. Thanks!

I don’t seem to be able to stop users that are not logged in from viewing a URL link to a form entry! Help please ??