• Resolved andytela

    (@andymoonshine)


    I came across this problem and noticed it had been mentioned here
    https://www.ads-software.com/support/topic/plugin-gravity-forms-directory-users-can-easily-view-and-edit-entries-created-by-other-users but the topic is now closed

    If anyone is interested, I utilised turtletnt's idea but changed it so as not to modify the plugin, in case it gets updated.

    I'm sure someone can clean it up, but it works for me and hopefully it might help someone else.

    To stop someone editing an entry

    // -----------------------------------------------------------
    // Block user from editing someone else's form
    // -----------------------------------------------------------
    // Hooked to form ID 2 only (the _2 suffix); change or drop the
    // suffix to cover other forms.
    
    add_filter('gform_pre_render_2', 'check_userform_access');
    add_filter('gform_admin_pre_render_2', 'check_userform_access');
    function check_userform_access($form){
    	global $current_user;
    
    	// Only the request path is needed; scheme and host were never used
    	$path  = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    	$parts = explode('/', rtrim($path, '/'));
    	$entry_id = end($parts); // end() needs a variable, not an expression
    
    	if(is_numeric($entry_id)){
    		// Load this form's entries only when the URL names an entry
    		$form_meta = RGFormsModel::get_leads($form['id']);
    
    		// ID of the entry's creator, or null if the entry is not in this form
    		$lead = null;
    		foreach ($form_meta as $data) {
    			if((int) $data['id'] === (int) $entry_id){
    				$lead = $data['created_by'];
    				break;
    			}
    		}
    		if(!(
    		    // User is logged in and is the creator of the lead
    		    // (anonymous entries have created_by NULL and never match)
    		    (is_user_logged_in() && $lead !== null && (int) $current_user->id === (int) $lead) || // OR
    		    // this person has administrator access
    		    current_user_can( 'manage_options' ))
    		) {
    		    // Kick them out: print the notice and hand Gravity Forms an
    		    // empty form, so it renders nothing instead of the edit form.
    		    echo '<div class="error">' . esc_html__('You do not have permission to edit this form.', 'gravity-forms-addons') . '</div>';
    		    return null;
    		}
    	}
        return $form;
    }

    And to block entries being viewed

    // -----------------------------------------------------------
    // Block user from viewing someone else's form
    // -----------------------------------------------------------
    
    add_filter( 'the_content', 'checkForDirectory' );
    function checkForDirectory($content){
    
    	global $current_user;
    
    	// Only act on pages that carry the directory shortcode
    	if (strpos($content,'[directory form') === false) {
    		return $content;
    	}
    
    	// Directory entry URLs look like /entry/<form_id>/<entry_id>/
    	$path    = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    	$url_arr = explode('/', rtrim($path, '/'));
    	$entry_id = $url_arr[count($url_arr)-1];
    	$form_id  = count($url_arr) > 1 ? $url_arr[count($url_arr)-2] : '';
    
    	if (is_numeric($entry_id)) {
    		// ID of the entry's creator, or null if no such entry exists
    		$lead = null;
    		if (is_numeric($form_id)) {
    			foreach (RGFormsModel::get_leads($form_id) as $data) {
    				if((int) $data['id'] === (int) $entry_id){
    					$lead = $data['created_by'];
    					break;
    				}
    			}
    		}
    
    		if(!(
    		    // User is logged in and is the creator of the lead
    		    (is_user_logged_in() && $lead !== null && (int) $current_user->id === (int) $lead) || // OR
    		    // this person has administrator access
    		    current_user_can( 'manage_options' ))
    		) {
    		    // Kick them out: replace the page content with the notice
    		    return '<div class="error">' . esc_html__('You do not have permission to view this form.', 'gravity-forms-addons') . '</div>';
    		}
    
    	}
    	return $content;
    }

    Cheers
    Andy

    https://www.ads-software.com/plugins/gravity-forms-addons/
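    Added example (editor's code, not from Andy's post or from the plugin): the same idea as the two snippets above, but with one authorisation helper shared by the edit and view hooks, applied to every form rather than only form ID 2, and denying by default for anonymous entries or entries that do not belong to the form named in the URL. It assumes the directory's single-entry URLs look like /entry/<form_id>/<entry_id>/ (the pattern quoted later in this thread) and that Gravity Forms 1.8 or later is installed, so GFAPI::get_entry() and the gravityforms_view_entries / gravityforms_edit_entries capabilities exist. The function names prefixed gfd_ are the editor's own.

```php
<?php
// Editor's example; not part of the Gravity Forms Directory plugin.
// Assumes single-entry URLs of the form /entry/<form_id>/<entry_id>/.

/**
 * Pull (form_id, entry_id) out of a request path, or return null when the
 * path is not a single-entry URL. Pure function, so it is easy to unit-test.
 */
function gfd_parse_entry_path( $path ) {
	if ( preg_match( '#/entry/(\d+)/(\d+)/?$#', $path, $m ) ) {
		return array( 'form_id' => (int) $m[1], 'entry_id' => (int) $m[2] );
	}
	return null;
}

/**
 * Authorisation decision. $action is 'view' or 'edit'.
 * Deny by default: an anonymous entry (created_by NULL) is reachable only
 * by a user who holds the Gravity Forms capability for that action.
 */
function gfd_user_may_access_entry( array $entry, $user_id, $action ) {
	$cap = ( $action === 'edit' ) ? 'gravityforms_edit_entries' : 'gravityforms_view_entries';
	if ( user_can( $user_id, $cap ) || user_can( $user_id, 'manage_options' ) ) {
		return true;
	}
	$owner = isset( $entry['created_by'] ) ? (int) $entry['created_by'] : 0;
	return $user_id > 0 && $owner === (int) $user_id;
}

/** Load the entry named in the current request and check it against the current user. */
function gfd_current_request_allowed( $action ) {
	$ids = gfd_parse_entry_path( (string) parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ) );
	if ( $ids === null ) {
		return true; // not a single-entry URL, nothing to protect here
	}
	$entry = GFAPI::get_entry( $ids['entry_id'] );
	// Unknown entry, or an entry from a different form than the URL claims: deny.
	if ( is_wp_error( $entry ) || (int) $entry['form_id'] !== $ids['form_id'] ) {
		return false;
	}
	return gfd_user_may_access_entry( $entry, get_current_user_id(), $action );
}

function gfd_denied_notice( $action ) {
	return '<div class="error">' . esc_html( sprintf( 'You do not have permission to %s this entry.', $action ) ) . '</div>';
}

// Edit path: no _<form_id> suffix, so it applies to every form. Returning
// null makes Gravity Forms show its "could not locate your form" message
// instead of the edit form.
add_filter( 'gform_pre_render', 'gfd_guard_edit' );
add_filter( 'gform_admin_pre_render', 'gfd_guard_edit' );
function gfd_guard_edit( $form ) {
	if ( gfd_current_request_allowed( 'edit' ) ) {
		return $form;
	}
	echo gfd_denied_notice( 'edit' );
	return null;
}

// View path: swap the page content for the notice instead of echoing into
// the middle of the template.
add_filter( 'the_content', 'gfd_guard_view' );
function gfd_guard_view( $content ) {
	if ( strpos( $content, '[directory form' ) === false || gfd_current_request_allowed( 'view' ) ) {
		return $content;
	}
	return gfd_denied_notice( 'view' );
}
```

    The check compares the entry's form_id with the form ID in the URL, so a user cannot reach an entry from another form by editing the path, and it reads the entry by ID instead of loading every entry of the form on each page render.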

Viewing 5 replies - 1 through 5 (of 5 total)
  • Andy,

    Thanks for these functions. I happened to notice this issue when testing my setup and your work has fixed this security hole.

    Thanks again!

    This looks good, but I don't know where to put it.
    Can you shed some light?

    Thread Starter andytela

    (@andymoonshine)

    Hi

    Just paste both pieces into your functions.php file

    Cheers
    Andy

    Plugin Author Zack Katz

    (@katzwebdesign)

    Is this still an issue using the latest version of the plugin? If so, can someone please provide a link (or email [email protected] with a link)?

    Thread Starter andytela

    (@andymoonshine)

    Hi

    I was using 3.5.4 & have just upgraded to 3.5.4.3 to test
    I commented out the scripts from above and the problem is still there even if the user isn’t logged in at all, i.e.
    https://domain.com/entry/7/70/
    Can be seen by everyone
    If you’re not logged in you can’t edit it, but if you are logged in, irrelevant of who it is you can edit it

    Unfortunately I can’t supply a link as it’s still being developed on a local environment
    Let me know if you need any more details

    Cheers
    Andy

  • The topic ‘Users can view and edit entries by other users’ is closed to new replies.