
Commit 75af9b1

committed
Fixed issue where unauthenticated users could not edit or delete child entries.
1 parent 60b2c19 commit 75af9b1


1 file changed

+16
-0
lines changed

1 file changed

+16
-0
lines changed

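--- a/gp-nested-forms/gpnf-disable-sessions.php
+++ b/gp-nested-forms/gpnf-disable-sessions.php
@@ -15,6 +15,22 @@
 add_action( 'wp_ajax_gpnf_session', 'gw_gpnf_disable_session', 9 );
 add_action( 'wp_ajax_nopriv_gpnf_session', 'gw_gpnf_disable_session', 9 );
 function gw_gpnf_disable_session() {
+
 remove_action( 'wp_ajax_gpnf_session', array( gp_nested_forms(), 'ajax_session' ) );
 remove_action( 'wp_ajax_nopriv_gpnf_session', array( gp_nested_forms(), 'ajax_session' ) );
+
+// Delete previous stored session, both as a convenience for users first install the snippet with existing sessions
+// and as a security precaution to prevent malicious users from creating artificial session cookies.
+$session = new GPNF_Session( rgpost( 'form_id' ) );
+$session->delete_cookie();
+
 }
+
+add_filter( 'gpnf_can_user_edit_entry', function( $can_user_edit_entry, $entry, $current_user ) {
+// Logged-in users can always edit their entries. Otherwise, only allow editing if the entry does not have a parent
+// and does not belong to a session.
+if ( ! $current_user && (int) gform_get_meta( $entry['id'], GPNF_Entry::ENTRY_PARENT_KEY ) === 0 ) {
+$can_user_edit_entry = true;
+}
+return $can_user_edit_entry;
+}, 10, 3 );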
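Review bot: The `gpnf_can_user_edit_entry` callback enforces less than its comment claims: the comment says editing is allowed only when the entry has no parent and does not belong to a session, but the condition tests only the parent meta, and nothing visible ties the entry to the visitor making the request. Because of the `(int)` cast, a missing meta value (`false`), an empty string and any string that does not start with a digit all compare equal to 0, so every logged-out request is granted edit rights on all such entries. Whether that is reachable for entries outside the visitor's own submission depends on where the plugin applies this filter, which is not shown here; I would read the value once with `$parent = gform_get_meta( $entry['id'], GPNF_Entry::ENTRY_PARENT_KEY );`, compare it strictly against the stored values that are meant to count as "no parent", and either add the session/ownership check or reword the comment to `// No ownership check is performed here; any logged-out visitor may edit entries without a numeric parent ID.`. In `gw_gpnf_disable_session`, `rgpost( 'form_id' )` is request-controlled on a nopriv action and could be normalized with `absint()` before it reaches `GPNF_Session`.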
