/**
 * Check if the user can edit the entry
 *
 * - Is the nonce valid?
 * - Does the user have the right caps for the entry
 * - Is the entry in the trash?
 *
 * Authorization is decided by GravityView_Edit_Entry::check_user_cap_edit_entry(); the nonce
 * check is request-forgery protection on top of it, not a substitute. Every failed check sets
 * $error, and later checks overwrite earlier ones, so when several fail the cap/trash message
 * is the one shown. Any non-empty $error results in `return false`.
 *
 * @todo Move to GVCommon
 *
 * @param boolean $echo Show error messages in the form? Only string errors are printed; a bare
 *                      `true` error (oEmbed double-embed cases) is silent.
 * @return boolean True: can edit form. False: nope.
 */
function user_can_edit_entry($echo = false) {
    $error = NULL;
    /**
     * 1. Permalinks are turned off
     * 2. There are two entries embedded using oEmbed
     * 3. One of the entries has just been saved
     *
     * $_POST['lid'] and $_GET['entry'] are read raw here; they are only ever compared with
     * strict (!==) string comparison and never echoed, so no sanitization is needed for this use.
     * A silent (true) error: the mismatch is expected when two entries share a page.
     */
    if (!empty($_POST['lid']) && !empty($_GET['entry']) && $_POST['lid'] !== $_GET['entry']) {
        $error = true;
    }
    // If the request names a different entry than the one being rendered, fail silently without
    // verifying the nonce (the elseif skips it); the result is still `return false`.
    if (!empty($_GET['entry']) && (string) $this->entry['id'] !== $_GET['entry']) {
        $error = true;
    } elseif (!$this->verify_nonce()) {
        /**
         * If the Entry is embedded, there may be two entries on the same page.
         * If that's the case, and one is being edited, the other should fail gracefully and not display an error.
         */
        if (GravityView_oEmbed::getInstance()->get_entry_id()) {
            $error = true;
        } else {
            $error = __('The link to edit this entry is not valid; it may have expired.', 'gravityview');
        }
    }
    // The actual permission check. Runs regardless of the nonce outcome and overwrites any
    // earlier error message.
    if (!GravityView_Edit_Entry::check_user_cap_edit_entry($this->entry)) {
        $error = __('You do not have permission to edit this entry.', 'gravityview');
    }
    // Trashed entries are never editable, even for users who hold the cap.
    if ($this->entry['status'] === 'trash') {
        $error = __('You cannot edit the entry; it is in the trash.', 'gravityview');
    }
    // No errors; everything's fine here!
    if (empty($error)) {
        return true;
    }
    if ($echo && $error !== true) {
        // Escape the message first; the "Go back." anchor is appended afterwards as markup
        // (assumes gravityview_get_link() escapes its own href/text/attrs — confirm).
        $error = esc_html($error);
        /**
         * @since 1.9
         */
        if (!empty($this->entry)) {
            // NOTE(review): inline onclick handler; will be blocked under a CSP without 'unsafe-inline'.
            $error .= ' ' . gravityview_get_link('#', _x('Go back.', 'Link shown when invalid Edit Entry link is clicked', 'gravityview'), array('onclick' => "window.history.go(-1); return false;"));
        }
        echo GVCommon::generate_notice(wpautop($error), 'gv-error error');
    }
    // $error may be bool true here (logs as "1") or, after the echo branch, contain the link HTML.
    do_action('gravityview_log_error', 'GravityView_Edit_Entry[user_can_edit_entry]' . $error);
    return false;
}
/**
 * Shortcode handler that resolves a View + entry, checks the current user's capability and
 * returns a link (or bare URL) for that entry.
 *
 * NOTE(review): this handler gates on GravityView_Edit_Entry::check_user_cap_edit_entry() but
 * builds the link with GravityView_Delete_Entry::get_delete_link() and labels it "Delete Entry".
 * Elsewhere in this file, delete links are gated on
 * GravityView_Delete_Entry::check_user_cap_delete_entry($entry, array(), $view_id). Confirm which
 * action this shortcode is meant to expose and make the capability check match it; otherwise a
 * user who may edit but not delete is shown a delete link (the delete handler itself is not in
 * view here, so whether it re-checks is unconfirmed).
 *
 * @param array $atts {
 *   @type string $view_id      ID of the View the entry belongs to. Falls back to the current View when empty.
 *   @type string $entry_id     ID of the entry to edit. If undefined, uses the current entry ID
 *   @type string $post_id      ID of the base post or page to use for an embedded View. Falls back to the View ID.
 *   @type string $link_atts    Extra anchor attributes (e.g. to open the link in a new window); passed through to gravityview_get_link()
 *   @type string $return       What should the shortcode return: link HTML (`html`) or the URL (`url`). Default: `html`
 *   @type string $field_values Parameters to pass in to the form to prefill data. Uses the same format as Gravity Forms "Allow field to be populated dynamically" {@see https://www.gravityhelp.com/documentation/article/allow-field-to-be-populated-dynamically/ }
 * }
 * @param string $content Shortcode inner content; used as the link text when non-empty.
 * @param string $context Passed to shortcode_atts() so the `shortcode_atts_{$context}` filter applies.
 *
 * @return string|void Link HTML, the URL when `return="url"`, or null when anything is missing or the user lacks the cap.
 */
public function shortcode($atts = array(), $content = '', $context = 'gv_edit_entry') {
    // Make sure GV is loaded
    if (!class_exists('GravityView_frontend') || !class_exists('GravityView_View')) {
        return null;
    }
    $defaults = array('view_id' => 0, 'entry_id' => 0, 'post_id' => 0, 'link_atts' => '', 'return' => 'html', 'field_values' => '');
    $settings = shortcode_atts($defaults, $atts, $context);
    // IDs coming from shortcode attributes are coerced with absint(); the fallback comes from GV state.
    if (empty($settings['view_id'])) {
        $view_id = GravityView_View::getInstance()->getViewId();
    } else {
        $view_id = absint($settings['view_id']);
    }
    if (empty($view_id)) {
        do_action('gravityview_log_debug', __METHOD__ . ' A View ID was not defined');
        return null;
    }
    $post_id = empty($settings['post_id']) ? $view_id : absint($settings['post_id']);
    $form_id = gravityview_get_form_id($view_id);
    // Prefer the single-entry being viewed; otherwise the entry currently being rendered in a loop.
    $backup_entry_id = GravityView_frontend::getInstance()->getSingleEntry() ? GravityView_frontend::getInstance()->getSingleEntry() : GravityView_View::getInstance()->getCurrentEntry();
    $entry_id = empty($settings['entry_id']) ? $backup_entry_id : absint($settings['entry_id']);
    if (empty($entry_id)) {
        do_action('gravityview_log_debug', __METHOD__ . ' No entry defined');
        return null;
    }
    // By default, show only current user
    // NOTE(review): wp_get_current_user() returns a WP_User object even for visitors (ID 0), so
    // this condition does not by itself enforce a logged-in user; the capability check below is
    // what actually gates the link.
    $user = wp_get_current_user();
    if (!$user) {
        do_action('gravityview_log_debug', __METHOD__ . ' No user defined; edit entry requires logged in user');
        return null;
    }
    // Entry is looked up scoped to the View's form, so an entry ID from another form is rejected here.
    $entry = $this->get_entry($entry_id, $form_id);
    // No search results
    if (false === $entry) {
        do_action('gravityview_log_debug', __METHOD__ . ' No entries match the entry ID defined', $entry_id);
        return null;
    }
    // Check permissions
    // NOTE(review): edit capability is checked, but a *delete* link is produced below — see the docblock.
    if (false === GravityView_Edit_Entry::check_user_cap_edit_entry($entry, $view_id)) {
        do_action('gravityview_log_debug', __METHOD__ . ' User does not have the capability to edit this entry: ' . $entry_id);
        return null;
    }
    $href = GravityView_Delete_Entry::get_delete_link($entry, $view_id, $post_id, $settings);
    // Get just the URL, not the tag
    if ('url' === $settings['return']) {
        return $href;
    }
    // $content and $settings['link_atts'] are author-supplied shortcode input; escaping is
    // assumed to happen inside gravityview_get_link() — confirm.
    $link_text = empty($content) ? __('Delete Entry', 'gravityview') : $content;
    return gravityview_get_link($href, $link_text, $settings['link_atts']);
}
/**
 * Decide whether the current user may see this shortcode's output for the configured action.
 *
 * 'edit' and 'delete' defer to the respective extension's capability check. 'read' — and any
 * unrecognised action value — is allowed unconditionally: there is no read_gravityview cap
 * check yet (TODO), so the only gate for read links is whatever the View itself enforces.
 *
 * @since 1.15
 * @return bool True: has cap.
 */
private function has_cap() {
    $action = $this->settings['action'];

    // Loose (==) comparison is intentional so the dispatch semantics stay switch-like.
    if ('edit' == $action) {
        return GravityView_Edit_Entry::check_user_cap_edit_entry($this->entry, $this->view_id);
    }

    if ('delete' == $action) {
        return GravityView_Delete_Entry::check_user_cap_delete_entry($this->entry, array(), $this->view_id);
    }

    // 'read' and anything unknown: no capability gate. TODO: add cap check for read_gravityview
    return true;
}
/**
 * Each override capability, on its own, must grant edit access — and its absence must deny it.
 *
 * Runs as a freshly created user with the 'zero' role. For every capability in turn the user's
 * caps are wiped, edit access is asserted to be denied, the single cap is added, and edit
 * access is asserted to be granted — so each cap is tested in isolation from the others.
 *
 * @param $entry
 * @param $view_user_edit_enabled
 */
public function _add_and_remove_caps_test($entry, $view_user_edit_enabled) {
    $subject = $this->factory->user->create_and_set(array('role' => 'zero'));
    $this->assertEquals($subject->ID, wp_get_current_user()->ID);

    $override_caps = array(
        'gravityview_full_access',
        'gform_full_access',
        'gravityview_edit_others_entries',
    );

    foreach ($override_caps as $capability) {
        // Start from zero caps so that only $capability is under test.
        $subject->remove_all_caps();
        $this->assertFalse(current_user_can($capability), $capability);
        $this->assertFalse(GravityView_Edit_Entry::check_user_cap_edit_entry($entry, $view_user_edit_enabled->ID), $capability);

        // Granting just this one cap must be enough to edit.
        $subject->add_cap($capability);
        $this->assertTrue(current_user_can($capability), $capability);
        $this->assertTrue(GravityView_Edit_Entry::check_user_cap_edit_entry($entry, $view_user_edit_enabled->ID), $capability);
    }
}
<?php
/**
 * Edit Entry link field template.
 *
 * Renders an anchor to the edit screen for the current entry, or nothing at all when the
 * current user does not hold the edit capability for it.
 */
$gravityview_view = GravityView_View::getInstance();
$view_id = $gravityview_view->getViewId();
// Pulls $entry, $field_settings and $form (plus whatever else the field array holds) into scope.
// Source is internal GV state, not request input.
extract($gravityview_view->getCurrentField());

// Authorization gate: render nothing unless the user may edit this entry.
if (!GravityView_Edit_Entry::check_user_cap_edit_entry($entry)) {
    return;
}

if (empty($field_settings['edit_link'])) {
    $label = __('Edit Entry', 'gravityview');
} else {
    $label = $field_settings['edit_link'];
}

// NOTE(review): target="_blank" without rel="noopener" unless gravityview_get_link() adds it — confirm.
$anchor_attributes = '';
if (!empty($field_settings['new_window'])) {
    $anchor_attributes = 'target="_blank"';
}

// Merge-tag replacement happens before the filter; escaping is assumed to live in gravityview_get_link() — confirm.
$label_html = apply_filters('gravityview_entry_link', GravityView_API::replace_variables($label, $form, $entry));
$edit_url = GravityView_Edit_Entry::get_edit_link($entry, $view_id);

echo gravityview_get_link($edit_url, $label_html, $anchor_attributes);