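/**
  * Check if the current user may edit the entry held in `$this->entry`.
  *
  * Every check runs and a later failing check overwrites the message of an
  * earlier one, so the reason reported to the user is the LAST failing one:
  *
  * - The `entry` query argument / posted `lid` do not match this entry
  *   (rejected silently: `$error === true`)
  * - `$this->verify_nonce()` fails (silent when an oEmbed-embedded entry is
  *   present on the page, a user-facing message otherwise)
  * - `GravityView_Edit_Entry::check_user_cap_edit_entry()` returns false
  * - The entry status is `trash`
  *
  * The method fails closed: if ANY check failed it returns false.
  *
  * @todo Move to GVCommon
  *
  * @param  boolean $echo Print an HTML error notice for a user-facing error? Silent
  *                       rejections (`$error === true`) never print anything.
  * @return boolean        True: can edit form. False: nope.
  */
 function user_can_edit_entry($echo = false)
 {
     $error = NULL;
     /**
      * The posted entry ID and the one in the query string can disagree when:
      *  1. Permalinks are turned off
      *  2. There are two entries embedded using oEmbed
      *  3. One of the entries has just been saved
      * That is treated as "not this entry" and rejected without a message.
      */
     if (!empty($_POST['lid']) && !empty($_GET['entry']) && $_POST['lid'] !== $_GET['entry']) {
         $error = true;
     }
     // Strict string comparison: a non-string `entry` argument (e.g. `?entry[]=1`)
     // can never match and is rejected here as well.
     if (!empty($_GET['entry']) && (string) $this->entry['id'] !== $_GET['entry']) {
         $error = true;
     } elseif (!$this->verify_nonce()) {
         /**
          * If the Entry is embedded, there may be two entries on the same page.
          * If that's the case, and one is being edited, the other should fail gracefully and not display an error.
          */
         if (GravityView_oEmbed::getInstance()->get_entry_id()) {
             $error = true;
         } else {
             $error = __('The link to edit this entry is not valid; it may have expired.', 'gravityview');
         }
     }
     // Capability and trash checks run regardless of the link checks above; each
     // replaces any earlier message, but the result is false if any check failed.
     if (!GravityView_Edit_Entry::check_user_cap_edit_entry($this->entry)) {
         $error = __('You do not have permission to edit this entry.', 'gravityview');
     }
     if ($this->entry['status'] === 'trash') {
         $error = __('You cannot edit the entry; it is in the trash.', 'gravityview');
     }
     // No errors; everything's fine here!
     if (empty($error)) {
         return true;
     }
     // Keep the plain reason for the log before it is escaped and decorated with
     // markup below. A bare `true` was previously logged as "1".
     if (true === $error) {
         $log_reason = 'Edit link rejected silently: entry ID mismatch, or nonce failure while another embedded entry is present';
     } else {
         $log_reason = $error;
     }
     if ($echo && $error !== true) {
         $error = esc_html($error);
         /**
          * @since 1.9
          */
         if (!empty($this->entry)) {
             $error .= ' ' . gravityview_get_link('#', _x('Go back.', 'Link shown when invalid Edit Entry link is clicked', 'gravityview'), array('onclick' => "window.history.go(-1); return false;"));
         }
         echo GVCommon::generate_notice(wpautop($error), 'gv-error error');
     }
     // Separator added: the reason used to be glued directly onto the prefix.
     do_action('gravityview_log_error', 'GravityView_Edit_Entry[user_can_edit_entry] ' . $log_reason);
     return false;
 }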
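 /**
  * Render a Delete Entry link (or its URL) for an entry, as a shortcode.
  *
  * Note that although the default shortcode context is `gv_edit_entry`, the link
  * produced here comes from `GravityView_Delete_Entry::get_delete_link()` and the
  * default link text is "Delete Entry".
  *
  * @param array $atts {
  *   @type string $view_id ID of the View the entry belongs to. Default: the current View ID
  *   @type string $entry_id ID of the entry to delete. If undefined, uses the current entry ID
  *   @type string $post_id ID of the base post or page to use for an embedded View. Default: `$view_id`
  *   @type string $link_atts Attributes for the link, e.g. to open it in a new window or the same window
  *   @type string $return What should the shortcode return: link HTML (`html`) or the URL (`url`). Default: `html`
  *   @type string $field_values Parameters forwarded to `get_delete_link()` with the other settings. Uses the same format as Gravity Forms "Allow field to be populated dynamically" {@see https://www.gravityhelp.com/documentation/article/allow-field-to-be-populated-dynamically/ }
  * }
  * @param string $content Link text; "Delete Entry" when empty
  * @param string $context Shortcode tag handed to `shortcode_atts()` (for its `shortcode_atts_{$context}` filter)
  *
  * @return string|void Link HTML, the bare URL when `return="url"`, or null when GV is not loaded,
  *                     no View/entry can be resolved, the visitor is not logged in, or the
  *                     capability check fails.
  */
 public function shortcode($atts = array(), $content = '', $context = 'gv_edit_entry')
 {
     // Make sure GV is loaded
     if (!class_exists('GravityView_frontend') || !class_exists('GravityView_View')) {
         return null;
     }
     $defaults = array('view_id' => 0, 'entry_id' => 0, 'post_id' => 0, 'link_atts' => '', 'return' => 'html', 'field_values' => '');
     $settings = shortcode_atts($defaults, $atts, $context);
     if (empty($settings['view_id'])) {
         $view_id = GravityView_View::getInstance()->getViewId();
     } else {
         $view_id = absint($settings['view_id']);
     }
     if (empty($view_id)) {
         do_action('gravityview_log_debug', __METHOD__ . ' A View ID was not defined');
         return null;
     }
     $post_id = empty($settings['post_id']) ? $view_id : absint($settings['post_id']);
     $form_id = gravityview_get_form_id($view_id);
     $backup_entry_id = GravityView_frontend::getInstance()->getSingleEntry() ? GravityView_frontend::getInstance()->getSingleEntry() : GravityView_View::getInstance()->getCurrentEntry();
     $entry_id = empty($settings['entry_id']) ? $backup_entry_id : absint($settings['entry_id']);
     if (empty($entry_id)) {
         do_action('gravityview_log_debug', __METHOD__ . ' No entry defined');
         return null;
     }
     // A logged-in user is required. wp_get_current_user() always returns a WP_User
     // object (ID 0 for anonymous visitors), so the old `!$user` test never fired;
     // exists() is what actually distinguishes a logged-in user.
     $user = wp_get_current_user();
     if (!$user->exists()) {
         do_action('gravityview_log_debug', __METHOD__ . ' No user defined; edit entry requires logged in user');
         return null;
     }
     $entry = $this->get_entry($entry_id, $form_id);
     // No search results
     if (false === $entry) {
         do_action('gravityview_log_debug', __METHOD__ . ' No entries match the entry ID defined', $entry_id);
         return null;
     }
     // Check permissions for the action this link actually offers: it is a DELETE
     // link, so gate it on the delete capability, not the edit one. The delete
     // handler behind the link is expected to re-check capability and nonce itself.
     if (false === GravityView_Delete_Entry::check_user_cap_delete_entry($entry, array(), $view_id)) {
         do_action('gravityview_log_debug', __METHOD__ . ' User does not have the capability to delete this entry: ' . $entry_id);
         return null;
     }
     $href = GravityView_Delete_Entry::get_delete_link($entry, $view_id, $post_id, $settings);
     // Get just the URL, not the tag
     if ('url' === $settings['return']) {
         return $href;
     }
     $link_text = empty($content) ? __('Delete Entry', 'gravityview') : $content;
     return gravityview_get_link($href, $link_text, $settings['link_atts']);
 }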
 /**
  * Check whether the current user may see the shortcode output for the configured action.
  *
  * `$this->settings['action']` selects the check: `edit` and `delete` defer to the
  * Edit Entry / Delete Entry capability checks for `$this->entry` in `$this->view_id`.
  * `read` — and any unrecognised action — is allowed unconditionally (no read
  * capability check exists yet), i.e. this fails open for anything but edit/delete.
  *
  * @since 1.15
  * @return bool True: has cap.
  */
 private function has_cap()
 {
     $action = $this->settings['action'];
     // Loose comparisons on purpose: this mirrors the `switch` semantics it replaces.
     if ('edit' == $action) {
         return GravityView_Edit_Entry::check_user_cap_edit_entry($this->entry, $this->view_id);
     }
     if ('delete' == $action) {
         return GravityView_Delete_Entry::check_user_cap_delete_entry($this->entry, array(), $this->view_id);
     }
     // 'read' and anything else
     // TODO: add cap check for read_gravityview
     return true;
 }
 /**
  * Capability gating for Edit Entry: a user with no caps at all must be refused,
  * and granting any single one of the "full access" caps must be enough on its own.
  *
  * @param $entry Entry handed to `GravityView_Edit_Entry::check_user_cap_edit_entry()`
  * @param $view_user_edit_enabled View whose `ID` is passed to the capability check
  */
 public function _add_and_remove_caps_test($entry, $view_user_edit_enabled)
 {
     $user = $this->factory->user->create_and_set(array('role' => 'zero'));
     $active_user = wp_get_current_user();
     $this->assertEquals($user->ID, $active_user->ID);
     $grant_all = array('gravityview_full_access', 'gform_full_access', 'gravityview_edit_others_entries');
     foreach ($grant_all as $capability) {
         // Each round starts from a user with no caps, so only the cap under test
         // can explain a positive result.
         $user->remove_all_caps();
         $this->assertFalse(current_user_can($capability), $capability);
         $this->assertFalse(GravityView_Edit_Entry::check_user_cap_edit_entry($entry, $view_user_edit_enabled->ID), $capability);
         $user->add_cap($capability);
         $this->assertTrue(current_user_can($capability), $capability);
         $this->assertTrue(GravityView_Edit_Entry::check_user_cap_edit_entry($entry, $view_user_edit_enabled->ID), $capability);
     }
 }
<?php
/**
 * Edit Entry link field template.
 *
 * `extract()` pulls the current field's data into scope; `$entry`, `$form` and
 * `$field_settings` used below come from it, not from this file.
 */
$gravityview_view = GravityView_View::getInstance();
$view_id = $gravityview_view->getViewId();
extract($gravityview_view->getCurrentField());
// Render nothing unless the current user passes the Edit Entry capability check
// for this entry (being logged in alone is not what is tested here).
if (!GravityView_Edit_Entry::check_user_cap_edit_entry($entry)) {
    return;
}
if (empty($field_settings['new_window'])) {
    $link_atts = '';
} else {
    $link_atts = 'target="_blank"';
}
if (empty($field_settings['edit_link'])) {
    $link_text = __('Edit Entry', 'gravityview');
} else {
    $link_text = $field_settings['edit_link'];
}
// Merge tags in the label are resolved against entry data, then filtered.
// NOTE(review): escaping of that text is left to replace_variables()/gravityview_get_link() — confirm.
$output = apply_filters('gravityview_entry_link', GravityView_API::replace_variables($link_text, $form, $entry));
$href = GravityView_Edit_Entry::get_edit_link($entry, $view_id);
echo gravityview_get_link($href, $output, $link_atts);