Support

Account

Home Forums Backend Issues (wp-admin) Location rule / user

Solving

Location rule / user

  • Hello i have question related to location rule. If i set location rule – current user role = administrator and user role = ‘some_user_role’, is there any validation if user with role ‘some_user_role’ try to manipulate POST request and update fields which only administrator can see?

  • No, but since the can’t see them then they shouldn’t be available for manipulation on any page in the admin so they should not be able to. Or at least that is what should be happening. Are you seeing a way for someone to manipulate field data they shouldn’t be?

  • Sorry for late response. If i sell my products on market like TF everyone can see source code. So if someone just add field with right name acf will update it.

    Example:
    We have field ‘test_field’ and location rules user_role: administrator and post type: post. So now user with editor role add for example
    <input type="hidden" name="test_field" value="test">
    Press update/publish post and acf will update this field.

    Looks like ill have to check everything by myself and location rules for user role is just ‘visual’.

  • Not exactly, the field name is not used by ACF, the field key is. Yes, I suppose that someone would be able to add something like:

    
    <input type="hidden" name="acf['field_1234567890']" value="test">
    

    I guess what you have to ask yourself is, who’s going to be using your theme and will there be people using it that want to hack values that are part of the site.

    I have not tested the ability to do this… and I’m not the developer. You may have a valid concern and you might what to consider submitting a support ticket https://support.advancedcustomfields.com/new-ticket/ and bring your concern up.

    I actually have a plugin https://github.com/Hube2/acf-user-role-field-setting/ and I’m going to look at adding a security check to this plugin to add a check for submitted values to see if the user is allowed to modify a field.

    update: I have added this security feature to the user role field setting plugin.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.