Hi there, I have set up some custom post types with custom forms but currently the edit method I have set up allows anyone with access to the site to edit any post (if they know the post ids). My question then, is how can i make it so only users that created a post can edit that post?
Hi @roger
My first question is to ask where the user is editing the post.
If the users are logging into the WP backend and editing posts via the normal wp-admin interface, then you could create a custom location rule!
A custom location rule will allow you to look at the current logged in user and compare it to the post’s author. If they match, return true, if not, return false.
This will show / hide the field group on a user basis!
You can read how to create custom location rules here:
http://www.advancedcustomfields.com/resources/tutorials/custom-location-rules/
Hi Elliot,
The user is editing the post on the front end.
I am using WP User Frontend to display the posts authored by the user using the dashboard bit of that plugin. I edited the path of the ‘edit button’ so that it opens the custom ACF form I am running for a custom post type. However I am worried that because this is based on the post_id (in the url) that users can simply change the numbers in the url to change any post they like.
Thanks for your help Elliot
Hi @roger
Thanks for the info.
Yes, I think this will be possible for your users to change the ID.
You will need to apply some custom logic to the template that shows an error instead of the form if what they are trying to edit is no what they have authored.
This seems like an issue on the part of the ACF plugin. Any user can use any form if they know the URL.
Do you know where I would start in attempting to restrict front end forms to only users who published the post they are editing?
It seems the plugin overrides the permissions of wordpress so i do not know where to begin.
Hi @roger
I would find the tempalte which is creating the form.
Then, I would wrap the form function in an if statement that compares the current user to the post’s author
Good luck
Hi @roger,
I encountered exactly the same issue, and i’ve written a logic which does the following:
-gets the current logged in user id
-in a loop, get the id’s of all posts by that user
-checks whether this specific post id is created / allowed to be edited by that user
-if allowed, nothing happens, and edit form is loaded /
-if not allowed, exit() and redirect the user
here’s my code, please place it in the page in which your frontend form resides, after your “get_header()” or “wp_head()” (can’t run the loop before that):
$user_ID = get_current_user_id();
$args = array(
'post_type' => 'your_post_type',
'posts_per_page' => -1,
'post_status' => 'any',
'author' => $user_ID
);
// The Query
$the_query = new WP_Query($args);
// The Loop
if ( $the_query->have_posts() ) {
$posts_by_user = array();
while ( $the_query->have_posts() ) {
$the_query->the_post();
$posts_by_user[] = get_the_ID();
}
} else {
//echo 'no posts found';
}
/* Restore original Post Data */
wp_reset_postdata();
// Check and redirect if needed
if (in_array($book_ID, $posts_by_user)) {
//echo "Post ID found in array";
} else {
$location = get_home_url();
$status = '302';
wp_redirect( $location, $status );
exit;
}
The code is checked and working, let me know if i can help in any other way.
