This seems like an issue on the part of the ACF plugin. Any user can use any form if they know the URL.
Do you know where I would start in attempting to restrict front end forms to only users who published the post they are editing?
It seems the plugin overrides the permissions of wordpress so i do not know where to begin.
Hi Elliot,
The user is editing the post on the front end.
I am using WP User Frontend to display the posts authored by the user using the dashboard bit of that plugin. I edited the path of the ‘edit button’ so that it opens the custom ACF form I am running for a custom post type. However I am worried that because this is based on the post_id (in the url) that users can simply change the numbers in the url to change any post they like.
Thanks for your help Elliot
