Based on the screenshot that you've sent it would appear that you're editing the Child post where the currently logged in user isn't the author of the parent post.
This is why it is showing there: the parent ID in the URL will autoselect the post from the relationship field. What should now happen is that if the user searches for the parent in the parent field, it should only give you the posts where the current user is the author.
Thanks for going into it. You are describing the functionality I exposed as an issue.
So to implement the business rule "the form only allows creating the post with the author selected in the field", I restrict that field in the form and the user can only select it.
But if the user goes to a URL with a preselected user and then submits the form, he will create the post, breaking the business rule, as happened here hidden link (can create for Alexander owner when Alexander is not logged in the system).
So the functionality you exposed I see as an issue.
I would expect that the form unselects that selection (by URL) because this selection is not allowed by the form.
Actually no, because you are providing the field with the ID in the URL, so it will select the parent based on the ID that was provided.
The functionality of the field, where you've set the field to only show posts from the current author, only works when the user is searching the field, not when the ID has been added in the URL.
I would expect that the form unselects that selection (by URL) because this selection is not allowed by the form.
No, because the functionality of the field wasn't written to take this into consideration. In order for this to be improved, I would need to open a ticket with our development team, but this improvement wouldn't be added immediately; it would first need to be approved, which can take quite some time.
Thanks, I understand that an issue takes time to solve.
Sure, taking this into consideration would fix the issue, because if not, the functionality of the form does not work, since you can always select whatever you want by URL.
I think that this is a bug that affects all Toolset clients. A user can create content for a parent that it does not belong to, so with the bug out there, it's easy to hack a Toolset site in terms of related content.
Is there any workaround to fix it easily? I tried to play with the fields of cred_field, for example, value='', but nothing changes, and it always selects the URL parent.
Would you be able to share here the ticket with the development team if it is external or a way to follow up on the fix of this bug?
We have a workaround for this using our Forms Validation Hook. Here is the hook below.
/**
 * Custom form validation: reject a parent post that the current user did not author.
 */
function tssupp_form_validation($error_fields, $form_data)
{
    if (in_array($form_data['id'], array(123))) { // Edit form ID(s)
        // Split error fields into separate arrays
        list($fields, $errors) = $error_fields;
        $current_user_id = get_current_user_id();
        $field = '@relationship-slug.parent'; // Edit slug
        // PHP replaces dots in submitted field names with underscores in $_POST
        $post_key = str_replace('.', '_', $field);
        $parent_post_id = isset($_POST[$post_key]) ? absint($_POST[$post_key]) : 0;
        $parent_post = $parent_post_id ? get_post($parent_post_id) : null;
        // Fail validation when the submitted parent does not exist or belongs to another user
        if ($parent_post_id && (!$parent_post || (int) $parent_post->post_author !== $current_user_id)) {
            $errors[$field] = "Please connect to another post";
        }
        $error_fields = array($fields, $errors);
    }
    return $error_fields;
}
add_filter('cred_form_validate', 'tssupp_form_validation', 10, 2);
What this hook does is check if the user is the author of the parent post being passed in the URL. If the user is the author, then the form will pass; if not, then the form will not validate.
Now in order for this to work, you will need to replace the "123" with the ID of your form and then replace the "@relationship-slug.parent" with the slug that is being added in the relationship slug in your Post Relationship. So the format would be "@{relationship_slug}.parent".
You can add this hook to your Toolset custom code settings in Toolset->Settings->Custom Code and then activate it.