[Resolved] Restrictions on child posting

This support ticket was created 6 years, 6 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

#882878

I am trying to:

I use a CRED form to create a site that allows external users to subscribe to members and create unique projects.

From the My Account page, I made it so that members who are child postings included in each user's project can be registered.

Projects are user specific, members can only register the project owner, others can not register as a member.

However, when submitting a child, I noticed that just by changing the parent ID in the URL, I can register members of other projects.

I do not want to register members except project owners. I am looking for ways to check parent's ownership when submitting a child.

Is there any way?

#886386

Hello,

I suggest you try these:
1) Create a view that lists "Projects" posts, filtered by post author being the specific user (the currently logged-in user):
https://toolset.com/documentation/user-guides/filtering-views-query-by-author/

In the view's loop section, display a link for creating a child post, so when the user clicks the link, it will pass a URL parameter to the target page and CRED form. He will see the CRED form below with the parent selector, which is set up with a default value by the URL parameter.

2) In the CRED form for creating "child postings", you can use CSS code to hide the parent selector.

#888109

I will go to the child's post from the loop section created by view. Change the parent ID of that child submission page in the URL column.

You can register as a member to a project that I do not own.

I do not do it with normal operation, but I am worried that a malicious person came to my site. Please tell me something good.

#891179

The above solution works on the client side. You can validate the user's input on the server side too; for example, when the user submits the CRED form, you can use the CRED filter hook "cred_form_validate" to trigger a PHP function, and in this function check whether the user is submitting the correct data:
check the parent's ownership

See our documentation:
https://toolset.com/documentation/programmer-reference/cred-api/#cred_form_validate
This hook provides custom validation for form fields.

#891890

I succeeded in the way I was taught. Thank you for your advice!
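
The server-side parent-ownership check suggested in the thread could look like the following. This is an added example, not code posted by either participant or taken from Toolset; the form ID, the parent field name and the parent post type slug are assumed placeholder values that must be replaced with the site's own.

```php
<?php
// Added example. Assumptions (hypothetical values, adjust to the site):
//   CHILD_FORM_ID    - ID of the CRED form that creates the child post
//   PARENT_FIELD     - name of the submitted field that carries the parent post ID
//   PARENT_POST_TYPE - slug of the parent ("project") post type
const CHILD_FORM_ID    = 123;
const PARENT_FIELD     = '_wpcf_belongs_project_id';
const PARENT_POST_TYPE = 'project';

add_filter( 'cred_form_validate', 'example_check_parent_owner', 10, 2 );

function example_check_parent_owner( $error_fields, $form_data ) {
    list( $fields, $errors ) = $error_fields;

    // Only act on the child-creation form; leave other forms untouched.
    if ( (int) $form_data['id'] !== CHILD_FORM_ID ) {
        return array( $fields, $errors );
    }

    // The parent ID arrives from the client (URL parameter or hidden selector),
    // so it is re-read and re-checked here instead of being trusted.
    $parent_id = isset( $_POST[ PARENT_FIELD ] ) ? absint( $_POST[ PARENT_FIELD ] ) : 0;
    $parent    = $parent_id ? get_post( $parent_id ) : null;

    // Allowed only if the parent exists, is a project, and belongs to the
    // logged-in user who is submitting the form.
    $allowed = $parent
        && $parent->post_type === PARENT_POST_TYPE
        && is_user_logged_in()
        && (int) $parent->post_author === get_current_user_id();

    if ( ! $allowed ) {
        // Adding an entry to $errors makes validation fail, so no child is created.
        $errors[ PARENT_FIELD ] = 'You can only add members to your own projects.';
    }

    return array( $fields, $errors );
}
```

Hiding the parent selector with CSS only changes what the browser shows; the check above runs on every submission regardless of how the request was built.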