If I have only Forms & Types activated and the display of CRED forms is controlled via the function is_user_logged_in, should I use this function inside the CRED save hooks as well in order to specifically validate that the user is logged in before, say, updating a custom field value, since Access is NOT activated?
Hello. Thank you for contacting the Toolset support.
I don't think it's required, as the form will only be presented when the user is logged in, since you already wrapped the form to display only when the user is logged in using the function is_user_logged_in.
However, there is no harm in adding one extra is_user_logged_in condition within the cred_save_data hook to ensure everything works as expected. I suggest you still add is_user_logged_in with the cred_save_data hook.
Thank you for your thoughts, which actually echo my own. I do understand that from a security point of view it wouldn't do any harm to add a check in each hook; however, in most cases I have before_save_data, save_data and submit_complete hooks running, and adding a check in each one will add to the run time for form submissions. I'd prefer to do it if there's a need rather than because it won't do any harm.
Would you be good enough please to ask the developers whether any vulnerabilities exist if a check isn't made inside the hooks?
There will be no vulnerabilities, but we still prefer and suggest adding another check in your hooks to make sure they run only when needed and when people are logged in, and to ensure the code runs under the correct conditions.
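The guard the support reply recommends, as an added example that is not code from the thread or from Toolset: a cred_save_data callback that returns early unless the user is logged in (and, since Access is not active, unless they can edit the target post) before touching the custom field. The form ID 123 and the field slug wpcf-approved-by are placeholders.

```php
<?php
/**
 * Added example, not from the thread: guard a cred_save_data callback with
 * is_user_logged_in() so the custom-field update only runs for logged-in users.
 * The form ID (123) and the field slug ('wpcf-approved-by') are placeholders.
 */
add_action( 'cred_save_data', 'example_guard_cred_save', 10, 2 );

function example_guard_cred_save( $post_id, $form_data ) {
    // Only handle the one form this callback is meant for.
    if ( 123 !== (int) $form_data['id'] ) {
        return;
    }

    // The hook runs during server-side form processing, independently of
    // whether the form markup was rendered, so the check is repeated here.
    if ( ! is_user_logged_in() ) {
        return;
    }

    // Without the Access plugin, a capability check on the target post is a
    // reasonable extra condition (assumption: the post type is user-editable).
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Record who submitted the form; this is the custom-field update the
    // question asks about.
    update_post_meta( $post_id, 'wpcf-approved-by', get_current_user_id() );
}
```

The same early-return pattern applies to cred_before_save_data and cred_submit_complete callbacks; the cost is one cached WP_User lookup per hook, not a database query.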