Skip Navigation

Using Toolset Forms without Toolset Access

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

This topic contains 3 replies, has 2 voices.

Last updated by Minesh 8 months, 1 week ago.

Assigned support staff: Minesh.

Author
Posts
#2269157

If I have only Forms & Types activated and the display of CRED forms is controlled via function is_user_logged_in, should I use this function inside the CRED save hooks as well in order to specifically validate for the user being logged before say updating a custom field value since Access is NOT activated?

Thanks

#2269361

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

Hello. Thank you for contacting the Toolset support.

I dont think its required as the form will be only presented when user will be logged in as you already wrapped the form to display only when user is loggedin using the function is_user_logged_in.

However, there is no harm to use and add one extra condition is_user_logged_in within the cred_save_data hook to ensure everything should work as expected. I suggest you should still add is_user_logged_in with the cred_save_data hook.

#2270053

Hi Minesh

Thank you for your thoughts which actually echo my own. I do understand that from a security point of view it wouldn't do any harm to add a check in each hook however in most cases I have before_save_data, save_data and submit_complete hooks running and adding a check in each one will add to the run time for form submissions. I'd prefer to do it if there's a need rather than because it won't do any harm.

Would you be good enough please to ask the developers whether any vulnerabilities exist if a check isn't made inside the hooks?

Many thanks

#2270073

Minesh
Supporter

Languages: English (English )

Timezone: Asia/Kolkata (GMT+05:30)

There will be no vulnerabilities but still we prefer and suggest to add another check with your hooks to make sure it will run only when needed and when people are loggedin and to ensure the code should run on correct conditions.