[Resolved] Using Toolset Forms without Toolset Access
This support ticket was created 2 years and 10 months ago. There's a good chance that you are reading advice that is now obsolete.
This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.
If I have only Forms & Types activated and the display of CRED forms is controlled via the function is_user_logged_in, should I use this function inside the CRED save hooks as well, in order to specifically validate that the user is logged in before, say, updating a custom field value, since Access is NOT activated?
Hello. Thank you for contacting the Toolset support.
I don't think it's required, as the form will only be presented when the user is logged in, since you already wrapped the form to display only when the user is logged in using the function is_user_logged_in.
However, there is no harm in adding one extra is_user_logged_in condition within the cred_save_data hook to ensure everything works as expected. I suggest you should still add is_user_logged_in to the cred_save_data hook.
Thank you for your thoughts, which actually echo my own. I do understand that from a security point of view it wouldn't do any harm to add a check in each hook; however, in most cases I have before_save_data, save_data and submit_complete hooks running, and adding a check in each one will add to the run time for form submissions. I'd prefer to do it if there's a need rather than because it won't do any harm.
Would you be good enough please to ask the developers whether any vulnerabilities exist if a check isn't made inside the hooks?
There will be no vulnerabilities, but we still prefer and suggest adding another check to your hooks to make sure they run only when needed and when people are logged in, and to ensure the code runs under the correct conditions.
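
The extra check discussed in this thread, as an added example that is not part of the original posts and not Toolset's own code: one shared guard built on is_user_logged_in, called from each of the three hooks the poster mentions. The form ID 123, the field slug wpcf-my-field and all function names are placeholders chosen for illustration.

```php
<?php
// Added example. Assumptions: form ID 123, field slug "wpcf-my-field",
// and every my_* function name are hypothetical placeholders.

/**
 * Shared guard for all CRED hooks of one form.
 * Returns true only for the target form submitted by a logged-in user.
 * WordPress resolves the current user once per request, so calling
 * this from several hooks repeats a lookup on an already loaded object.
 */
function my_cred_guard( $form_data ) {
    if ( ! isset( $form_data['id'] ) || 123 !== (int) $form_data['id'] ) {
        return false; // Not the form this code is written for.
    }
    return is_user_logged_in();
}

add_action( 'cred_before_save_data', 'my_before_save', 10, 1 );
function my_before_save( $form_data ) {
    if ( ! my_cred_guard( $form_data ) ) {
        return;
    }
    // Pre-save logic for logged-in users goes here.
}

add_action( 'cred_save_data', 'my_save_data', 10, 2 );
function my_save_data( $post_id, $form_data ) {
    if ( ! my_cred_guard( $form_data ) ) {
        return; // Skip the field update for anonymous requests.
    }
    if ( isset( $_POST['wpcf-my-field'] ) ) {
        // Sanitize the submitted value before writing it to post meta.
        $value = sanitize_text_field( wp_unslash( $_POST['wpcf-my-field'] ) );
        update_post_meta( $post_id, 'wpcf-my-field', $value );
    }
}

add_action( 'cred_submit_complete', 'my_submit_complete', 10, 2 );
function my_submit_complete( $post_id, $form_data ) {
    if ( ! my_cred_guard( $form_data ) ) {
        return;
    }
    // Post-submit logic (notifications, redirects) goes here.
}
```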