Okay
  Public Ticket #2990167
How to prevent events being edited by anyone?
Closed

Comments

  •  2
    publicspace started the conversation

    Hi.

    This small problem is preventing us going live.  The events look great, but anyone can edit them from the front-end. 

    I first set up the single calendar so that a logged-in user can edit their event from the front-end.  Then changed it to Author, and then to Administrator only.

    Each time, the edit icon remains visible, even when not logged in, even in a different browser, and even on a different computer.  

    It therefore enables anyone to edit every event. 

    (This is not a cache problem - I have disabled and cleared every cache.)

    Can the plugin enable only the logged in author of an event can edit it?  It will be excellent if that is possible.

    If not, I just need a way to prevent anyone editing every event!

    Hope you can help. 

    Thank you.

  •  894
    Zhivko replied

    Try setting the Calendar's "Back-End Visibility" to "Just Me". This equals to 'private'.

    As a last resort you could overwrite the permission via a filter:

    // Allow the admin and event's author to edit
    add_filter('stec_user_can_edit_event', function ($default, $event) {
        // super admin can do whatever he wants...
        if (is_super_admin()) {
            return true;
        }     // true if user is author of this event | false otherwise
        return $event->get_author() === get_current_user_id(); }, 10, 2);



    Stachethemes Developer

  •  2
    publicspace replied

    Thank you.  I have used the code you supplied below, and it now seems correctly to restrict editing to Admin and the Author of the event. 

    However, it is not possible to edit an event because the form demands that you select which Calendar, but without providing any option to select.  (In this case there is only one calendar.)  I attach two screenshots to show you. 

    (To check this was not a problem that I introduced, I removed all my CSS, and restored the original default-submit-form.php file, and the problem is still there.) 

    Is this a problem you recognise and can solve?  I would like to remove the calendar option, and simply select the one calendar.  Thank you.

  •  894
    Zhivko replied

    Make sure in Add/Edit Calendar page "Who can add events from the front-end" has valid value.


    Stachethemes Developer

  •  2
    publicspace replied

    Hi Zhivko

    Thank you.  I see I had set it to Administrator, when trying to deal with the previous challenge.  Apologies. So now it is set to 'logged in users'.  So the editor works. 

    However a final problem is that the editor does not show the existing 'Short description'.  I have tested this with the original 'default-submit-form', and it is the same.  Again, is there something you know that will be causing this?  (If I leave it blank, the existing Short description remains after submitting the edit.)

  •  894
    Zhivko replied

    I've made a typo in the submit form. Really sorry for this.

    Fix:

    1) Open file stachethemes_event_calendar \ view \ front \ forms \ default-submit-form.php

    2) Edit line 24 from:

     printf('<div class="stec-builder-element"><input class="stec-builder-element-content-input-style" name="short_desc" placeholder="%s" %s /></div>', esc_html__('Short Description', 'stec'), '');

    to:

    printf('<div class="stec-builder-element"><input class="stec-builder-element-content-input-style" name="description_short" placeholder="%s" %s /></div>', esc_html__('Short Description', 'stec'), '');

    Basically the input name is wrong. It should be "description_short" and not "short_desc"...


    Stachethemes Developer

  •   publicspace replied privately
  •  2
    publicspace replied

    Hi Zhivko - We are nearly there. 

    It is a great feature of Stachethemes Calendar that users can submit posts, AND they can view and edit their own posts before they are approved and published. That is a huge time-saver for Admin, because people often want to change something after viewing their new event post.  So thank you again for the code on Feb 25th below. 

    However, I realise it isn't secure yet, because subscriber users can re-edit their events after the event is approved and published.

    So is it possible to adjust that code to follow the usual WordPress capabilities?  Here is the php logic, but I don't know how to do the code for Stachethemes:  

    • if can edit_others_posts  OR
    • if it is the event author AND if can edit_posts  OR
    • if it is the event author AND if the event is not published 
    • then can edit the event post
    • else  cannot edit the event.

    I really hope that is possible.  Otherwise we will have to disable editing for security. 

    Thank you.!

  •  894
    Zhivko replied

    Try this one:

    add_filter('stec_user_can_edit_event', function ($default, $event) {
        // super can do whatever he wants
        if (is_super_admin()) {
            return true;
        }     $current_user_id = get_current_user_id();     // FALSE if not logged in
        if (0 === $current_user_id) {
            return false;
        }     // TRUE if can edit_others_posts
        if (true === current_user_can('edit_others_posts')) {
            return true;
        }     // TRUE if user is author and can edit_posts and event is not yet approved
        if (         $event->get_author() === $current_user_id &&         current_user_can('edit_posts') &&         0 === $event->get_approved()     ) {
            return true;
        }     // FALSE otherwise
        return false; }, 10, 2);

    Stachethemes Developer

  •  2
    publicspace replied

    Zhivko - Thank you. 

    The code snippet you sent is what we needed to make the editing of our Stachethemes events both flexible and secure.

    I have tested it, and it enables front-end editing by users as follows: 

    • WP Editors and Admin - can edit all published and unpublished events.
    • WP Authors - can edit their own published and unpublished events.
    • WP Subscribers + Contributors - can edit their own events but only before they are approved and published. 

    I slightly adapted the code to differentiate Authors and Subscribers. So in case it is useful to others, I include it below.

    Thank you again.

    add_filter('stec_user_can_edit_event', function ($default, $event) {
        
        $current_user_id = get_current_user_id();
        // FALSE if not logged in
        if (0 === $current_user_id) {
            return false;
        }
        // TRUE if can edit_others_posts - WP Admin and Editor roles 
        if (true === current_user_can('edit_others_posts')) {
            return true;
        }
        // TRUE if is event-author and can publish_posts - WP Author role
        if ($event--->get_author() === $current_user_id &&
            current_user_can('publish_posts') ) {
            return true;
        }
        // TRUE if is event-author and event not yet approved - WP Subscriber role
        if ($event->get_author() === $current_user_id &&
            0 === $event->get_approved() ) {
            return true;
        }
        // FALSE otherwise
        return false;
    }, 10, 2);