This small problem is preventing us going live. The events look great, but anyone can edit them from the front-end.
I first set up the single calendar so that a logged-in user can edit their event from the front-end. Then changed it to Author, and then to Administrator only.
Each time, the edit icon remains visible, even when not logged in, even in a different browser, and even on a different computer.
It therefore enables anyone to edit every event.
(This is not a cache problem - I have disabled and cleared every cache.)
Can the plugin enable only the logged in author of an event can edit it? It will be excellent if that is possible.
If not, I just need a way to prevent anyone editing every event!
Try setting the Calendar's "Back-End Visibility" to "Just Me". This equals to 'private'.
As a last resort you could overwrite the permission via a filter:
// Allow the admin and event's author to edit
add_filter('stec_user_can_edit_event', function ($default, $event) {
// super admin can do whatever he wants... if (is_super_admin()) { return true; }
// true if user is author of this event | false otherwise return $event->get_author() === get_current_user_id();
}, 10, 2);
Thank you. I have used the code you supplied below, and it now seems correctly to restrict editing to Admin and the Author of the event.
However, it is not possible to edit an event because the form demands that you select which Calendar, but without providing any option to select. (In this case there is only one calendar.) I attach two screenshots to show you.
(To check this was not a problem that I introduced, I removed all my CSS, and restored the original default-submit-form.php file, and the problem is still there.)
Is this a problem you recognise and can solve? I would like to remove the calendar option, and simply select the one calendar. Thank you.
Thank you. I see I had set it to Administrator, when trying to deal with the previous challenge. Apologies. So now it is set to 'logged in users'. So the editor works.
However a final problem is that the editor does not show the existing 'Short description'. I have tested this with the original 'default-submit-form', and it is the same. Again, is there something you know that will be causing this? (If I leave it blank, the existing Short description remains after submitting the edit.)
It is a great feature of Stachethemes Calendar that users can submit posts, AND they can view and edit their own posts before they are approved and published. That is a huge time-saver for Admin, because people often want to change something after viewing their new event post. So thank you again for the code on Feb 25th below.
However, I realise it isn't secure yet, because subscriber users can re-edit their events after the event is approved and published.
So is it possible to adjust that code to follow the usual WordPress capabilities? Here is the php logic, but I don't know how to do the code for Stachethemes:
if can edit_others_posts OR
if it is the event author AND if can edit_posts OR
if it is the event author AND if the event is not published
then can edit the event post
else cannot edit the event.
I really hope that is possible. Otherwise we will have to disable editing for security.
add_filter('stec_user_can_edit_event', function ($default, $event) {
// super can do whatever he wants if (is_super_admin()) { return true; }
$current_user_id = get_current_user_id();
// FALSE if not logged in if (0 === $current_user_id) { return false; }
// TRUE if can edit_others_posts if (true === current_user_can('edit_others_posts')) { return true; }
// TRUE if user is author and can edit_posts and event is not yet approved if (
$event->get_author() === $current_user_id &&
current_user_can('edit_posts') &&
0 === $event->get_approved()
) { return true; }
// FALSE otherwise return false;
}, 10, 2);
The code snippet you sent is what we needed to make the editing of our Stachethemes events both flexible and secure.
I have tested it, and it enables front-end editing by users as follows:
WP Editors and Admin - can edit all published and unpublished events.
WP Authors - can edit their own published and unpublished events.
WP Subscribers + Contributors - can edit their own events but only before they are approved and published.
I slightly adapted the code to differentiate Authors and Subscribers. So in case it is useful to others, I include it below.
Thank you again.
add_filter('stec_user_can_edit_event', function ($default, $event) {
$current_user_id = get_current_user_id();
// FALSE if not logged in
if (0 === $current_user_id) {
return false;
}
// TRUE if can edit_others_posts - WP Admin and Editor roles
if (true === current_user_can('edit_others_posts')) {
return true;
}
// TRUE if is event-author and can publish_posts - WP Author role
if ($event--->get_author() === $current_user_id &&
current_user_can('publish_posts') ) {
return true;
}
// TRUE if is event-author and event not yet approved - WP Subscriber role
if ($event->get_author() === $current_user_id &&
0 === $event->get_approved() ) {
return true;
}
// FALSE otherwise
return false;
}, 10, 2);
Hi.
This small problem is preventing us going live. The events look great, but anyone can edit them from the front-end.
I first set up the single calendar so that a logged-in user can edit their event from the front-end. Then changed it to Author, and then to Administrator only.
Each time, the edit icon remains visible, even when not logged in, even in a different browser, and even on a different computer.
It therefore enables anyone to edit every event.
(This is not a cache problem - I have disabled and cleared every cache.)
Can the plugin enable only the logged in author of an event can edit it? It will be excellent if that is possible.
If not, I just need a way to prevent anyone editing every event!
Hope you can help.
Thank you.
Try setting the Calendar's "Back-End Visibility" to "Just Me". This equals to 'private'.
As a last resort you could overwrite the permission via a filter:
// Allow the admin and event's author to edit add_filter('stec_user_can_edit_event', function ($default, $event) { // super admin can do whatever he wants...if (is_super_admin()) {
return true;
} // true if user is author of this event | false otherwise
return $event->get_author() === get_current_user_id(); }, 10, 2);
Stachethemes Developer
Thank you. I have used the code you supplied below, and it now seems correctly to restrict editing to Admin and the Author of the event.
However, it is not possible to edit an event because the form demands that you select which Calendar, but without providing any option to select. (In this case there is only one calendar.) I attach two screenshots to show you.
(To check this was not a problem that I introduced, I removed all my CSS, and restored the original default-submit-form.php file, and the problem is still there.)
Is this a problem you recognise and can solve? I would like to remove the calendar option, and simply select the one calendar. Thank you.
Make sure in Add/Edit Calendar page "Who can add events from the front-end" has valid value.
Stachethemes Developer
Hi Zhivko
Thank you. I see I had set it to Administrator, when trying to deal with the previous challenge. Apologies. So now it is set to 'logged in users'. So the editor works.
However a final problem is that the editor does not show the existing 'Short description'. I have tested this with the original 'default-submit-form', and it is the same. Again, is there something you know that will be causing this? (If I leave it blank, the existing Short description remains after submitting the edit.)
I've made a typo in the submit form. Really sorry for this.
Fix:
1) Open file stachethemes_event_calendar \ view \ front \ forms \ default-submit-form.php
2) Edit line 24 from:
printf('<div class="stec-builder-element"><input class="stec-builder-element-content-input-style" name="short_desc" placeholder="%s" %s /></div>', esc_html__('Short Description', 'stec'), '');to:
printf('<div class="stec-builder-element"><input class="stec-builder-element-content-input-style" name="description_short" placeholder="%s" %s /></div>', esc_html__('Short Description', 'stec'), '');Basically the input name is wrong. It should be "description_short" and not "short_desc"...
Stachethemes Developer
Hi Zhivko - We are nearly there.
It is a great feature of Stachethemes Calendar that users can submit posts, AND they can view and edit their own posts before they are approved and published. That is a huge time-saver for Admin, because people often want to change something after viewing their new event post. So thank you again for the code on Feb 25th below.
However, I realise it isn't secure yet, because subscriber users can re-edit their events after the event is approved and published.
So is it possible to adjust that code to follow the usual WordPress capabilities? Here is the php logic, but I don't know how to do the code for Stachethemes:
I really hope that is possible. Otherwise we will have to disable editing for security.
Thank you.!
Try this one:
add_filter('stec_user_can_edit_event', function ($default, $event) { // super can do whatever he wants
if (is_super_admin()) {
return true;
} $current_user_id = get_current_user_id(); // FALSE if not logged in
if (0 === $current_user_id) {
return false;
} // TRUE if can edit_others_posts
if (true === current_user_can('edit_others_posts')) {
return true;
} // TRUE if user is author and can edit_posts and event is not yet approved
if ( $event->get_author() === $current_user_id && current_user_can('edit_posts') && 0 === $event->get_approved() ) {
return true;
} // FALSE otherwise
return false; }, 10, 2);
Stachethemes Developer
Zhivko - Thank you.
The code snippet you sent is what we needed to make the editing of our Stachethemes events both flexible and secure.
I have tested it, and it enables front-end editing by users as follows:
I slightly adapted the code to differentiate Authors and Subscribers. So in case it is useful to others, I include it below.
Thank you again.
add_filter('stec_user_can_edit_event', function ($default, $event) { $current_user_id = get_current_user_id(); // FALSE if not logged in if (0 === $current_user_id) { return false; } // TRUE if can edit_others_posts - WP Admin and Editor roles if (true === current_user_can('edit_others_posts')) { return true; } // TRUE if is event-author and can publish_posts - WP Author role if ($event--->get_author() === $current_user_id && current_user_can('publish_posts') ) { return true; } // TRUE if is event-author and event not yet approved - WP Subscriber role if ($event->get_author() === $current_user_id && 0 === $event->get_approved() ) { return true; } // FALSE otherwise return false; }, 10, 2);