By: TRACY DOUGLASS | Asked: 06/21/2022
TRACY DOUGLASS asked 2 years ago
Hi - I have realized that when a user edits a form, the ID number in the URL can be changed manually to load another record, as long as that user meets the "forms visibility" rule set in the form settings. If I could expand on the "forms visibility" options and include a user meta field I think I can prevent this problem. But in the FF settings, it only allows selecting visibility by user role. Do you have a suggestion on how to add to this? Example: I have a view with a record edit option. That view has filter settings restricting the records shown by a user meta field: "field[x] is equal to [user_meta key=reportingid]". The user can select to edit a record on the front end. The problem is, this user can now see in the URL a very simple address with an id number, and can then CHANGE the id number to any number and a record will load if there's a match, regardless of the filter settings in the view. This is a major security issue. What would be optimal is that every time the form loads, it compares the user meta to the field. Ex: I'd like user meta field "A" to be compared to form field [1250], and if they match, then the user can proceed; otherwise, the form gets redirected to the home page with an "unauthorized" message. I know how to write the PHP code to retrieve and compare this information, but I don't know where to put it. Perhaps I'm missing something in the form setup as well, and I'm making it more difficult than it needs to be. Please help! Thank you, Tracy D.
3 Answers
Victor Font answered 2 years ago
This is an interesting and timely question. Over the past several weeks I've been asked this question by three or four people. My answer is always the same. Use WordPress nonce. Your way will work but the solution seems over-engineered. First and foremost, Formidable is a WordPress Application Builder. When the foundation is WordPress, the entire WordPress API infrastructure is available to use. WordPress nonce is designed to secure URLs or forms with a session token tied to the user's session. The nonce is active while the user is logged in. The WordPress developer docs say,
"You can create a nonce and add it to the query string in a URL, you can add it in a hidden field in a form, or you can use it some other way."
Victor Font replied 2 years ago

This is the approach I would investigate if I were working on a paid project that had this requirement.

TRACY DOUGLASS replied 2 years ago

Thank you. I have started looking into this. I find the nonce information a bit confusing, especially in how to use it in conjunction with the FF framework. I understand how it works, but not so much how to implement it.

Merlin Rose answered 2 years ago
For this I use the frm_display_form_action hook. This hook allows you to do something before the form is displayed, such as checking the number of entries and displaying a message if the number of entries has reached its limit. You can add these code samples to a new plugin or to your theme's functions.php at the very bottom, before the last ?> if there is one.
TRACY DOUGLASS replied 2 years ago

Thank you, I'm going to check this out. I used add_filter('frm_setup_edit_fields_vars', ...) and have it working. But perhaps this hook you mentioned may work better. I'm not educated enough to know exactly how "safe" it all ends up being in either case.

Merlin Rose replied 2 years ago

The frm_setup_edit_fields_vars is for changing values in fields when editing an entry. I think the frm_display_form_action is perfect for your case.

I have a platform where attendees can register for events, and every event has its own maximum number of attendees. Before they load the form I check the open spots in frm_display_form_action, and if registered attendees >= maximum spots, I "close" the form and show a note. I have tons of other cases where I check user roles, user meta, current time and so on, and it always works "safe".

TRACY DOUGLASS replied 2 years ago

I'm working on this currently and it seems to be working very well for me. I very much appreciate your response!! I have a question perhaps you can answer: I removed the lines for remove_filter('frm_continue_to_new', '__return_false', 50); and add_filter('frm_continue_to_new', '__return_false', 50);. They didn't seem to be doing anything in my code. I simply have an echo message and "exit" if the user doesn't meet the criteria to load the form, and that works.

What are those 2 filters actually doing ? In the examples, one is at the beginning and the other at the end.

Merlin Rose replied 2 years ago

I didn't know exactly, but I think this is for loading the final form. If you delete these lines your code will not have any effect, because at the beginning the loading of the form is turned off and only turned on again if the criteria match. With this deleted the form will always load, because this is the default.

I don't know if exit is the best solution, because the form should load anyway but will not be shown. I'm not really sure about the consequences of just "exiting" the code at this point.

TRACY DOUGLASS replied 2 years ago

I wonder then, why is the "remove filter" at the beginning, prior to the form id being identified? Doesn't that mean it runs every time regardless of the form being loaded? I've tried several scenarios to see how it affects my forms and I can't understand it. But my code does not run at all with it, so hopefully it won't come back to haunt me since I removed it.

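A guard along the lines Merlin describes, written as an added example for this thread (it is not code from the thread, from Formidable's docs or from the plugin itself). It assumes frm_display_form_action passes ($params, $fields, $form) with $params['action'] set to 'edit' and $params['id'] holding the entry being edited, that FrmEntry::getOne($id, true) returns the entry with its values in ->metas keyed by field ID, and that the protected form's ID is a placeholder; field 1250 and the reportingid user meta key come from the question. The frm_continue_to_new filter is used the way the thread discusses: blocked by default, re-enabled at the top of the callback, and blocked again when the ownership check fails.

```php
<?php
// Added example (not from the thread or from Formidable). Assumed hook signature:
// ($params, $fields, $form); assumed FrmEntry::getOne($id, true) fills ->metas.

// Default: do not render the form. The callback re-enables rendering only
// after the ownership check below has passed.
add_filter( 'frm_continue_to_new', '__return_false', 50 );
add_action( 'frm_display_form_action', 'example_guard_entry_edit', 8, 3 );

function example_guard_entry_edit( $params, $fields, $form ) {
    // Allow rendering again; it is re-blocked further down on failure.
    remove_filter( 'frm_continue_to_new', '__return_false', 50 );

    $protected_form_id = 5;            // placeholder: replace with the real form ID
    $field_id          = 1250;         // field holding the record's reporting ID (from the question)
    $meta_key          = 'reportingid'; // user meta key (from the question)

    // Only entry edits of the protected form are checked; everything else is untouched.
    if ( (int) $form->id !== $protected_form_id || empty( $params['action'] ) || 'edit' !== $params['action'] ) {
        return;
    }

    $entry_id  = isset( $params['id'] ) ? absint( $params['id'] ) : 0;
    $entry     = $entry_id ? FrmEntry::getOne( $entry_id, true ) : null;
    $user_val  = is_user_logged_in() ? get_user_meta( get_current_user_id(), $meta_key, true ) : '';
    $entry_val = ( $entry && isset( $entry->metas[ $field_id ] ) ) ? $entry->metas[ $field_id ] : null;

    // Deny when the user has no reporting ID, the entry has none, or they differ.
    // Strict string comparison avoids PHP loose-comparison surprises such as '0' == ''.
    $authorized = ( '' !== (string) $user_val )
        && ( null !== $entry_val )
        && ( (string) $user_val === (string) $entry_val );

    if ( ! $authorized ) {
        // Block the form, then send the user to the home page with an "unauthorized"
        // flag. A redirect only works while no output has been sent, so fall back to
        // an on-page message instead of calling exit() mid-render.
        add_filter( 'frm_continue_to_new', '__return_false', 50 );
        if ( ! headers_sent() ) {
            wp_safe_redirect( add_query_arg( 'unauthorized', '1', home_url( '/' ) ) );
            exit;
        }
        echo esc_html__( 'You are not authorized to edit this record.', 'example-textdomain' );
    }
}
```

The comparison is done server-side against the stored entry, so changing the id in the URL only changes which record is compared; a mismatch is refused regardless of what the view's filter shows.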
Bobby Clapp answered 2 years ago
Another alternate solution that came from this question is to implement a "token" field that can be applied to a view filter:
TRACY DOUGLASS replied 2 years ago

So this token gets stored in a field in each record created. If I have a user who is allowed to view a selection of multiple records, but not all records, how does this token field help me filter those records, particularly if a user edits the URL directly?

Bobby Clapp replied 2 years ago

If you need to display multiple records (privately), but then also only allow the appropriate person to see the individual detail of those records, you're probably going to want to replicate the same thing and maybe apply it to user meta as a "user_token". You'll probably want to try taking advantage of the user registration add-on.
