Security: hook frm_user_can_edit and permissions on create

By: Phil Knb | Asked: 06/21/2023
ForumsCategory: Code HelpSecurity: hook frm_user_can_edit and permissions on create
Phil Knb asked 10 months ago
We use the hook frm_user_can_edit to limit entries a user can update/delete.
But if we return false in this hook, the form appears in "create" mode.
I don't want these users to be able to create new entry, they should just be able to edit some of them (not their own).
Moreover, if in the url the user delete frm_action and entry parameters, the form appears in "create" mode too (and hook frm_user_can_edit is not called). It seems there is no hook to forbid access to the form.

To resume:
-> a user can edit/delete some entries (hook frm_user_can_edit)
-> but this user should not be able to add entry Any idea how can we implement that? Thanks!
1 Answers
Victor Font answered 10 months ago

Formidable is not designed to be a high security tool. Form permissions support basic CRUD configuration, that's all. Beyond that, perhaps you should investigate a custom solution or use a membership management add-on to provide a higher level of security.

Phil Knb replied 10 months ago

It's curious to have the frm_user_can_edit hook to check permissions on edit/delete but not on display/create. I have sent an email to the support to see if they have any ideas.
For now, I will use frm_user_can_edit hook for edit/update and frm_filter_final_form for create.
Thank you.

Making the Best WordPress Plugin even better - Together

Take on bigger projects with confidence knowing you have access to an entire community of Formidable Experts and Professionals who have your back when the going gets tough. You got this!
Join the community