Support REST API by User entries

Hi All

We are using the Gravity Forms REST API.
We allow different users,
which are in the role Subscriber (not Administrator),
to submit a specific form by API.

e.g.

/wp-json/gf/v2/forms/3/submissions
{
    "input_3": "2",
    "input_1": "UniqeTransactionId"
}

The result is a sample JSON:

{
    "is_valid": true,
    "page_number": 0,
    "source_page_number": 1,
    "confirmation_message": "{\"id\":\"912\",\"form_id\":\"3\",\"post_id\":null,\"date_created\":\"2024-08-13 10:40:16\",\"date_updated\":\"2024-08-13 10:40:16\",\"is_starred\":\"0\",\"is_read\":\"0\",\"ip\":\"\",\"source_url\":\"\",\"user_agent\":\"PostmanRuntime\\/7.40.0\",\"currency\":\"USD\",\"payment_status\":null,\"payment_date\":null,\"payment_amount\":null,\"payment_method\":null,\"transaction_id\":null,\"is_fulfilled\":null,\"created_by\":\"1\",\"transaction_type\":null,\"status\":\"active\",\"3\":\"2\",}",
    "confirmation_type": "message"
}

This creates an entry, with the field of the user that submitted.
The "confirmation_message" contains the "created_by" value, which is the user that invoked it.
Now we wanted to allow the user to retrieve only the entries he submitted,
so we tried to call
wp-json/gf/v2/entries/
But that failed because the API is not allowed if the user doesn't have the View Entries capability.
We added the capability to the Subscriber role (using the "members" plugin) and now any subscriber can view all the entries.
To solve this, we edited the following file:

gravityforms/includes/webapi/v2/includes/controllers/class-controller-entries.php

and in this file we modified the get_item method

public function get_item( $request ) {

	$entry_id = $request->get_param( 'entry_id' );
	$entry    = GFAPI::get_entry( $entry_id );

	if ( is_wp_error( $entry ) ) {
		return new WP_Error( 'gf_entry_invalid_id', __( 'Invalid entry id.', 'gravityforms' ), array( 'status' => 404 ) );
	}

	// Added check: a subscriber may only retrieve entries they created themselves.
	// Only the 'subscriber' role is covered; other non-administrator roles pass through unchanged.
	$current_user = wp_get_current_user();
	if ( in_array( 'subscriber', (array) $current_user->roles ) ) {
		if ( $entry['created_by'] != get_current_user_id() ) {
			return new WP_Error( 'gf_entry_invalid_id', __( 'Entry is not related to user.', 'gravityforms' ), array( 'status' => 404 ) );
		}
	}

	// The remainder of the original get_item() method continues here unchanged.
}

Now this works correctly and retrieves only the entries created by the user.
Our question: is there a more efficient way to do this?
The problems we see:
1. On every plugin update, all changes will be overridden and we need to write them again.
2. If we want to add this functionality to other APIs, such as allowing a subscriber to delete his entries, we will need to add this code to other files.
Is there a better way?
Thanks
Yoav

Editing the plugin files is not recommended or supported, so you should make use of an available filter to perform your customization via the theme functions.php file, a custom plugin, or a code snippets plugin.

In this case, you could use the gform_rest_api_capability_get_entries filter. Ignore the name; it also applies to the get entry endpoint.

Here’s an example:

add_filter( 'gform_rest_api_capability_get_entries', function ( $capability, $request ) {
	// If this isn't a get entry request abort early.
	$entry_id = $request->get_param( 'entry_id' );
	if ( empty( $entry_id ) ) {
		return $capability;
	}

	// If the entry doesn't exist abort early.
	$entry = GFAPI::get_entry( $entry_id );
	if ( is_wp_error( $entry ) ) {
		return $capability;
	}

	// If the user isn't a subscriber abort early.
	$current_user = wp_get_current_user();
	if ( ! in_array( 'subscriber', (array) $current_user->roles ) ) {
		return $capability;
	}

	$user_is_creator = $current_user->ID == rgar( $entry, 'created_by' );

	// If the user didn't create the entry, deny access by returning a capability that doesn't exist.
	return $user_is_creator ? $capability : 'invalid_capability';
}, 10, 2 );
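As an added example (not code from this thread or from Gravity Forms), the same ownership check registered once on both the get-entry and delete-entry capability filters, which covers the second question in the original post; it also denies the collection request (no entry_id) for the restricted roles instead of leaving it open. The yoav_gf_ function names are hypothetical, and the delete filter name is assumed to follow the same gform_rest_api_capability_{method}_{resource} pattern as the get filter used in the reply.

```php
<?php
// Added example: one ownership check shared by the get-entry and delete-entry
// REST endpoints. Function names are hypothetical; the delete filter name is an
// assumption based on the naming pattern of the get filter shown in the reply.

function yoav_gf_restricted_roles() {
	// Roles that may only touch their own entries; extend as needed.
	return array( 'subscriber' );
}

function yoav_gf_entry_owner_capability( $capability, $request ) {
	$current_user = wp_get_current_user();
	$restricted   = array_intersect( yoav_gf_restricted_roles(), (array) $current_user->roles );

	// Unrestricted roles keep the plugin's default capability check.
	if ( empty( $restricted ) ) {
		return $capability;
	}

	// A collection request (no entry_id) would expose every entry to a restricted
	// role that holds the view-entries capability, so deny it outright.
	$entry_id = $request->get_param( 'entry_id' );
	if ( empty( $entry_id ) ) {
		return 'invalid_capability';
	}

	// Unknown entry: keep the default capability so the controller returns its own 404.
	$entry = GFAPI::get_entry( $entry_id );
	if ( is_wp_error( $entry ) ) {
		return $capability;
	}

	// created_by is stored as a string (or null for anonymous entries); compare as
	// integers so a null creator never matches a logged-in user.
	$is_owner = (int) rgar( $entry, 'created_by' ) === (int) $current_user->ID;

	// Returning a capability that does not exist makes the permission check fail.
	return $is_owner ? $capability : 'invalid_capability';
}

add_filter( 'gform_rest_api_capability_get_entries', 'yoav_gf_entry_owner_capability', 10, 2 );
add_filter( 'gform_rest_api_capability_delete_entries', 'yoav_gf_entry_owner_capability', 10, 2 );
```

Place this in the theme functions.php, a custom plugin, or a code snippets plugin as the reply suggests, so it survives plugin updates.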
