Hi all,
We are using the Gravity Forms REST API.
We allow different users,
who are in the Subscriber role (not Administrator),
to submit a specific form through the API,
e.g.
/wp-json/gf/v2/forms/3/submissions
{
"input_3": "2",
"input_1": "UniqeTransactionId"
}
The result is a sample JSON:
{
"is_valid": true,
"page_number": 0,
"source_page_number": 1,
"confirmation_message": "{\"id\":\"912\",\"form_id\":\"3\",\"post_id\":null,\"date_created\":\"2024-08-13 10:40:16\",\"date_updated\":\"2024-08-13 10:40:16\",\"is_starred\":\"0\",\"is_read\":\"0\",\"ip\":\"\",\"source_url\":\"\",\"user_agent\":\"PostmanRuntime\\/7.40.0\",\"currency\":\"USD\",\"payment_status\":null,\"payment_date\":null,\"payment_amount\":null,\"payment_method\":null,\"transaction_id\":null,\"is_fulfilled\":null,\"created_by\":\"1\",\"transaction_type\":null,\"status\":\"active\",\"3\":\"2\",}",
"confirmation_type": "message"
}
This creates an entry with the field of the user that submitted.
The "confirmation_message" contains the "created_by" value, which is the user that invoked.
Now we wanted to let the user retrieve only the entries he submitted,
so we tried to call
wp-json/gf/v2/entries/
But that failed, because the API is not allowed if the user doesn't have the View Entries capability.
We added the capability to the Subscriber role (using the "Members" plugin), and now any subscriber can view all the entries.
To solve this, we edited the following file:
gravityforms/includes/webapi/v2/includes/controllers/class-controller-entries.php
and in this file we modified the get_item method:
    public function get_item( $request ) {
        $entry_id = $request->get_param( 'entry_id' );
        $entry    = GFAPI::get_entry( $entry_id );
        if ( is_wp_error( $entry ) ) {
            return new WP_Error( 'gf_entry_invalid_id', __( 'Invalid entry id.', 'gravityforms' ), array( 'status' => 404 ) );
        }
        $current_user = wp_get_current_user();
        // Administrators: no extra restriction.
        if ( in_array( 'administrator', (array) $current_user->roles ) ) {}
        // Subscribers: only entries they created themselves.
        if ( in_array( 'subscriber', (array) $current_user->roles ) ) {
            if ( $entry['created_by'] != get_current_user_id() ) {
                return new WP_Error( 'gf_entry_invalid_id', __( 'Entry is not related to user.', 'gravityforms' ), array( 'status' => 404 ) );
            }
        }
Now this works correctly and retrieves only the entries by the user.
Our question: is there an efficient way to do this?
The problems we see:
1. On every plugin update, all changes will be overridden and we need to write them again.
2. If we want to add this functionality to other APIs, such as allowing a subscriber to delete his entries, we will need to add this code in other files.
Is there a better way?
Thanks,
Yoav
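
An added example, not part of the original post and not Gravity Forms' own code: the same ownership check moved out of the plugin's files into a small separate plugin, hooked on WordPress core's `rest_request_before_callbacks` filter so it survives updates and covers every method on an entry (view, update, delete) as well as the entry lists. The function name is hypothetical; treating `manage_options` as the "may see everything" capability and the `search` JSON format of the GF REST API v2 are assumptions.

```php
<?php
/**
 * Plugin Name: GF REST entry ownership (added example)
 */
add_filter( 'rest_request_before_callbacks', 'example_gf_limit_entries_to_owner', 10, 3 );

// Hypothetical helper: restricts /gf/v2 entry routes to the entry's creator.
function example_gf_limit_entries_to_owner( $response, $handler, $request ) {
    $route = $request->get_route();

    // Leave earlier errors and routes outside the Gravity Forms API alone.
    if ( is_wp_error( $response ) || 0 !== strpos( $route, '/gf/v2/' ) ) {
        return $response;
    }
    // Assumption: users with manage_options may work with every entry.
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }
    $user_id = get_current_user_id();

    // One entry, any HTTP method, including sub-routes below the entry.
    if ( preg_match( '#^/gf/v2/entries/(\d+)(/|$)#', $route, $m ) ) {
        $entry = GFAPI::get_entry( (int) $m[1] );
        // user id 0 (not logged in) never counts as an owner.
        if ( 0 === $user_id || is_wp_error( $entry )
            || (int) $entry['created_by'] !== $user_id ) {
            // Same answer for "missing" and "not yours", so the response
            // does not reveal which entry ids exist.
            return new WP_Error( 'gf_entry_invalid_id', 'Invalid entry id.', array( 'status' => 404 ) );
        }
        return $response;
    }

    // Entry lists: /entries and /forms/<id>/entries.
    if ( 'GET' === $request->get_method()
        && preg_match( '#^/gf/v2/(forms/\d+/)?entries/?$#', $route ) ) {
        // Replace (not merge) any caller-supplied search, so a crafted
        // filter cannot widen the result beyond the caller's own entries.
        $request->set_param( 'search', wp_json_encode( array(
            'field_filters' => array(
                array( 'key' => 'created_by', 'value' => $user_id ),
            ),
        ) ) );
    }
    return $response;
}
```

Gravity Forms' own capability check still runs after this filter, so the subscriber role keeps needing the View Entries capability (and the delete capability, if deletion is allowed).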