
fix: restore edit button for CPT published posts after 4.2.9 #1865

Merged
iftakharul-islam merged 4 commits into weDevsOfficial:develop from arifulhoque7:fix/edit-button-cpt-published-posts on May 22, 2026

Conversation


@arifulhoque7 arifulhoque7 commented May 20, 2026

Summary

  • Restore the dashboard edit button for non-admin authors of WPUF-managed custom post types with published posts — regression introduced in v4.2.9 by the authorization hardening in Add draft token and update authorization checks #1809.
  • Replace the 2020-era hardcoded 'post' !== $post->post_type gate in map_capabilities_for_post_authors() with a _wpuf_form_id meta gate so the edit_published_posts cap is granted only to authors of posts genuinely created via a WPUF form.
  • Preserve every check introduced by Add draft token and update authorization checks #1809 (wpuf_user_can_edit_post() lock/subscription/status/edit_others_posts logic stays intact).

Background

Reported on WordPress.org: Edit button disappears for published posts — works until 4.2.8.

Tracked in: weDevsOfficial/wpuf-pro#1547

Root cause

includes/Frontend/Frontend_Form.php::map_capabilities_for_post_authors() has hardcoded 'post' !== $post->post_type since commit 47ee5913 (Aug 2020). The filter therefore only ever granted edit_published_posts for the default post post type, never for CPTs.

This was latent until v4.2.9 #1809 refactored wpuf_is_post_editable() into a wrapper around the new wpuf_user_can_edit_post() helper, which now calls current_user_can( 'edit_post', $post_id ). Before #1809, the dashboard's wpuf_is_post_editable() never called current_user_can( 'edit_post' ). With the new gate active, the latent CPT exclusion in the cap filter denies the edit button for non-admin authors of published CPTs.

Fix

```php
// Old (line 465): post-type gate, which excluded every custom post type
'post' !== $post->post_type

// New: meta gate, so only posts created through a WPUF form qualify
$wpuf_form_id = absint( get_post_meta( $post_id, '_wpuf_form_id', true ) );
if ( empty( $wpuf_form_id ) ) {
    return $allcaps;
}
```

Also added defensive casts (absint() on $args[2] and $wp_user->ID), and an empty( $post ) guard.

WordFence-safety rationale

  • Author-only check kept: absint( $post->post_author ) !== absint( $wp_user->ID )
  • Only single smallest cap granted: edit_published_posts
  • WPUF dashboard setting check kept (enable_post_edit)
  • WPUF frontend edit page existence check kept
  • Gate is narrower than restoring the 2020 intent — only WPUF-form-originated posts qualify, not arbitrary CPTs (page, product, admin-created content)
  • No Add draft token and update authorization checks #1809 check removed, no draft-token flow resurrected, no post_author from request trusted

Drive-by PHPCS cleanup (same file)

While verifying with composer phpcs, fixed pre-existing violations in Frontend_Form.php:

| Change | Reason |
| --- | --- |
| `@header(...)` → `if ( ! headers_sent() ) { header(...); }` | Drop silenced error per WPCS |
| `wp_redirect()` → `wp_safe_redirect()` | Safer redirect for internal URL |
| `phpcs:ignore WordPress.Security.NonceVerification.Recommended` on email-verify `$_GET` reads | Intentional — link sent via email, validated via `wpuf_decryption()` + post-author check |
| `phpcs:ignore WordPress.WP.Capabilities.RoleFound` on `get_edit_post_link()` role checks | Intentional — swap WP admin edit link for WPUF link only for custom roles |
| Auto-fixes via `phpcbf` | Alignment, `else if` → `elseif`, multi-line function-call formatting |

Also bumped:

  • phpcs.xml.dist testVersion 5.6- → 7.4- (codebase already uses 7.1+ destructure + 7.3+ trailing commas)
  • composer.json "php": ">=5.5" → ">=7.4"
  • readme.txt Requires PHP: 5.6 → 7.4

Project-wide PHPCompatibility scan at 7.4 baseline: zero errors.

Test plan

  • Non-admin author + WPUF-managed CPT + published → edit button visible (the fix)
  • Non-admin author + default post type + WPUF-form-created + published → edit button visible (regression check)
  • Non-admin author + page / product / admin-created CPT (no _wpuf_form_id) → edit button hidden (no cap leak)
  • Non-author user + any post → edit button hidden
  • enable_post_edit setting OFF → edit button hidden
  • disable_publish_edit setting ON → edit button hidden (PR Add draft token and update authorization checks #1809 gate intact)
  • Draft CPT non-admin author → still editable
  • AJAX edit-submission path on published CPT (Frontend_Form_Ajax::edit_post via wpuf_user_can_edit_post()) → succeeds for author
  • WordFence scan: no new warnings vs. pre-patch

Summary by CodeRabbit

  • Chores

    • Increased minimum PHP requirement to 7.4 (config and docs updated).
  • Bug Fixes

    • Fix draft-saving response headers to avoid header-sent errors.
    • Use safer redirects during guest post verification.
    • Broaden frontend form editing permissions to support posts from custom forms and allow authors to edit their own posts without unnecessary capability checks.
    • Improve admin notification email validation and multi-value field handling.

Review Change Stack

`map_capabilities_for_post_authors()` only granted `edit_published_posts`
when `post_type === 'post'`, hardcoded since 2020. The 4.2.9 authorization
hardening (weDevsOfficial#1809) introduced `current_user_can('edit_post', $post_id)` in
the new `wpuf_user_can_edit_post()` helper, which surfaces the latent bug:
non-admin authors of WPUF-managed CPTs lose the dashboard edit button on
published posts.

Replace the post-type hardcode with a `_wpuf_form_id` meta gate. Only
posts genuinely created via a WPUF form receive the cap, keeping the
filter narrower than expanding to all CPTs and preserving every 4.2.9
hardening check (lock, subscription, status, edit_others_posts).

Also tightens with `absint()` casting and an `empty( $post )` guard for
WordFence-friendly defensive checks.

Refs: weDevsOfficial/wpuf-pro#1547

PHPCS cleanup in the same file (unrelated drive-by):
- @Header → headers_sent() guard (no silenced errors)
- wp_redirect → wp_safe_redirect
- phpcs:ignore blocks for intentional role checks and email-verify GETs
- testVersion bumped 5.6 → 7.4 in phpcs.xml.dist (matches actual syntax)
- composer.json + readme.txt PHP minimum aligned to 7.4
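The capability gate described in the Root cause, Fix and WordFence-safety sections above, written out as an added illustration of the pattern (this is not the plugin's own `map_capabilities_for_post_authors()`; everything other than WordPress core functions and the `_wpuf_form_id` meta key named on the page is an assumption, and the plugin's `enable_post_edit` and frontend-edit-page lookups are deliberately left out because their implementation is not shown here):

```php
<?php
/**
 * Example user_has_cap filter (added here, not the plugin's code).
 *
 * Grants the single cap `edit_published_posts` only when the post being
 * edited carries `_wpuf_form_id` meta (i.e. it was created through a WPUF
 * form) and the requesting user is its author. Every other case returns
 * $allcaps untouched, so a page, product or admin-created CPT without the
 * meta, or a non-author user, gains nothing from this filter.
 */
function wpuf_example_map_caps( $allcaps, $caps, $args, $user ) {
    // $args layout for 'edit_post': [0] requested cap, [1] user ID, [2] post ID.
    if ( empty( $args[0] ) || 'edit_post' !== $args[0] ) {
        return $allcaps;
    }

    // Defensive casts: never assume the raw values are integers.
    $post_id = isset( $args[2] ) ? absint( $args[2] ) : 0;
    $user_id = isset( $user->ID ) ? absint( $user->ID ) : 0;
    if ( ! $post_id || ! $user_id ) {
        return $allcaps;
    }

    // Guard against a missing or deleted post before touching its fields.
    $post = get_post( $post_id );
    if ( empty( $post ) ) {
        return $allcaps;
    }

    // Meta gate: only WPUF-form-originated posts qualify, whatever their post type.
    $wpuf_form_id = absint( get_post_meta( $post_id, '_wpuf_form_id', true ) );
    if ( empty( $wpuf_form_id ) ) {
        return $allcaps;
    }

    // Author-only: compare integer IDs, never the request's own claim of authorship.
    if ( absint( $post->post_author ) !== $user_id ) {
        return $allcaps;
    }

    // Grant the single smallest cap the edit_post meta-cap mapping needs
    // for a published post; no other capability is added or removed.
    $allcaps['edit_published_posts'] = true;
    return $allcaps;
}
add_filter( 'user_has_cap', 'wpuf_example_map_caps', 10, 4 );
```

Because only a primitive cap is set on the already-mapped `$allcaps`, the lock, subscription, status and `edit_others_posts` checks that `wpuf_user_can_edit_post()` performs on top of `current_user_can( 'edit_post', $post_id )` still apply unchanged.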
coderabbitai Bot commented May 20, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

Bumps plugin PHP requirement to 7.4 and tightens Frontend_Form and related authorization/email code: conditional draft headers, sanitized/decrypted verification params with safe redirects, expanded WPUF-created post capability mapping, and validated admin recipient/body construction.

Changes

PHP 7.4 Version Constraint Updates

| Layer / File(s) | Summary |
| --- | --- |
| Version constraint updates across config files: composer.json, phpcs.xml.dist, readme.txt | Composer php requirement, PHPCS testVersion, and plugin Requires PHP metadata updated to 7.4. |

Frontend_Form Security and Permission Improvements

| Layer / File(s) | Summary |
| --- | --- |
| Draft responses and guest verification flows: includes/Frontend/Frontend_Form.php | Conditional JSON Content-Type header for draft_post(), sanitized guest-post init, wp_safe_redirect for pending-payment flows, and empty-checks before decrypting verification params. |
| Frontend editing capability mapping and edit link gating: includes/Frontend/Frontend_Form.php, wpuf-functions.php | map_capabilities_for_post_authors() broadened to WPUF-created post types via _wpuf_form_id meta; ownership and frontend edit-link required before granting edit capabilities; get_edit_post_link() gating tightened; wpuf_user_can_edit_post() authorization check conditioned on ownership. |
| Admin email recipient filtering and mail body preparation: includes/Frontend/Frontend_Form.php | Admin recipient list constructed by trimming and validating comma-separated addresses (dropping invalid entries); prepare_mail_body() concatenation adjusted for multi-valued custom-field values and attachment URLs. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • weDevsOfficial/wp-user-frontend#1651: Both PRs modify the guest post email verification flow—main PR sanitizes/decrypts p_id/f_id and adjusts verification-related redirect/headers in Frontend_Form, while the retrieved PR fixes verification email sending/link generation in Frontend_Form_Ajax.php/wpuf_send_mail_to_guest().
  • weDevsOfficial/wp-user-frontend#1585: Both PRs update the guest-mail-admin notification flow in includes/Frontend/Frontend_Form.php to sanitize/validate recipient email addresses.
  • weDevsOfficial/wp-user-frontend#1809: Both PRs touch edit-authorization and draft/guest-post handling in includes/Frontend/Frontend_Form.php and related functions.

Suggested reviewers

  • sapayth
  • Rubaiyat-E-Mohammad

"🐰 I hopped through code with a careful nose,
Bumped PHP to seven-four as the changelog shows,
I guarded guest links and trimmed each mail,
Ensured edits map to the rightful trail,
A tiny rabbit's cheer for safer flows!"

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title accurately and specifically describes the main fix: restoring the edit button functionality for custom post type (CPT) published posts that regressed in version 4.2.9. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@arifulhoque7 arifulhoque7 self-assigned this May 20, 2026
@arifulhoque7 arifulhoque7 added needs: testing needs: dev review This PR needs review by a developer labels May 20, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
readme.txt (1)

8-8: ⚖️ Poor tradeoff

Consider PHP 8.0+ as the minimum version.

PHP 7.4 reached end-of-life in November 2022 and no longer receives security updates. If the codebase is compatible, consider setting the minimum to PHP 8.0 (EOL Nov 2023) or PHP 8.1 (supported until Nov 2025) to encourage users toward actively supported versions.

This suggestion assumes no major compatibility barriers exist for PHP 8.0+. If this bump to 7.4 is a stepping stone in a gradual migration strategy, the current approach is reasonable.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@readme.txt` at line 8, Update the minimum PHP version string in the README by
replacing the current "Requires PHP: 7.4" declaration with a supported baseline
such as "Requires PHP: 8.0" (or "8.1" if you prefer to require a newer supported
version); ensure the README's PHP requirement line is the only change and that
any accompanying compatibility notes are adjusted to reflect the new minimum.
Inline comments:
In `@readme.txt`:
- Line 8: Add a clear changelog entry documenting the breaking change that the
minimum PHP requirement has increased from 5.6 to 7.4 (as shown by the "Requires
PHP: 7.4" line); place a new version header at the top of the changelog section
describing the version, date, and a short note that the update requires PHP 7.4+
and may prevent upgrades for users on older PHP versions, and include migration
guidance or a link to docs for users who cannot upgrade immediately.


@iftakharul-islam iftakharul-islam left a comment


Looks fine

@iftakharul-islam iftakharul-islam self-assigned this May 22, 2026
@iftakharul-islam iftakharul-islam merged commit 070cbfc into weDevsOfficial:develop May 22, 2026
1 of 2 checks passed