2 changes: 1 addition & 1 deletion composer.json
Expand Up @@ -11,7 +11,7 @@
],
"minimum-stability": "dev",
"require": {
"php": ">=5.5",
"php": ">=7.4",
"composer/installers": ">=1.4",
"wedevs/wp-utils": "dev-main"
},
70 changes: 48 additions & 22 deletions includes/Frontend/Frontend_Form.php
Expand Up @@ -185,7 +185,10 @@ public function make_media_embed_code() {
public function draft_post() {
check_ajax_referer( 'wpuf_form_add' );
add_filter( 'wpuf_form_fields', [ $this, 'add_field_settings' ] );
@header( 'Content-Type: application/json; charset=' . get_option( 'blog_charset' ) );

if ( ! headers_sent() ) {
header( 'Content-Type: application/json; charset=' . get_option( 'blog_charset' ) );
}

$form_id = isset( $_POST['form_id'] ) ? intval( wp_unslash( $_POST['form_id'] ) ) : 0;
$form = new Form( $form_id );
Expand Down Expand Up @@ -362,9 +365,13 @@ public function add_post_shortcode( $atts ) {
* @since 2.5.8
*/
public function publish_guest_post() {
// Email-verification flow: link is sent to guest's inbox; payload is validated
// via wpuf_decryption() and post-author check below — no form nonce applies.
// phpcs:disable WordPress.Security.NonceVerification.Recommended
$post_msg = isset( $_GET['post_msg'] ) ? sanitize_text_field( wp_unslash( $_GET['post_msg'] ) ) : '';
$pid = isset( $_GET['p_id'] ) ? sanitize_text_field( wp_unslash( $_GET['p_id'] ) ) : '';
$fid = isset( $_GET['f_id'] ) ? sanitize_text_field( wp_unslash( $_GET['f_id'] ) ) : '';
// phpcs:enable WordPress.Security.NonceVerification.Recommended

if ( $post_msg !== 'verified' ) {
return;
Expand Down Expand Up @@ -411,7 +418,7 @@ public function publish_guest_post() {
get_permalink( wpuf_get_option( 'payment_page', 'wpuf_payment' ) )
);

wp_redirect( $response['redirect_to'] );
wp_safe_redirect( $response['redirect_to'] );
wpuf_clear_buffer();
wp_send_json_error( $response );
}
Expand All @@ -437,14 +444,15 @@ public function publish_guest_post() {
* Enable edit post link for post authors
*
* @since 3.4.0
* @since WPUF_SINCE Support all post types created via WPUF forms.
*
* @param array $allcaps
* @param array $caps
* @param array $args
* @param array $allcaps
* @param array $caps
* @param array $args
* @param WP_User $wp_user
*
* @return array
*/
*/
public function map_capabilities_for_post_authors( $allcaps, $caps, $args, $wp_user ) {
if (
empty( $args )
Expand All @@ -456,16 +464,25 @@ public function map_capabilities_for_post_authors( $allcaps, $caps, $args, $wp_u
return $allcaps;
}

$post_id = $args[2];
$post_id = absint( $args[2] );
$post = get_post( $post_id );

// We'll show edit link only for posts, not page, product or other post types
if ( empty( $post ) || empty( $post->post_type ) ) {
return $allcaps;
}

// Only grant cap for posts genuinely created via a WPUF form.
// Excludes arbitrary CPTs (page, product, etc.) and admin-created content.
$wpuf_form_id = absint( get_post_meta( $post_id, '_wpuf_form_id', true ) );

if ( empty( $wpuf_form_id ) ) {
return $allcaps;
}

if (
empty( $post->post_type )
|| 'post' !== $post->post_type
|| ! wpuf_validate_boolean( wpuf_get_option( 'enable_post_edit', 'wpuf_dashboard', 'yes' ) )
! wpuf_validate_boolean( wpuf_get_option( 'enable_post_edit', 'wpuf_dashboard', 'yes' ) )
|| ! $this->get_frontend_post_edit_link( $post_id )
|| absint( $post->post_author ) !== $wp_user->ID
|| absint( $post->post_author ) !== absint( $wp_user->ID )
) {
return $allcaps;
}
Expand All @@ -486,13 +503,18 @@ public function map_capabilities_for_post_authors( $allcaps, $caps, $args, $wp_u
* @return string
*/
public function get_edit_post_link( $url, $post_id ) {
// Role checks (not capabilities): only swap WP admin edit link for the WPUF
// frontend edit link when the user is a custom role (e.g. subscriber) that
// still has edit_post — standard core roles keep the admin edit link.
// phpcs:disable WordPress.WP.Capabilities.RoleFound
if (
current_user_can( 'edit_post', $post_id )
&& ! current_user_can( 'administrator' )
&& ! current_user_can( 'editor' )
&& ! current_user_can( 'author' )
&& ! current_user_can( 'contributor' )
) {
// phpcs:enable WordPress.WP.Capabilities.RoleFound
$post = get_post( $post_id );
$form_id = get_post_meta( $post_id, '_wpuf_form_id', true );

Expand Down Expand Up @@ -548,8 +570,12 @@ private function generate_auth_link() {
* @return void
*/
public function send_mail_to_admin_after_guest_mail_verified() {
// Email-verification flow: link is sent to guest's inbox; payload is validated
// via wpuf_decryption() before use — no form nonce applies.
// phpcs:disable WordPress.Security.NonceVerification.Recommended
$post_id = ! empty( $_GET['p_id'] ) ? wpuf_decryption( sanitize_text_field( wp_unslash( $_GET['p_id'] ) ) ) : 0;
$form_id = ! empty( $_GET['f_id'] ) ? wpuf_decryption( sanitize_text_field( wp_unslash( $_GET['f_id'] ) ) ) : 0;
// phpcs:enable WordPress.Security.NonceVerification.Recommended

if ( empty( $post_id ) || empty( $form_id ) ) {
return;
Expand All @@ -574,16 +600,18 @@ public function send_mail_to_admin_after_guest_mail_verified() {
return;
}

$mail_body = $this->prepare_mail_body( $this->form_settings['notification']['new_body'], $author_id, $post_id );
$mail_body = $this->prepare_mail_body( $this->form_settings['notification']['new_body'], $author_id, $post_id );
// Validate & sanitise recipient addresses before sending
$to_raw = $this->prepare_mail_body( $this->form_settings['notification']['new_to'], $author_id, $post_id );
$to = implode(
',',
array_filter(
array_map( static function ( $addr ) {
$addr = trim( $addr );
return is_email( $addr ) ? $addr : null;
}, explode( ',', $to_raw ) )
array_map(
static function ( $addr ) {
$addr = trim( $addr );
return is_email( $addr ) ? $addr : null;
}, explode( ',', $to_raw )
)
)
);
$subject = $this->prepare_mail_body( $this->form_settings['notification']['new_subject'], $author_id, $post_id );
Expand Down Expand Up @@ -680,12 +708,10 @@ public function prepare_mail_body( $content, $user_id, $post_id ) {
$meta_val = $val;
}
$is_first = false;
} else {
if ( get_post_mime_type( (int) $val ) ) {
} elseif ( get_post_mime_type( (int) $val ) ) {
$meta_val = $meta_val . ', ' . wp_get_attachment_url( $val );
} else {
$meta_val = $meta_val . ', ' . $val;
}
} else {
$meta_val = $meta_val . ', ' . $val;
}

if ( get_post_mime_type( (int) $val ) ) {
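Review bot: The author check in map_capabilities_for_post_authors, `absint( $post->post_author ) !== absint( $wp_user->ID )`, has no guard for an unauthenticated user: when `$wp_user->ID` is 0 and the post was stored with post_author 0 — which the guest-post flow edited in this same file suggests can happen, though the hunk does not show how guest posts are saved — the comparison passes and edit_post is granted to any visitor, and widening the grant from `post` to every post type carrying `_wpuf_form_id` makes that worth closing with one more clause, `|| empty( $wp_user->ID )`, ahead of the author comparison. The comment `// We'll show edit link only for posts, not page, product or other post types` on the new side no longer describes the code, which now admits any post type with a `_wpuf_form_id`; reword it to `// Bail if the post cannot be loaded; post-type scope is decided by _wpuf_form_id below`. The docblock's `@since WPUF_SINCE` reads as a build-time placeholder and should carry the real version unless release tooling substitutes it. The method's opening guard on `$args` begins outside the hunk.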
2 changes: 1 addition & 1 deletion phpcs.xml.dist
Expand Up @@ -34,7 +34,7 @@

<!-- Rules: Check PHP version compatibility -->
<!-- https://github.com/PHPCompatibility/PHPCompatibility#sniffing-your-code-for-compatibility-with-specific-php-versions -->
<config name="testVersion" value="5.6-"/>
<config name="testVersion" value="7.4-"/>
<!-- https://github.com/PHPCompatibility/PHPCompatibilityWP -->
<rule ref="PHPCompatibilityWP"/>

2 changes: 1 addition & 1 deletion readme.txt
Expand Up @@ -5,7 +5,7 @@ Tags: frontend post, user directory, membership, user profile, user registration
Requires at least: 5.0
Tested up to: 6.9.4
Stable tag: 4.3.5
Requires PHP: 5.6
Requires PHP: 7.4
License: GPLv2
License URL: https://www.gnu.org/licenses/gpl-2.0.html

2 changes: 1 addition & 1 deletion wpuf-functions.php
Expand Up @@ -86,14 +86,14 @@
*
* @param <type> $post_id
*/
function wpuf_upload_attachment( $post_id ) {

Check warning on line 89 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

The method parameter $post_id is never used
if ( ! isset( $_FILES['wpuf_post_attachments'] ) ) {

Check failure on line 90 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

Processing form data without nonce verification.
return false;
}

$fields = (int) wpuf_get_option( 'attachment_num' );

$wpuf_post_attachments = isset( $_FILES['wpuf_post_attachments'] ) ? array_map( 'sanitize_text_field', wp_unslash( $_FILES['wpuf_post_attachments'] ) ) : [];

Check failure on line 96 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

Processing form data without nonce verification.

Check failure on line 96 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

Processing form data without nonce verification.

for ( $i = 0; $i < $fields; $i++ ) {
$file_name = basename( $wpuf_post_attachments['name'][ $i ] );
Expand Down Expand Up @@ -152,7 +152,7 @@
*
* @author Tareq Hasan
*/
function wpuf_unset_media_tab( $list ) {

Check warning on line 155 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

It is recommended not to use reserved keyword "list" as function parameter name. Found: $list
if ( ! current_user_can( 'edit_posts' ) ) {
unset( $list['library'] );
unset( $list['gallery'] );
Expand Down Expand Up @@ -277,7 +277,7 @@
*
* @uses Walker
*/
class WPUF_Walker_Category_Multi extends Walker {

Check failure on line 280 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

A file should either contain function declarations or OO structure declarations, but not both. Found 148 function declaration(s) and 2 OO structure declaration(s). The first function declaration was found on line 18; the first OO declaration was found on line 280

/**
* @see Walker::$tree_type
Expand Down Expand Up @@ -330,7 +330,7 @@
*
* @since 0.8
*/
class WPUF_Walker_Category_Checklist extends Walker {

Check failure on line 333 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

Only one object structure is allowed in a file
public $tree_type = 'category';

public $db_fields = [
Expand Down Expand Up @@ -397,7 +397,7 @@
*
* @since 0.8
*/
function wpuf_category_checklist( $post_id = 0, $selected_cats = false, $attr = [], $class = null ) {

Check warning on line 400 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

It is recommended not to use reserved keyword "class" as function parameter name. Found: $class
require_once ABSPATH . '/wp-admin/includes/template.php';

$walker = new WPUF_Walker_Category_Checklist();
Expand Down Expand Up @@ -482,7 +482,7 @@

if ( ! empty( $attributes ) ) {
foreach ( $attributes as $attr ) {
$terms = get_terms(

Check failure on line 485 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

The parameter "[ 'hide_empty' => false, 'parent' => $attr, ]" at position #2 of get_terms() has been deprecated since WordPress version 4.5.0. Instead do not pass the parameter.
$field_settings['name'],
[
'hide_empty' => false,
Expand Down Expand Up @@ -715,7 +715,7 @@
*
* @return string image tag of the user avatar
*/
function wpuf_get_avatar( $avatar, $id_or_email, $size, $default, $alt, $args ) {

Check warning on line 718 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

It is recommended not to use reserved keyword "default" as function parameter name. Found: $default

Check warning on line 718 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

The method parameter $args is never used
if ( wpuf_use_default_avatar() ) {
return $avatar;
}
Expand Down Expand Up @@ -845,7 +845,7 @@
if ( $first_name && $last_name ) {
$initials = strtoupper( substr( $first_name, 0, 1 ) . substr( $last_name, 0, 1 ) );
} else {
$name = $user->display_name ?: $user->user_login;

Check failure on line 848 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

Using short ternaries is not allowed as they are rarely used correctly
$name_parts = explode( ' ', $name );

if ( count( $name_parts ) >= 2 ) {
Expand Down Expand Up @@ -906,7 +906,7 @@
$prev_avatar_path = str_replace( $upload_dir['baseurl'], $upload_dir['basedir'], $prev_avatar );

if ( file_exists( $prev_avatar_path ) ) {
unlink( $prev_avatar_path );

Check warning on line 909 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

unlink() is discouraged. Use wp_delete_file() to delete a file.
}
}

Expand Down Expand Up @@ -1041,7 +1041,7 @@
$attr['name'] = $attr['input_type'];
}

$field_value = get_post_meta( $post->ID, $attr['name'] );

Check warning on line 1044 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

When passing the $key parameter to get_post_meta(), it is recommended to also pass the $single parameter to explicitly indicate whether a single value or multiple values are expected to be returned.
$hide_label = isset( $attr['hide_field_label'] ) ? $attr['hide_field_label'] : 'no';

$return_for_no_cond = 0;
Expand All @@ -1067,7 +1067,7 @@
if ( isset( $attr['wpuf_cond']['cond_option'][ $field_key ] ) ) {
if ( is_array( $cond_field_value ) ) {
continue;
} else {

Check failure on line 1070 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

If control structure block found as the only statement within an "else" block. Use elseif instead.
if ( (string) $attr['wpuf_cond']['cond_option'][ $field_key ] !== (string) $cond_field_value ) {
$return_for_no_cond = 1;
} else {
Expand Down Expand Up @@ -1123,7 +1123,7 @@
}

$full_size = wp_get_attachment_url( $attachment_id );
$path = parse_url( $full_size, PHP_URL_PATH );

Check warning on line 1126 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

parse_url() is discouraged because of inconsistency in the output across PHP versions; use wp_parse_url() instead.
$extension = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );

if ( $thumb ) {
Expand Down Expand Up @@ -1399,7 +1399,7 @@
break;

default:
$value = get_post_meta( $post->ID, $attr['name'] );

Check warning on line 1402 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

When passing the $key parameter to get_post_meta(), it is recommended to also pass the $single parameter to explicitly indicate whether a single value or multiple values are expected to be returned.
$filter_html = apply_filters( 'wpuf_custom_field_render', '', $value, $attr, $form_settings );
$separator = ' | ';

Expand Down Expand Up @@ -1618,7 +1618,7 @@

return ob_get_clean();
} elseif ( 'repeat' === $type ) {
return implode( '; ', get_post_meta( $post->ID, $name ) );

Check warning on line 1621 in wpuf-functions.php


GitHub Actions / Run PHPCS inspection

When passing the $key parameter to get_post_meta(), it is recommended to also pass the $single parameter to explicitly indicate whether a single value or multiple values are expected to be returned.
} elseif ( 'normal' === $type ) {
return implode( ', ', get_post_meta( $post->ID, $name ) );
} else {
Expand Down Expand Up @@ -6695,7 +6695,7 @@
);
}

if ( ! current_user_can( 'edit_post', $post_id ) ) {
if ( $current_user_id !== $post_author_id && ! current_user_can( 'edit_post', $post_id ) ) {
return new WP_Error(
'wpuf_unauthorized_edit',
__( 'You are not authorized to edit this post.', 'wp-user-frontend' )
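Review bot: The new condition `$current_user_id !== $post_author_id && ! current_user_can( 'edit_post', $post_id )` lets the post author skip the capability check entirely, which creates a second, looser authorization path than map_capabilities_for_post_authors in includes/Frontend/Frontend_Form.php: that filter only grants edit_post when the post carries `_wpuf_form_id`, the `enable_post_edit` option is on and a frontend edit link exists, none of which this shortcut consults. It also short-circuits when both ids are 0 (a logged-out visitor and a post stored without an author), assuming `$current_user_id` is taken from the current user further up — the function begins outside the hunk, so I cannot confirm how either id is derived. Since the same PR already extends the capability filter to cover WPUF post authors, the simpler and safer line is to keep `if ( ! current_user_can( 'edit_post', $post_id ) ) {` alone; if the shortcut must stay, at least guard the anonymous case with `if ( empty( $current_user_id ) || ( $current_user_id !== $post_author_id && ! current_user_can( 'edit_post', $post_id ) ) ) {`.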