
Bug when deleting a post field

  1. Steve
    Member

    A nasty one too.

    This is what I did to make it occur: Created a form with both an upload and a post field. Assigned the form a category to post to and a "post status" of published. Made a simple "post content template". Saved the form and inserted it into a page. Tested it, works fine - it creates a post with a download link to the file I uploaded.

    Now comes the problem. I changed my mind about the post field and deleted it from the form. So now, logically, it should still upload the file but not create a post. What it did was completely replace the Page with the information from the (now deleted) post template. It also renamed the Page with the name of the post. The real scary part was it did this if I was logged in as admin or not logged in at all. So it gave admin privileges to a user with no credentials at all.

    I'm no expert in WordPress but this does not seem like something that should be able to occur, accident or not.

    I managed to fix the form by re-adding the post field (which magically still contained the post template field info) then deleting the template info, saving the form and then re-deleting the post field.

    Is there a security issue I'm missing here...a setting I overlooked?

    Posted 13 years ago on Saturday October 2, 2010 | Permalink
  2. I'm unable to replicate this issue. I can add Post Title, Post Body and File Upload fields to my form just fine without a problem and delete the Post Title and Post Body fields.

    One question I had is what type of File Upload field are you using? The File Upload field from the Advanced Fields or the File Upload field type on the Post Custom Field?

    If you are using the Post Custom Field you have to have a Post Body or Post Title on your form for it to work properly. Otherwise it won't know what to do because it has no Post to attach the Custom Field data to. A Post Body or Post Title field are required for a Post to be created.

    What you described is fairly confusing, so I would need to know EXACTLY what steps you took (step by step) in order to do further debugging. Gravity Forms itself cannot grant users admin privileges to your site, it has no code in place that gives users any kind of privileges so something else is going on. It's possible that while you think you are logged out, your browser cookies are still keeping you logged in.

    I can tell you why the Post Content Template is retained even after you delete and re-add the Post Body field, this is currently by design. The Post Content Template is stored with the form, not the field. So if you delete and re-add the field (by accident, etc.) you don't lose this configuration.

    What exactly are you trying to accomplish? It seems kinda strange to be going back and forth on having the form create a post or not. Usually it's pretty cut and dry... either the form needs to create a post or it does not.

    Posted 13 years ago on Monday October 4, 2010 | Permalink
  3. Steve
    Member

    Thanks for replying Carl.
    To answer your questions:
    I used the Advanced Fields - File Upload (I didn't even notice the other one was there). Is this where I went wrong?
    My intention was this: I have two fairly long forms to create, both identical except for the File Upload fields and the Post fields. So I built a form with File Uploads and Post fields first, duplicated it, then deleted the fields I didn't need.
    As for the cookies theory, that's what I thought at first, so I tested it. I visited the site in Chrome, a browser I never logged into the site with before, and it still did the same thing.
    I would have chalked this up as a plug-in conflict the first time it happened because the site I was working on had a lot going on, but the second time it happened was on a site with no other plug-ins and a modified version of the Twenty Ten theme.
    I'm working locally on my Mac using MAMP. Could this have something to do with it? If I'm "root" maybe WordPress is ignoring the privileges settings?
    I'll try it on a "real" web server later today if I can find the time.
    Cheers.

    Posted 13 years ago on Monday October 4, 2010 | Permalink
  4. It's possible it is something with your local MAMP configuration. I'm unable to reproduce the issue you described above. If you are able to recreate it on a live server then we would need to know the EXACT steps you went through to get it to do that in order to recreate the issue exactly as you have. But doing what you described above I wasn't able to reproduce the problem.

    Posted 13 years ago on Monday October 4, 2010 | Permalink
  5. Steve
    Member

    Hi Carl
    I have set up a test form on a live server and it is behaving the same way.
    If you wish you can send me an email and I'll send you a URL and log-in credentials.

    The exact steps are:
    1. Add new form
    2. Name the form - everything else is left default
    3. Add an Upload field
    4. Add a Post body field
    5. Edit Upload field and change the name to Upload File and the admin label to upload_file - all else is default
    6. Edit the Post field: change the Post status to "Published" change Default Post Author to "Unregistered" (this is a User set up with "no roles for this site")
    7. Change the Post Category to "test"
    8. Check "Create Post content template"
    9. Insert "Form Title" in the content template with the drop down menu
    10. At this point the upload_file label doesn't show up in the drop down yet so you have to save the form
    11. Edit the Post body-Post content template and choose "upload_file"
    12. Change the visibility of the Post Body to "Admin Only"
    13. Save the form
    14. Place the form in a page - un-check all (Ajax etc.)
    15. Navigate to the page and upload a file - works as expected
    16. Go back to form and delete the Post Body field
    17. Navigate back to the page and upload a file - now the contents of the page have been obliterated
    18. Refresh the page by clicking in the URL field of your browser and you will see the change is permanent.

    Posted 13 years ago on Monday October 4, 2010 | Permalink
  6. Unable to reproduce it following the steps you provided above. Form works as intended with or without the Post Body field present. Form submits properly and creates an entry with the file that is uploaded.

    We would need access to your site to take a look and then reproduce it on your site as following these steps doesn't cause the issue to happen on our end or on our test site.

    You can send this information to us via our Contact Us form. We would need a WordPress admin login for the site as well as FTP access to the site in case we have to do some debugging.

    One thing I wasn't able to test 100% exactly was this:

    "Edit the Post field: change the Post status to "Published" change Default Post Author to "Unregistered" (this is a User set up with "no roles for this site")"

    I don't know what a user set up with "no roles for this site" is. A user has to have one of the WordPress roles applied to it and there isn't a "no roles for this site" role. There is Subscriber, and that is what I used in my test as that's the lowest role available. This could have something to do with it as you didn't specify a legit role that exists in WordPress.

    Posted 13 years ago on Monday October 4, 2010 | Permalink