Latest Update lets no one but Admin see submissions
-
Hi guys,
Since updating to 3.6.2 no one but admin can load submissions (submissions page loads, but loader just turning when selecting a form).
I’m not sure if it was 3.6.2 or 3.6.1 that broke this, but I rolled back to 3.6.0 and roles other than Administrator can load submissions again.
Can you please check into this?
Thanks!
-
The developer documentation has been updated to reflect the updated filters needed to grant users other than Administrators access to the submissions section. https://developer.ninjaforms.com/codex/submission-permissions/
Will this now allow other users to download the form submissions as well?
Because I know this was a problem previously. (That’s why I used Permissions Editor for Ninja Forms up to now)
And can I copy and paste that code directly into a snippet from the Code Snippets plugin?
Or can I define a capability like nf_subs using Publishpress Permissions and use that instead of edit_posts and delete_others_posts?
I’m sorry for the questions, but I really am not a coder.
- This reply was modified 3 years, 1 month ago by whereverpanda.
So ultimately I’ll have two code snippets right?
This
<?php
// Must use all three filters for this to work properly.
add_filter( 'ninja_forms_admin_parent_menu_capabilities', 'nf_subs_capabilities' ); // Parent Menu
add_filter( 'ninja_forms_admin_all_forms_capabilities', 'nf_subs_capabilities' ); // Forms Submenu
add_filter( 'ninja_forms_admin_submissions_capabilities', 'nf_subs_capabilities' ); // Submissions Submenu

function nf_subs_capabilities( $cap ) {
    return 'nf_subs'; // EDIT: User Capability
}
and this:
<?php
/**
 * Filter hook used in the API route permission callback to retrieve submissions
 *
 * return bool as for authorized or not.
 */
add_filter( 'ninja_forms_api_allow_get_submissions', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_delete_submissions', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_update_submission', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_handle_extra_submission', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_email_action', 'nf_define_permission_level', 10, 2 );

function nf_define_permission_level() {
    $allowed = \current_user_can("nf_subs");
    return $allowed;
});
Or does the last one need to be delete_others_posts?
And again, will this allow non-admins to download/export the submissions?
Sorry for all the questions, but I’m really a bit out of my depth.
Thanks!
- This reply was modified 3 years, 1 month ago by whereverpanda.
One more thing, when adding the last piece of code (as is from your documentation), code snippets gives the error ‘e is undefined’.
Is there perhaps an error in the code?
EDIT:
When trying to save the snippet I get this:
The code snippet you are trying to save produced a fatal error on line 17:
syntax error, unexpected ‘)’, expecting end of file
- This reply was modified 3 years, 1 month ago by whereverpanda.
Update:
So I removed the last bracket from the last line of the new snippet of code. It removes the error in the Code Snippets plugin, and allows me to activate, but it still did not work. In the Code Snippets plugin, it has to be set to
‘Run snippet everywhere’
then it works.
It allows the user with a capability (access_forms) I created in Publishpress Permissions to view the submissions page. It also allows the user to download the submissions.
However, clicking on the Ninja Forms dashboard, and clicking on the cog on the form and then on ‘View Submissions’, it gives an error page (Sorry, you are not allowed to access this page.) This is still an issue.
// Must use all three filters for this to work properly.
add_filter( 'ninja_forms_admin_parent_menu_capabilities', 'nf_subs_capabilities' ); // Parent Menu
add_filter( 'ninja_forms_admin_all_forms_capabilities', 'nf_subs_capabilities' ); // Forms Submenu
add_filter( 'ninja_forms_admin_submissions_capabilities', 'nf_subs_capabilities' ); // Submissions Submenu

function nf_subs_capabilities( $cap ) {
    return 'access_forms'; // EDIT: User Capability
}

/**
 * Filter hook used in the API route permission callback to retrieve submissions
 *
 * return bool as for authorized or not.
 */
add_filter( 'ninja_forms_api_allow_get_submissions', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_delete_submissions', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_update_submission', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_handle_extra_submission', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_email_action', 'nf_define_permission_level', 10, 2 );

function nf_define_permission_level() {
    $allowed = \current_user_can("access_forms");
    return $allowed;
};
Please note the company I work with do have licenses, but I feel this is a basic thing that needs to be made as clear as possible and Ninja Forms’ permissions/capabilities are very unclear (unlike Caldera Forms which we are soon having to switch from on a site with 15+ forms, which has per form capability settings, which would be an amazing feature to see).
Will you PLEASE check my code to see if I did something wrong (security wise etc) and if it is correct, please update your code in your documentation.
Last question, will per form permission be something we can ever see in Ninja Forms?
Thanks!
- This reply was modified 3 years, 1 month ago by whereverpanda.
Same problem as @whereverpanda
Had to remove the bracket otherwise the site went down. After this editors can now see the submission page and select a form. But the page hangs. Have had to make a client an administrator to see submissions.
Hi,
I apologize, we had an extra ) in the snippet. We’ll get that updated. Here is the corrected code
function nf_define_permission_level() {
    $allowed = \current_user_can("nf_subs");
    return $allowed;
};
- This reply was modified 3 years, 1 month ago by Stuart Sequeira.
Hi there,
Thanks for that
So just to double check – is my code correct for user with capability access_forms and can it be used on a production site?
Thanks
- This reply was modified 3 years, 1 month ago by whereverpanda.
I implemented the code as follows on a client’s site and it does seem to work.
Will you please double check this code and confirm and let me know that it’s correct and secure? I think this will be of use to the entire community. It’s for users with the capability access_forms:
// Must use all three filters for this to work properly.
add_filter( 'ninja_forms_admin_parent_menu_capabilities', 'nf_subs_capabilities' ); // Parent Menu
add_filter( 'ninja_forms_admin_all_forms_capabilities', 'nf_subs_capabilities' ); // Forms Submenu
add_filter( 'ninja_forms_admin_submissions_capabilities', 'nf_subs_capabilities' ); // Submissions Submenu

function nf_subs_capabilities( $cap ) {
    return 'access_forms'; // EDIT: User Capability
}

/**
 * Filter hook used in the API route permission callback to retrieve submissions
 *
 * return bool as for authorized or not.
 */
add_filter( 'ninja_forms_api_allow_get_submissions', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_delete_submissions', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_update_submission', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_handle_extra_submission', 'nf_define_permission_level', 10, 2 );
add_filter( 'ninja_forms_api_allow_email_action', 'nf_define_permission_level', 10, 2 );

function nf_define_permission_level() {
    $allowed = \current_user_can("access_forms");
    return $allowed;
};
Thank you!
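A least-privilege variant of the snippet in the post above, added here as an example; it is not code from any participant in this thread or from the Ninja Forms documentation. It uses only the filter names quoted in the thread and separates viewing submissions from changing them. Assumptions: `manage_form_submissions` is a hypothetical second capability, the split of hooks into read and write is a guess from their names, and the first argument each permission filter receives is the incoming decision, as with any WordPress filter.

```php
<?php
// Added example: separate capabilities for viewing and for changing submissions.
// 'access_forms' is the capability used in the thread; the write capability
// name below is hypothetical and must be granted to a role separately.
const NF_EXAMPLE_READ_CAP  = 'access_forms';
const NF_EXAMPLE_WRITE_CAP = 'manage_form_submissions'; // hypothetical name

// Menu visibility: these three filters return a capability name (a string).
foreach ( array(
    'ninja_forms_admin_parent_menu_capabilities',
    'ninja_forms_admin_all_forms_capabilities',
    'ninja_forms_admin_submissions_capabilities',
) as $hook ) {
    add_filter( $hook, 'nf_example_menu_capability' );
}

function nf_example_menu_capability( $cap ) {
    return NF_EXAMPLE_READ_CAP;
}

// REST permission filters return a bool. Reading needs only the read capability.
add_filter( 'ninja_forms_api_allow_get_submissions', 'nf_example_allow_read', 10, 1 );

function nf_example_allow_read( $allowed ) {
    // Keep an earlier "yes" from core or another plugin; otherwise check the capability.
    return (bool) $allowed || current_user_can( NF_EXAMPLE_READ_CAP );
}

// Assumption: these hooks guard actions that change or send data. Move a hook
// to the read filter above if a read-only role turns out to need it.
foreach ( array(
    'ninja_forms_api_allow_delete_submissions',
    'ninja_forms_api_allow_update_submission',
    'ninja_forms_api_allow_handle_extra_submission',
    'ninja_forms_api_allow_email_action',
) as $hook ) {
    add_filter( $hook, 'nf_example_allow_write', 10, 1 );
}

function nf_example_allow_write( $allowed ) {
    return (bool) $allowed || current_user_can( NF_EXAMPLE_WRITE_CAP );
}
```

As with the snippet in the thread, this has to load on REST requests as well as admin pages, which is why the Code Snippets setting "Run snippet everywhere" mattered earlier.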
The problem is that as of Ninja Forms > 3.6.1, they’ve moved away from using the WordPress Posts Editor (for the custom nf_sub post type) in favor of a new custom admin page for the submissions — and somehow neglected to detail this in the release notes.
For example, the old submissions page/editor was found at the url of /wp-admin/edit.php?post_type=nf_sub (initial page for listing all forms) OR /wp-admin/edit.php?post_status=all&post_type=nf_sub&form_id=#&nf_form_filter&paged=1 for a specific form (where # in the url is the ID related to the form)
This update now utilizes a custom admin page at the URL of /wp-admin/admin.php?page=nf-submissions (initial page for listing all forms) OR /wp-admin/admin.php?page=nf-submissions&form_id=# for a specific form.
Note that this new custom admin page for Ninja Forms Submissions actually utilizes ninja-forms-submissions/submissions/get REST API endpoint for populating this page with submission data, and the default requirements for accessing this endpoint rely on the user’s assigned role having the manage_options permission.
You can, however, override this behavior by use of some new filters, as you’ve mentioned above or as per: https://gist.github.com/New0/06d5b7664a8cfbb256a13bc68de0aa98#gistcomment-3931738
You could also install the User Role Editor plugin and modify whatever role you need to have this manage_options permission:
Another issue I ran into was that some custom metaboxes that I’ve added to the submissions post editor (via add_meta_boxes actions) no longer work, due to the WordPress post editor no longer being utilized, and instead submissions are being loaded in a custom “popup modal” editor — I’m developing my own workaround for this currently, which is a bit “hacky” to say the least, but is the only way I can figure out how to do so unless a developer for Ninja Forms can shed light on how to customize the submission “modals” under this new admin page.
Hopefully this helps! It certainly threw me off last week and has taken me several days to adapt to this latest update of Ninja Forms (with development still ongoing) — after almost 5 years of it functioning great without any of these issues prior to this!
I would just like to say to the developers that changes of this magnitude should always be detailed in the release notes, so that users aren’t left scratching their heads as to why nothing is functional like it was prior to the latest update.
@ouija Thank you for your support in this matter as well – I thought I was being a bit stupid by thinking this was a minor change and I was being a bit thick.
I noticed that the individual forms’ submission pages moved to /wp-admin/admin.php?page=nf-submissions&form_id=# which at least means I can send a user to a specific form using a URL which is needed when you don’t want users to see all forms and you don’t have per form access.
I really hope this is something they stick to and as you mentioned, inform users about in the release notes if something of this scale changes. I’m not a coder AT ALL so I generally rely on plugins and their stability, so hopefully this was an oversight on their part.
@stuartsequeira @jmcelhaney Can you please confirm that my code in my previous reply is correct? (here). It is working, but it is live on a client’s site and I need to know it’s secure.
Thank you!
@whereverpanda Yes, I checked that code to ensure it is correct.
@ouija You are right; I didn’t do a good enough job of letting developers and other site maintainers know about this change. We are dedicating this week to correcting such oversights and I’ll get working on some documentation. I do have some snippets and a class structure to display the metaboxes and will provide that. My apologies for the grief the rollout has caused you.
@stuartsequeira Thank you very much, Stuart!
@stuartsequeira All good! Documentation is a dev’s worst nightmare, and being one myself I can understand the oversight.
I look forward to seeing methods on how to add metaboxes to this new submissions page and the actual modals themselves; The method I’ve devised works but I’m not a huge fan of how I’m actually achieving this, so seeing how you’d suggest to go about this would be helpful.
Thanks!
@ouija There is now a topic called ‘Adding Metaboxes’ under the ‘Developing Add-Ons’
If there is anything that needs clarification, please reach out and I’d be happy to provide guidance and also update the documentation for everyone’s benefit.
- The topic ‘Latest Update lets no one but Admin see submissions’ is closed to new replies.