Allowing users to delete entries when using a Magic Link

By default, GravityView restricts certain capabilities to logged-in users. However, in some cases, you may want to let logged-out users perform actions: deleting their own entries when accessing a View through a Magic Link.

The gravityview/capabilities/allow_logged_out filter makes this possible. It gives you a way to override GravityView’s standard capability checks and selectively grant permissions to logged-out users when specific conditions are met, such as when Magic Link parameters are present.

Allow Magic Link users to delete their own entries. #

Add this snippet to allow Magic Link users to delete the entry as well. Here’s how to add this code.

/**
 * Filter whether logged-out users are allowed to perform certain GravityView capabilities.
 *
 * This filter allows users without an authenticated session to perform specific
 * delete-related actions when using Magic Links. Magic Links require the `gv_magic`
 * and `gv_email` URL parameters to be set, and the View must have Magic Links
 * enabled with user deletion allowed.
 *
 * @since 1.0.0
 *
 * @param bool       $allow_logged_out Whether logged-out users are currently allowed to perform the capability.
 * @param string[]   $caps_to_check    The list of capabilities being checked.
 * @param int|string $object_id        The object ID being checked against. May be empty.
 * @param int        $user_id          The user ID being checked. May be `0` for logged-out users.
 *
 * @return bool Whether logged-out users should be allowed to perform the capability.
 */
add_filter(
	'gravityview/capabilities/allow_logged_out',
	function( $allow_logged_out, $caps_to_check, $object_id, $user_id ) {
		// If already allowed, don't override.
		if ( $allow_logged_out ) {
			return $allow_logged_out;
		}

		// Check if we have magic link parameters.
		if ( ! isset( $_GET['gv_magic'] ) || ! isset( $_GET['gv_email'] ) ) {
			return $allow_logged_out;
		}

		// Check if this is a delete-related capability check.
		$delete_caps     = [ 'gravityforms_delete_entries', 'gravityview_delete_others_entries', 'read' ];
		$is_delete_check = false;

		foreach ( (array) $caps_to_check as $cap ) {
			if ( in_array( $cap, $delete_caps, true ) ) {
				$is_delete_check = true;
				break;
			}
		}

		if ( ! $is_delete_check ) {
			return $allow_logged_out;
		}

		// Get the view ID.
		$view_id = isset( $_GET['view_id'] ) ? absint( $_GET['view_id'] ) : 0;
		if ( ! $view_id && isset( $_GET['gvid'] ) ) {
			$view_id = absint( $_GET['gvid'] );
		}

		// If we're in a GravityView context, try to get view ID from there.
		if ( ! $view_id && function_exists( 'gravityview' ) && gravityview()->request ) {
			$view_id = gravityview()->request->is_view();
		}

		if ( $view_id ) {
			// Check if Magic Links is enabled for this View.
			$view = \GV\View::by_id( $view_id );
			if ( $view && ! empty( $view->settings->get( 'magic_link_enable' ) ) && ! empty( $view->settings->get( 'user_delete' ) ) ) {
				return true;
			}
		}

		return $allow_logged_out;
	},
	10,
	4
);

/**
 * Filter whether logged-out users are allowed to perform certain GravityView capabilities.
 *
 * This filter allows users without an authenticated session to perform specific
 * delete-related actions when using Magic Links. Magic Links require the `gv_magic`
 * and `gv_email` URL parameters to be set, and the View must have Magic Links
 * enabled with user deletion allowed.
 *
 * @since 1.0.0
 *
 * @param bool       $allow_logged_out Whether logged-out users are currently allowed to perform the capability.
 * @param string[]   $caps_to_check    The list of capabilities being checked.
 * @param int|string $object_id        The object ID being checked against. May be empty.
 * @param int        $user_id          The user ID being checked. May be `0` for logged-out users.
 *
 * @return bool Whether logged-out users should be allowed to perform the capability.
 */
add_filter(
	'gravityview/capabilities/allow_logged_out',
	function( $allow_logged_out, $caps_to_check, $object_id, $user_id ) {
		// If already allowed, don't override.
		if ( $allow_logged_out ) {
			return $allow_logged_out;
		}

		// Check if we have magic link parameters.
		if ( ! isset( $_GET['gv_magic'] ) || ! isset( $_GET['gv_email'] ) ) {
			return $allow_logged_out;
		}

		// Check if this is a delete-related capability check.
		$delete_caps     = [ 'gravityforms_delete_entries', 'gravityview_delete_others_entries', 'read' ];
		$is_delete_check = false;

		foreach ( (array) $caps_to_check as $cap ) {
			if ( in_array( $cap, $delete_caps, true ) ) {
				$is_delete_check = true;
				break;
			}
		}

		if ( ! $is_delete_check ) {
			return $allow_logged_out;
		}

		// Get the view ID.
		$view_id = isset( $_GET['view_id'] ) ? absint( $_GET['view_id'] ) : 0;
		if ( ! $view_id && isset( $_GET['gvid'] ) ) {
			$view_id = absint( $_GET['gvid'] );
		}

		// If we're in a GravityView context, try to get view ID from there.
		if ( ! $view_id && function_exists( 'gravityview' ) && gravityview()->request ) {
			$view_id = gravityview()->request->is_view();
		}

		if ( $view_id ) {
			// Check if Magic Links is enabled for this View.
			$view = \GV\View::by_id( $view_id );
			if ( $view && ! empty( $view->settings->get( 'magic_link_enable' ) ) && ! empty( $view->settings->get( 'user_delete' ) ) ) {
				return true;
			}
		}

		return $allow_logged_out;
	},
	10,
	4
);

Allowing users to delete entries when using a Magic Link

Allow Magic Link users to delete their own entries. #

How can we help?

Was this page helpful?