Subscribers (Users) are able to create Chargeable Events for free via admin panel.
Hi,
I found a security issue with the Vantage Theme.
Users who have the "subscriber" role are able to create events via the "wp-admin" section. I'm aware that Vantage does not have any links on the front end which navigate the user to the "wp-admin" page, but it can still be accessed by typing in the URL "http://www.yoursite.com/wp-admin".
I'm sort of OK with a user or "trouble maker" with the Subscriber role having access to the "wp-admin", but I'm not OK with them creating events through WordPress's admin panel.
E.g.:
For Listings, when a user clicks the "Add New" button in the WordPress Listings admin panel, they are redirected to the /create-listing/ page on the front end. This is excellent!
http://www.yoursite.com/wp-admin/pos...t_type=listing --> http://www.yoursite.com/create-listing/
However, for Events, if they click the "Add New" button they are shown the "post-new.php?post_type=event" page. Can it be so that we can redirect the user to http://www.yoursite.com/create-event/ instead?
Or better yet, for any user who has the subscriber role, can we redirect them from "wp-admin" to their dashboard - http://www.yoursite.com/dashboard/
Sam
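
One way to get the redirect requested above, as an added example that is not part of the original post or of the Vantage theme's own code. It assumes the front-end dashboard is at /dashboard/ as in the post; the function name is hypothetical.

```php
<?php
// Added example: place in a child theme's functions.php or a small plugin.
// Assumption: the front-end dashboard lives at /dashboard/, as in the post.

add_action( 'admin_init', 'example_keep_subscribers_out_of_admin' );

/**
 * Send subscriber-only accounts from any wp-admin screen
 * (including post-new.php?post_type=event) to the front-end dashboard.
 */
function example_keep_subscribers_out_of_admin() {
	// admin-ajax.php also fires admin_init; front-end forms may rely on it.
	if ( wp_doing_ajax() ) {
		return;
	}

	$user = wp_get_current_user();
	if ( ! $user->exists() ) {
		return; // Not logged in: core already sends the visitor to the login page.
	}

	// Act only on accounts whose sole role is "subscriber", so a user who
	// also holds a higher role is not locked out of the admin panel.
	if ( array( 'subscriber' ) !== array_values( (array) $user->roles ) ) {
		return;
	}

	// Redirect and stop, so the admin screen never renders or processes the request.
	wp_safe_redirect( home_url( '/dashboard/' ) );
	exit;
}
```

The hook covers requests that pass through wp-admin only. The capabilities attached to the event post type still decide who may create events, so they are worth checking as well.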