Preserving Magic Links parameters on password-protected Views

When you protect a GravityView View with a password, WordPress displays its own password form before granting access. By default, this form does not keep URL parameters. That means if you share a Magic Link (for example, using gvid, gv_magic, gv_email, or edit parameters), those values are lost when the password form is submitted .

This guide explains how to add a code snippet that carries the Magic Link parameters through the password form so they remain available after the View is unlocked.

Why this is needed

Magic Links rely on URL parameters to identify and authenticate a specific entry or user.

If a View is password-protected, the user first sees WordPress’s password form. Without adjustments, the form submission drops those parameters — breaking Magic Link functionality.

Solution: add hidden inputs

We can use the the_password_form  filter in WordPress to insert hidden input fields into the password form. These fields capture the Magic Link parameters and send them along with the form submission.

Add the following snippet to your theme’s functions.php file or a custom functionality plugin:

<?php
/**
 * Preserve allow-listed URL parameters through password form redirect.
 *
 * This modifies the default WordPress password form (`the_password_form`) to add a
 * hidden `_wp_http_referer` input containing the current URL rebuilt with only the
 * allow-listed parameters. Since core redirects using `wp_safe_redirect( wp_get_referer() )`
 * and `wp_get_referer()` prefers `_wp_http_referer`, this ensures redirect includes
 * the parameters you care about.
 *
 * Allow-listed params:
 * - edit
 * - gvid
 * - gv_magic
 * - gv_email
 *
 * @since 1.0.0
 *
 * @param string $output The password form HTML output.
 * @return string Modified password form output with `_wp_http_referer` injected, or original output.
 */
add_filter( 'the_password_form', function( $output ) {
	$allow_list = [ 'edit', 'gvid', 'gv_magic', 'gv_email' ];

	// Pull only the allow-listed params that are present.
	$params = array_intersect_key( wp_unslash( $_GET ), array_flip( $allow_list ) );

	// Return early if none of the allow-listed parameters are set.
	if ( empty( $params ) ) {
		return $output;
	}

	// Build a referer URL pointing back to this page with just the allow-listed params.
	$referer_url  = add_query_arg( $params, site_url( $_SERVER['REQUEST_URI'] ) );

	$hidden_input = sprintf(
		'<input type="hidden" name="_wp_http_referer" value="%s" />' . "\n",
		esc_attr( $referer_url )
	);

	// Inject the hidden referer field before the closing </form>.
	return str_replace( '</form>', $hidden_input . '</form>', $output );
} );

Here's how to add code samples to your site.

How it works

  1. WordPress generates the password form when a protected post or View is loaded.
  2. The filter runs and adds hidden input fields for any supported parameters found in the URL.
  3. When the form is submitted, those parameters are preserved and passed along.
  4. GravityView then continues processing the Magic Link as intended.

✅ With this snippet in place, you can use Magic Links with password-protected Views; users will not lose access after entering the password.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us