About the `secret` shortcode attribute

With WordPress shortcodes used to display Gravity Forms data, there's a risk that unauthorized users may guess feed IDs, gaining access to data they shouldn't see. In environments where users have varying levels of access and permissions, additional security is needed.

The need for the secret attribute

We introduced the secret attribute to mitigate unauthorized access risks. By requiring a secret key that is only known to users with the capability to create or edit feeds, we add an additional layer of security. This is a type of password that prevents unauthorized users from guessing the feed ID and accessing potentially sensitive feed data.

Implementation details

If the feed is secured, and the secret used in a shortcode or block does not match the feed settings, the shortcode will not be displayed.

This functionality requires modifications to both the shortcode handling mechanism and the feed data access control logic. It involves:

  1. Extending the shortcode definition to include the secret attribute.
  2. Implementing a capability check within the shortcode rendering function to verify if the user has the required permissions.
  3. Ensuring that the secret key is securely generated and managed, ideally being unique to each feed and difficult to guess.
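As an added illustration of these three steps (example code, not GravityKit's own implementation), here is how a WordPress shortcode handler can generate a per-feed secret, compare the `secret` attribute against the feed settings, and render nothing on a mismatch. The `get_feed_settings()` helper, the `example_feed` shortcode name and the `edit_feeds` capability are assumed placeholders.

```php
<?php
// Added illustration, not GravityKit's code. Assumes a hypothetical
// get_feed_settings( $feed_id ) helper returning an array with keys
// 'secure' (bool), 'secret' (string) and 'content' (string).

// Generate a per-feed secret when a feed is created or secured: 128 bits
// from the CSPRNG, hex encoded, so it cannot be guessed like a numeric ID.
function example_generate_feed_secret() {
    return bin2hex( random_bytes( 16 ) );
}

// Only users allowed to edit feeds get to see the secret in the feed editor,
// so presenting it in a shortcode implies the embedder held that capability.
// 'edit_feeds' is a placeholder capability name, not the plugin's real one.
function example_user_may_see_secret() {
    return current_user_can( 'edit_feeds' );
}

// Returns true only if the feed is unsecured or the supplied secret matches.
function example_feed_access_allowed( array $settings, $supplied_secret ) {
    if ( empty( $settings['secure'] ) ) {
        return true; // legacy feed: existing embeds keep working unchanged
    }
    if ( ! is_string( $supplied_secret ) || '' === $supplied_secret ) {
        return false; // secured feed embedded without the new attribute
    }
    // Constant-time comparison so a mismatch does not leak how many
    // leading characters were correct.
    return hash_equals( (string) $settings['secret'], $supplied_secret );
}

// Shortcode handler: [example_feed id="12" secret="..."]
function example_feed_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => 0, 'secret' => '' ),
        $atts,
        'example_feed'
    );
    $settings = get_feed_settings( absint( $atts['id'] ) ); // hypothetical helper

    if ( ! $settings ) {
        return '';
    }
    if ( ! example_feed_access_allowed( $settings, (string) $atts['secret'] ) ) {
        return ''; // render nothing rather than an error confirming the ID exists
    }
    return $settings['content'];
}
add_shortcode( 'example_feed', 'example_feed_shortcode' );
```

The empty return on mismatch is what makes an existing embed of a newly secured feed stop rendering until its shortcode is updated with the secret.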

Transitioning to secure shortcodes

With the introduction of the secret attribute to shortcodes, we aim to bolster security without disrupting existing functionality. Here's a concise overview of how we're handling this transition:

  • Current Shortcodes Unchanged: Existing shortcodes will continue to operate as before, ensuring no immediate impact on your content.
  • Security by Default for New Feeds: For new feeds, the secret attribute will be enabled by default, automatically enhancing security by restricting access based on user capabilities.
  • Opt-in for Enhanced Security: Existing feeds can opt into this enhanced security feature by enabling the "Enable security" setting. Once enabled, all existing embeds of the shortcode or block will stop working until they are updated with the new shortcode. This process is manual.
Screenshot: Security enabled for a GravityCalendar feed.

Conclusion

The introduction of the secret attribute to our shortcode implementation reflects our commitment to continually improving security. It ensures that sensitive feed data is only accessible to users with the appropriate permissions, thereby protecting the data from unauthorized access.
