fields = array(
'_post_title' => array(
'prefix' => 'acf',
'name' => '_post_title',
'key' => '_post_title',
'label' => __( 'Title', 'acf' ),
'type' => 'text',
'required' => true,
),
'_post_content' => array(
'prefix' => 'acf',
'name' => '_post_content',
'key' => '_post_content',
'label' => __( 'Content', 'acf' ),
'type' => 'wysiwyg',
),
'_validate_email' => array(
'prefix' => 'acf',
'name' => '_validate_email',
'key' => '_validate_email',
'label' => __( 'Validate Email', 'acf' ),
'type' => 'text',
'value' => '',
'wrapper' => array( 'style' => 'display:none !important;' ),
),
);
return $this->fields;
}
/**
* description
*
* @type function
* @date 28/2/17
* @since 5.5.8
*
* @param $post_id (int)
* @return $post_id (int)
*/
function validate_form( $args ) {
// defaults
// Todo: Allow message and button text to be generated by CPT settings.
$args = wp_parse_args(
$args,
array(
'id' => 'acf-form',
'post_id' => false,
'new_post' => false,
'field_groups' => false,
'fields' => false,
'post_title' => false,
'post_content' => false,
'form' => true,
'form_attributes' => array(),
'return' => add_query_arg( 'updated', 'true', acf_get_current_url() ),
'html_before_fields' => '',
'html_after_fields' => '',
'submit_value' => __( 'Update', 'acf' ),
'updated_message' => __( 'Post updated', 'acf' ),
'label_placement' => 'top',
'instruction_placement' => 'label',
'field_el' => 'div',
'uploader' => 'wp',
'honeypot' => true,
'html_updated_message' => '
', // 5.5.10
'html_submit_button' => '', // 5.5.10
'html_submit_spinner' => '', // 5.5.10
'kses' => true, // 5.6.5
)
);
$args['form_attributes'] = wp_parse_args(
$args['form_attributes'],
array(
'id' => $args['id'],
'class' => 'acf-form',
'action' => '',
'method' => 'post',
)
);
// filter post_id
$args['post_id'] = acf_get_valid_post_id( $args['post_id'] );
// new post?
if ( $args['post_id'] === 'new_post' ) {
$args['new_post'] = wp_parse_args(
$args['new_post'],
array(
'post_type' => 'post',
'post_status' => 'draft',
)
);
}
// filter
$args = apply_filters( 'acf/validate_form', $args );
// return
return $args;
}
/**
* description
*
* @type function
* @date 28/2/17
* @since 5.5.8
*
* @param $post_id (int)
* @return $post_id (int)
*/
function add_form( $args = array() ) {
// validate
$args = $this->validate_form( $args );
// append
$this->forms[ $args['id'] ] = $args;
}
/**
* description
*
* @type function
* @date 28/2/17
* @since 5.5.8
*
* @param $post_id (int)
* @return $post_id (int)
*/
function get_form( $id = '' ) {
// bail early if not set
if ( ! isset( $this->forms[ $id ] ) ) {
return false;
}
// return
return $this->forms[ $id ];
}
function get_forms() {
return $this->forms;
}
/**
* This function will validate fields from the above array
*
* @type function
* @date 7/09/2016
* @since 5.4.0
*
* @param $post_id (int)
* @return $post_id (int)
*/
function validate_save_post() {
// register field if isset in $_POST
foreach ( $this->get_default_fields() as $k => $field ) {
// bail early if no in $_POST
if ( ! isset( $_POST['acf'][ $k ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Verified elsewhere.
continue;
}
// register
acf_add_local_field( $field );
}
// honeypot
if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
acf_add_validation_error( '', __( 'Spam Detected', 'acf' ) );
}
}
/**
* description
*
* @type function
* @date 7/09/2016
* @since 5.4.0
*
* @param $post_id (int)
* @return $post_id (int)
*/
function pre_save_post( $post_id, $form ) {
// vars
$save = array(
'ID' => 0,
);
// determine save data
if ( is_numeric( $post_id ) ) {
// update post
$save['ID'] = $post_id;
} elseif ( $post_id == 'new_post' ) {
// merge in new post data
$save = array_merge( $save, $form['new_post'] );
} else {
// not post
return $post_id;
}
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
// Always extract the special _post_title / _post_content fields from $_POST['acf'] so they
// cannot leak into acf_update_values() downstream, but only apply them to the post when the
// form was rendered with the corresponding option enabled (mirrors render_form()).
if ( isset( $_POST['acf']['_post_title'] ) ) {
$post_title = acf_extract_var( $_POST['acf'], '_post_title' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
if ( ! empty( $form['post_title'] ) ) {
$save['post_title'] = $post_title;
}
}
if ( isset( $_POST['acf']['_post_content'] ) ) {
$post_content = acf_extract_var( $_POST['acf'], '_post_content' ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Sanitized by WP when saved.
if ( ! empty( $form['post_content'] ) ) {
$save['post_content'] = $post_content;
}
}
// phpcs:enable WordPress.Security.NonceVerification.Missing
// honeypot
if ( ! empty( $_POST['acf']['_validate_email'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Data not used; presence indicates spam.
return false;
}
// validate
if ( count( $save ) == 1 ) {
return $post_id;
}
// save
if ( $save['ID'] ) {
wp_update_post( $save );
} else {
$post_id = wp_insert_post( $save );
}
// return
return $post_id;
}
/**
* This function will enqueue a form
*
* @type function
* @date 7/09/2016
* @since 5.4.0
*
* @param $post_id (int)
* @return $post_id (int)
*/
function enqueue_form() {
// check
$this->check_submit_form();
// load acf scripts
acf_enqueue_scripts();
}
/**
* This function will maybe submit form data
*
* @type function
* @date 3/3/17
* @since 5.5.10
*
* @param n/a
* @return n/a
*/
function check_submit_form() {
// Verify nonce.
if ( ! acf_verify_nonce( 'acf_form' ) ) {
return false;
}
// Confirm form was submit.
if ( ! isset( $_POST['_acf_form'] ) ) {
return false;
}
// Load registered form using id.
$form = $this->get_form( acf_sanitize_request_args( $_POST['_acf_form'] ) );
// Fallback to encrypted JSON.
if ( ! $form ) {
$form = json_decode( acf_decrypt( sanitize_text_field( $_POST['_acf_form'] ) ), true );
if ( ! $form ) {
return false;
}
}
$form = $this->merge_form_meta( $form );
// Run kses on all $_POST data.
if ( $form['kses'] && isset( $_POST['acf'] ) ) {
$_POST['acf'] = wp_kses_post_deep( $_POST['acf'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- False positive.
}
// Validate data and show errors.
// Todo: Return WP_Error and show above form, keeping input values.
acf_validate_save_post( true );
// Submit form.
$this->submit_form( $form );
}
/**
* This function will submit form data
*
* @type function
* @date 3/3/17
* @since 5.5.10
*
* @param n/a
* @return n/a
*/
function submit_form( $form ) {
// filter
$form = apply_filters( 'acf/pre_submit_form', $form );
// vars
$post_id = acf_maybe_get( $form, 'post_id', 0 );
// add global for backwards compatibility
$GLOBALS['acf_form'] = $form;
// allow for custom save
$post_id = apply_filters( 'acf/pre_save_post', $post_id, $form );
// Restrict $_POST['acf'] to the field keys the form actually exposed, so the
// save path cannot accept values for fields the form did not render.
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Verified in check_submit_form().
if ( isset( $_POST['acf'] ) && is_array( $_POST['acf'] ) ) {
$allowed_keys = $this->get_allowed_field_keys( $form );
$_POST['acf'] = array_intersect_key( $_POST['acf'], array_flip( $allowed_keys ) ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash -- Sanitized downstream; save pipeline expects slashed input.
}
// phpcs:enable WordPress.Security.NonceVerification.Missing
// save
acf_save_post( $post_id );
// restore form (potentially modified)
$form = $GLOBALS['acf_form'];
// action
do_action( 'acf/submit_form', $form, $post_id );
// vars
$return = acf_maybe_get( $form, 'return', '' );
// redirect
if ( $return ) {
// update %placeholders%
$return = str_replace( '%post_id%', $post_id, $return );
$return = str_replace( '%post_url%', get_permalink( $post_id ), $return );
// redirect
wp_redirect( $return ); //phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect -- unsafe redirects allowed.
exit;
}
}
/**
* Returns the per-request render ID, generating one if necessary.
*
* @since 6.8.4
*
* @return string
*/
protected function get_render_id(): string {
if ( $this->render_id === null ) {
$this->render_id = wp_generate_uuid4();
}
return $this->render_id;
}
/**
* Folds metadata from `_acf_form_meta[]` inputs into the primary form
* configuration so the multi-`acf_form()`-in-one-outer-`
form_front = new acf_form_front();
endif; // class_exists check
/**
* Functions
*
* alias of acf()->form->functions
*
* @type function
* @date 11/06/2014
* @since 5.0.0
*
* @param n/a
* @return n/a
*/
function acf_form_head() {
acf()->form_front->enqueue_form();
}
function acf_form( $args = array() ) {
acf()->form_front->render_form( $args );
}
function acf_get_form( $id = '' ) {
return acf()->form_front->get_form( $id );
}
function acf_get_forms() {
return acf()->form_front->get_forms();
}
function acf_register_form( $args ) {
acf()->form_front->add_form( $args );
}
?>