Subscriber able to export Events RSVP

Hi. Please see screenshot - it's of a logged in Subscriber. They're not able to edit or delete Events they did not create (which is a good thing) BUT they are able to click on export - to export all the details of people who have RSVP'd. How can I disable this please? Thanks!

  • Vaughan

    Hi SAPeople

    Hope you're well?

    I can confirm this on my own site.

    It's not quite a bug, but more of an oversight perhaps.

    To fix this, you will need to edit the plugin code.

    Open up & edit the following file:

    /wp-content/plugins/events-and-bookings/events-and-bookings.php

    Find the following on or around lines 1301 - 1304

    echo ' ';
    				echo '<a class="button" href="' . admin_url('index.php?eab_export=attendees&event_id='. $event->get_id()) . '" class="eab-export_attendees">' .
    					__('Export', self::TEXT_DOMAIN) .
    				'</a>';

    Replace with:

    $post_type_object = get_post_type_object($post->post_type);
                    if(current_user_can($post_type_object->cap->edit_post, $event->get_id()) && 'trash' != $post->post_status) {
    				echo ' ';
    				echo '<a class="button" href="' . admin_url('index.php?eab_export=attendees&event_id='. $event->get_id()) . '" class="eab-export_attendees">' .
    					__('Export', self::TEXT_DOMAIN) .
    				'</a>';
                    }

    Hopefully now, only those with edit permissions for that event will see the export button.

    Please be aware, that you will need to make these changes again whenever the plugin is updated. I have added this to the features list though for the developers to consider in a future update.

    Hope this helps