How to securely show an edit button only to the listing creator? Answered
Hey everyone, I'm struggling to find a solution for this one problem.
Users can post listings on the website, and I need them to be able to edit them. I need a way to have a button that opens a form to edit it, but it can only be seen by the creator of the listing.
How do I go about that the safest way (so it's really hidden for other users, and not just display:hide; etc.)?
Thanks in advance!
Comments
Hey Marko Guzvic, does removing the element via a script like this, combined with a script to check if the logged-in member is the creator of the listing (you can add an attribute to the button and map the member ID from Webflow CMS or any unique identifier that you store in Memberstack and CMS to identify the listing creator), help for your use case?
If you truly want the safest way to protect private data and ensure it's only visible to the right users, you'll need to update your system architecture to include some form of backend logic.
A good option is using a backend-as-a-service like Xano, paired with Wized to manage the business logic. This setup allows you to securely store private content and enforce proper permissions. Relying only on frontend logic (like hiding elements with display: none) is risky. The data can still be accessed or manipulated through browser dev tools, since there’s no real security check happening behind the scenes.
That said, you can follow AJ’s workaround as a lighter solution. It hides or shows the form based on who’s logged in, using Webflow and Memberstack logic.
You can take it a step further by removing the form entirely from the DOM for unauthorized users, which adds a bit more security through obscurity, but keep in mind, it’s still not foolproof.
If you're using Make or Zapier to automate form submissions, I strongly recommend adding an extra validation step. For example, double-check that the entry was actually submitted by the user who owns the content. That way, even if someone bypasses the frontend, the automation won’t process invalid or unauthorized data.
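The validation step described in the comment above, sketched as an added example that is not part of the original thread: the edit is accepted only when the member ID from the server-verified session matches the owner stored with the listing, and owner fields sent in the form are ignored. All names and sample records here (LISTINGS, EDITABLE_FIELDS, authorizeEdit, applyEdit, the mem_/lst_ IDs) are hypothetical and constructed; how the session is verified is assumed to happen before this code runs.

```javascript
// Constructed sample records standing in for the CMS / database.
const LISTINGS = new Map([
  ["lst_1", { ownerId: "mem_alice", title: "Bike", price: 100 }],
  ["lst_2", { ownerId: "mem_bob", title: "Desk", price: 40 }],
]);

// Allow-list: the only fields an edit form is permitted to change.
const EDITABLE_FIELDS = ["title", "price"];

// sessionMemberId: member ID from the verified login session (assumption:
//   verified server-side; never read from the form body).
// submission: untrusted form payload sent by the browser.
function authorizeEdit(sessionMemberId, submission, listings = LISTINGS) {
  if (typeof sessionMemberId !== "string" || sessionMemberId === "") {
    return { ok: false, status: 401, reason: "not logged in" };
  }
  const id = submission ? submission.listingId : undefined;
  const listing = typeof id === "string" ? listings.get(id) : undefined;
  if (!listing) {
    return { ok: false, status: 404, reason: "listing not found" };
  }
  // Compare against the stored owner, not against anything in the payload.
  if (listing.ownerId !== sessionMemberId) {
    return { ok: false, status: 403, reason: "not the listing creator" };
  }
  // Copy only allow-listed fields, so ownerId cannot be reassigned.
  const changes = {};
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(submission, field)) {
      changes[field] = submission[field];
    }
  }
  return { ok: true, status: 200, changes };
}

// Applies the edit only after authorization succeeds.
function applyEdit(sessionMemberId, submission, listings = LISTINGS) {
  const decision = authorizeEdit(sessionMemberId, submission, listings);
  if (decision.ok) {
    Object.assign(listings.get(submission.listingId), decision.changes);
  }
  return decision;
}
```

A request that bypasses the hidden button and posts directly is rejected with 403 here, which is the property the frontend hiding cannot provide.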
A J Raquel Lopez Thank you both!
I'm surely going to have some validation steps in my automations.
Only selected users get access to the platform so as long as I verify them in MAKE it should be good!
Also Raquel, do you mind explaining what would "removing the form entirely from the DOM" mean?
Thank you a lot!
On page load, you can insert a function to check if the user is logged in and authorized to make changes. If the user is not, you will remove the form, like document.querySelector(yourForm).remove()
https://developer.mozilla.org/en-US/docs/Web/API/Element/remove
Got it, thank you!