I would suggest having a generic form that can be completed by the public on the front end. The submission of the form would would generate the post, saving a random string in its meta data (the password), and send an email containing a link to /?p=PAGEID&post_id=THE_POST_ID&pw=THE_PASSWORD. THE_POST_ID and THE_PASSWORD are those values from the post generated, and the PAGEID is a page you created that contains shortcode to handle the editing. Not to get too far into detail, but your shortcode would be something like this:
add_shortcode('viktor_edit_post', function() {
// Sanitize
$_REQUEST['post_id'] = absint($_REQUEST['post_id']);
// Validate
if(empty($_REQUEST['post_id'])
|| get_post_status($_REQUEST['post_id']) === FALSE
|| get_post_meta($_REQUEST['post_id'], 'pw', TRUE) !== $_REQUEST['pw']
) {
// I would suggest echoing the public form here and handling its submission
// here as well. I think it would be preferable as you need not hard-code
// the PAGEID because this shortcode sits on that page. You could get it by way
// of the global $page (as done below).
return;
}
// If edit submission, update.
if(wp_verify_nonce('viktor_nonce_'.$_REQUEST['post_id'], 'viktor_check')
&& isset($_REQUEST['new_post_content'])
) {
wp_update_post(array(
'ID' => $_REQUEST['post_id'],
'post_content' => sanitize_textarea_field($_REQUEST['new_post_content']);
));
}
// Display edit form
global $post;
?><form action='/?p=<?= $post->ID ?>' method='POST'>
<?php wp_nonce_field('viktor_check', 'viktor_nonce_'.$_REQUEST['post_id'], FALSE); ?>
<input type="hidden" name="post_id" value="<?= $_REQUEST["post_id'] ?>'>
<input type="hidden" name="pw" value="<?= $_REQUEST["pw'] ?>'>
<p><?= sprintf(
__('Please make changes as you see fit to %s.'),
get_the_title($_REQUEST['post_id']),
) ?></p>
<textarea name="new_post_content"><?= get_the_content(NULL, FALSE, $_REQUEST['post_id']) ?></textarea>
<?php submit_button('Save'); ?>
</form><?php
});
The deal here is that you’re not messing around with capabilities, which control the users of your site. As you want to deal with non-users as well, I think a simple shortcode plugin is the way to go.