By Rick Curran


2011-09-20 16:32:01 8 Comments

I'm trying to implement what seemed like a relatively straightforward idea: basically I am building an access control plugin to control viewing and editing of a custom post type (in this case 'Projects').

How I intend for it to work is that there are multiple users who either have read-only access or read/write access to specific 'Projects'.

There are multiple Projects in the system and read access is controlled by enabling checkboxes for the specific Projects within the User Profile settings on the site (shown below):

[Image: Additional edit options added to User Options]

So you assign access to these Projects via this interface then code on the actual Projects page restricts the content from being viewed if the ID of the Project does not match any of the IDs of the checked Projects.

That is all working fine, however, I need to also allow edit capabilities in the same way. So I could enable a user to read a specific page but also to edit that specific page. The problem I am having is that what I'm after doesn't seem to fit into the regular Roles and Capabilities as basically I just want all users to have the same Role (basically just the Subscriber Role). But I want to add edit capability to a specific user for a specific page, whereas Roles are generally about adding Capabilities to a 'type' of user.

Hopefully I've managed to explain what I'm trying to do here. I'm struggling to find the correct code / function for doing this, although I'm sure it must be possible as there are Plugins out there that can enable access to specific pages etc, but obviously in this case I don't want to rely on a plugin as what I'm building is a plugin itself!

Update: I've persevered further trying to resolve this, but so far I still can't see how to enable access to specific posts / pages etc without resorting to creating a custom-role / capability for each specific page, but this seems a bit overkill and I'm not even sure that would work.

Update 2: I've added a bounty to this question now to hopefully inspire someone! ;) I've looked further into this but even though I've found other plugins that seem to be capable of what I need (along with loads of other features I don't need!) I just haven't managed to figure out what code is required to restrict specific instances of a post type to a specific user.

Update 31st Oct: I've been able to get something running thanks to the code that @alexey posted. I now have two lists of IDs, one of which controls Read access and one for Edit access. I'm using current_user_can('read_projects') to limit viewing of the page content, however, I've got a problem in that it takes two page loads before it actually restricts the content. The first time I click on a page the content shows, but if I reload the page then the content is hidden correctly. It seems to be something to do with the timing of when user_has_cap is being triggered but I can't seem to track anything down; as far as I can tell this should be triggered before the page content is rendered. I'm not going to post any further code here in this update, as if there's no simple reason why this isn't working then I'd be better posting a new question rather than continuing this one.

1 comments

@Alexey 2011-10-01 09:12:44

I can suggest another method.

First of all: grant full access to projects post type (Example).

At the user profile add allowed posts' id.

Then use below filter to restrict access if post id isn't allowed.

function allow_user_to_edit_cpt_filter( $capauser, $capask, $param ) {

    $allowed_posts_id_for_current_user = array( '29', '30' ); // you need to get these ids yourself

    // $param[2] holds the ID of the post being checked; it is absent when the check names no post
    $post    = get_post( isset( $param[2] ) ? $param[2] : null );
    $post_id = $post ? $post->ID : 0;

    // If the current post isn't allowed, remove the edit and delete capabilities
    if ( ! in_array( $post_id, $allowed_posts_id_for_current_user ) ) {
        if ( ( $param[0] == "edit_projects" ) || ( $param[0] == "delete_projects" ) ) { // Change to your capabilities
            foreach ( (array) $capask as $capasuppr ) {
                if ( array_key_exists( $capasuppr, $capauser ) ) {
                    $capauser[$capasuppr] = 0;
                }
            }
        }
    }

    return $capauser;
}
add_filter( 'user_has_cap', 'allow_user_to_edit_cpt_filter', 100, 3 );

@Alexey 2011-10-03 11:40:48

@Rick, was it useful?

@Rick Curran 2011-10-03 13:31:15

Thanks for that, apologies for the slow response but I couldn't get back online to check until just now. I haven't tried it out yet, is this going to enable / disable access on individual posts? Basically if the ID is in the allowed array then edit capability remains for that user for the allowed post id's but edit capability is removed for all other posts? And this disabling happens as the user views the posts? (Viewed in the site or viewed in the Admin?) – Thanks again!

@Alexey 2011-10-03 21:10:55

Welcome back online, @Rick ) "Basically if the ID is in the allowed array then edit capability remains for that user for the allowed post id's but edit capability is removed for all other posts?" Yes. "And this disabling happens as the user views the posts? (Viewed in the site or viewed in the Admin?)" In the Admin.

@Rick Curran 2011-10-06 16:56:50

Thanks, this looks like this should get me to where I'm trying to get! I will update with full details once I get it working. I'm planning on making the plugin available once I've got it functional. Thanks again for your help!

@Alexey 2011-10-06 17:36:46

You are welcome @Rick. Keep us informed.

@Rick Curran 2011-10-31 12:28:43

My apologies for the big gap since my last reply, due to other work projects I wasn't able to give this much attention until this last week or so. I've basically been able to get something running based on the code you posted but am encountering a problem, I've edited the question and added more details so if you have any thoughts on what could be the issue that would be great! Thanks again for your help with this.

@fdrv 2016-04-08 06:29:37

change $allowed_post_type_ids to $allowed_posts_id_for_current_user =)

@fdrv 2016-04-08 08:28:17

But it doesn't work if I manually go to the URL wp-admin/post.php?post=29&action=edit
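
An added example, not code from the question, the answer or any commenter: the same per-post restriction expressed through WordPress's `map_meta_cap` filter instead of `user_has_cap`, so that any `current_user_can( 'edit_post', $id )` or `current_user_can( 'delete_post', $id )` check is denied for projects outside the user's list. It goes beyond the answer's approach and fails closed when the list is missing. Assumptions: it runs inside a plugin, the post type slug is `projects`, and the allowed IDs are stored as an array in a user meta key named `project_edit_ids`; that key and the `pac_` function names are hypothetical.

```php
<?php
// Added example. Assumed (hypothetical) names: post type 'projects',
// user meta key 'project_edit_ids', function prefix 'pac_'.

/**
 * Pure decision: is this post ID in the user's allowed list?
 * Fails closed: an invalid ID or an empty list means "no".
 */
function pac_user_may_edit_project( $post_id, array $allowed_ids ) {
    $post_id = (int) $post_id;
    if ( $post_id <= 0 ) {
        return false;
    }
    // Strict comparison on integers avoids loose string/number matches.
    return in_array( $post_id, array_map( 'intval', $allowed_ids ), true );
}

/**
 * map_meta_cap callback: $cap is the capability that was asked for,
 * $args[0] is the post ID when the check is about one specific post.
 */
function pac_restrict_project_editing( $caps, $cap, $user_id, $args ) {
    // Only per-post checks carry a post ID; leave everything else alone.
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $post = get_post( $args[0] );
    if ( ! $post || 'projects' !== $post->post_type ) {
        return $caps; // not a project: keep core's mapping
    }

    $allowed = get_user_meta( $user_id, 'project_edit_ids', true );
    $allowed = is_array( $allowed ) ? $allowed : array(); // unset meta => empty list

    if ( ! pac_user_may_edit_project( $post->ID, $allowed ) ) {
        // 'do_not_allow' is a primitive capability that no user holds,
        // so requiring it makes the check fail.
        $caps[] = 'do_not_allow';
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'pac_restrict_project_editing', 10, 4 );
```

As written this also applies to administrators; exempt them explicitly before the list check if that is not wanted.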
