Preventing users from viewing and editing other users' posts in WordPress using roles and capabilities

Target: imagine a WordPress site managed by many users, where some of them should only be able to view and edit their own posts, and must not be able to view or edit posts or pages created by other users.

You may object that WordPress already ships with a set of roles (Administrator, Editor, ...), but they don't always match your needs, as in this case. WordPress therefore lets you create new roles with specific permissions (called capabilities).

We will follow two steps: create a new custom role, and hide the posts published by other users from the admin panel.

Step 1. Create a new role with capabilities for posts, pages and custom post types

With the code below we create a new role, Author, with specific permissions for each post type:

  • Posts: publish, edit and delete allowed.
  • Pages: publish, edit and delete disallowed.
  • Books: edit allowed; publish and delete disallowed.

Note that a capability set to false is simply not granted: what really keeps this role away from other people's content is the absence of edit_others_posts, delete_others_posts and their page/book equivalents, which WordPress checks before it lets a user open or save someone else's post.
/*
 * New role with capabilities
 */
// add_role() does nothing (it returns null) when a role with this slug already exists,
// and 'author' is a built-in WordPress role. Uncomment the next line once to remove it
// (and again whenever you change the capabilities), then re-comment it: roles are saved
// in the database, so this code should not remove and re-create the role on every request.
//remove_role('author');

add_role('author', 'Author', array(
    'read'                    => true, // Allows access to Dashboard, Your Profile
    // Capabilities for Posts
    'publish_posts'           => true,
    'edit_posts'              => true, // Allows access to Posts, Comments
    'edit_published_posts'    => true,
    'delete_posts'            => true,
    'delete_published_posts'  => true,
    // Capabilities for Pages
    'publish_pages'           => false,
    'edit_pages'              => false, // Allows access to Pages
    'edit_published_pages'    => false,
    'delete_pages'            => false,
    'delete_published_pages'  => false,
    // Capabilities for CPT 'books'
    'publish_books'           => false,
    'edit_books'              => true, // Allows access to CPT
    'edit_published_books'    => true,
    'delete_books'            => false,
    'delete_published_books'  => false,
    )
);

But WordPress doesn't ship with capabilities for custom post types, so we need to map the built-in capabilities (the ones used for posts and pages) onto our CPT. The code below comes from a customized function that registers Custom Post Types, check it out. You only need to add the 'capabilities' attribute to the args array, which does the mapping, and a few lines to add the CPT capabilities to the Administrator role.

    ...

    // Arguments
    $args = array(
      ...
      'capabilities'  => array(
          // Mapping capabilities for the CPT ($typeSingle and $typePlural are the
          // singular and plural slugs of the post type, e.g. 'book' and 'books')
          'edit_post'               => 'edit_'. $typeSingle,
          'read_post'               => 'read_'. $typeSingle,
          'delete_post'             => 'delete_'. $typeSingle,
          'edit_posts'              => 'edit_'. $typePlural,
          'edit_others_posts'       => 'edit_others_'. $typePlural,
          'publish_posts'           => 'publish_'. $typePlural,
          'read_private_posts'      => 'read_private_'. $typePlural,
          // These need map_meta_cap set to true
          'delete_posts'            => 'delete_'. $typePlural,
          'delete_private_posts'    => 'delete_private_'. $typePlural,
          'delete_published_posts'  => 'delete_published_'. $typePlural,
          'delete_others_posts'     => 'delete_others_'. $typePlural,
          'edit_private_posts'      => 'edit_private_'. $typePlural,
          'edit_published_posts'    => 'edit_published_'. $typePlural,
      ),
      'map_meta_cap'       => true // a real boolean: the string 'true' only works by accident
    );

    // Gets the administrator role and adds every CPT capability to it.
    // add_cap() writes to the database, so run this once (e.g. on plugin activation),
    // not on every page load.
    $admins = get_role( 'administrator' );

    foreach ( $args['capabilities'] as $cap ) {
        $admins->add_cap( $cap );
    }

    ...
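The two pieces of Step 1 put together as one runnable plugin file. This is an added example, not code from the original page: it registers a book post type with the mapped capabilities, creates the restricted role and grants the administrator the CPT capabilities once on activation, and adds a small helper that reports what a given user is actually allowed to do, which is the check you want before trusting any admin-panel filtering. The role slug restricted_author (chosen so the built-in author role is not clobbered), the pa_ prefix and the helper names are assumptions made for this example.

```php
<?php
/*
 * Plugin Name: Restricted authors (added example)
 * Registers a 'book' CPT with its own capabilities plus a role that may edit
 * only its own posts and books. All pa_ names are assumed for this example.
 */

// Built-in post capabilities mapped onto the 'book' CPT.
function pa_book_caps() {
    $single = 'book';
    $plural = 'books';
    return array(
        'edit_post'              => 'edit_' . $single,
        'read_post'              => 'read_' . $single,
        'delete_post'            => 'delete_' . $single,
        'edit_posts'             => 'edit_' . $plural,
        'edit_others_posts'      => 'edit_others_' . $plural,
        'publish_posts'          => 'publish_' . $plural,
        'read_private_posts'     => 'read_private_' . $plural,
        'delete_posts'           => 'delete_' . $plural,
        'delete_private_posts'   => 'delete_private_' . $plural,
        'delete_published_posts' => 'delete_published_' . $plural,
        'delete_others_posts'    => 'delete_others_' . $plural,
        'edit_private_posts'     => 'edit_private_' . $plural,
        'edit_published_posts'   => 'edit_published_' . $plural,
    );
}

function pa_register_book_cpt() {
    register_post_type( 'book', array(
        'labels'       => array( 'name' => 'Books', 'singular_name' => 'Book' ),
        'public'       => true,
        'capabilities' => pa_book_caps(),
        'map_meta_cap' => true, // boolean: lets edit_post/delete_post resolve per post
    ) );
}
add_action( 'init', 'pa_register_book_cpt' );

// Roles and capabilities live in the wp_user_roles option, so create them once
// on activation instead of on every request.
function pa_activate() {
    // add_role() returns null if the slug already exists; a new slug avoids
    // having to delete the built-in 'author' role first.
    add_role( 'restricted_author', 'Restricted Author', array(
        'read'                   => true,
        'publish_posts'          => true,
        'edit_posts'             => true,
        'edit_published_posts'   => true,
        'delete_posts'           => true,
        'delete_published_posts' => true,
        'edit_books'             => true,
        'edit_published_books'   => true,
        // Deliberately absent: edit_others_*, delete_others_*, *_pages. These are
        // what WordPress checks before letting a user touch someone else's entry.
    ) );

    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( pa_book_caps() as $cap ) {
            $admin->add_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'pa_activate' );

// Undo the database changes when the plugin is deactivated.
function pa_deactivate() {
    remove_role( 'restricted_author' );
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( pa_book_caps() as $cap ) {
            $admin->remove_cap( $cap );
        }
    }
}
register_deactivation_hook( __FILE__, 'pa_deactivate' );

// Verification helper: what may $user_id do in general, and on one specific post?
// With map_meta_cap, 'edit_post' on another author's book resolves to
// 'edit_others_books', which the restricted role does not have, so it returns false.
function pa_audit_user( $user_id, $post_id ) {
    $general = array( 'edit_posts', 'edit_others_posts', 'edit_pages',
                      'edit_books', 'edit_others_books', 'publish_books' );
    $report = array();
    foreach ( $general as $cap ) {
        $report[ $cap ] = user_can( $user_id, $cap );
    }
    $report[ 'edit_post#' . $post_id ]   = user_can( $user_id, 'edit_post', $post_id );
    $report[ 'delete_post#' . $post_id ] = user_can( $user_id, 'delete_post', $post_id );
    return $report;
}
```

Drop the file into wp-content/plugins/ and activate it; then, for instance, call pa_audit_user( $id_of_a_restricted_author, $id_of_someone_elses_book ) from a WP-CLI shell or a temporary admin page and confirm that every edit_others_* entry and the per-post edit_post entry come back false. That is the authorization check; the admin-panel filtering of Step 2 only changes what is listed.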
    

Step 2. Hide posts of other users

Paste the code below into your functions.php and go with the magic! It checks whether the logged-in user may edit other users' posts (the edit_others_posts capability, which administrators and editors have but our new role does not) and, if not, shows only the posts created by the current user. Keep in mind that this only filters what the admin lists display: the actual protection comes from the capabilities missing from the role, which WordPress checks when a user opens post.php?post=N&action=edit or sends a REST request for someone else's post.

function posts_for_current_author( $query ) {
  // Admin-side queries only, and only for users who cannot edit other users'
  // posts. The deprecated $user_level global is replaced by a capability check,
  // so the visibility rule and the authorization rule stay in sync.
  if ( is_admin() && ! current_user_can( 'edit_others_posts' ) ) {
    $query->set( 'author', get_current_user_id() );
  }
}
// pre_get_posts is an action: the query object is passed by reference and nothing is returned
add_action( 'pre_get_posts', 'posts_for_current_author' );
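A more general version of the Step 2 filter, added here as an example rather than code from the original page. It decides per post type using that type's mapped edit_others_* capability (so the book CPT of Step 1 is covered without hard-coding edit_others_posts), and it also corrects the "All (N)" / "Published (N)" counts above the list, which come from wp_count_posts() and are not affected by pre_get_posts; without this, a restricted user still sees how many entries other people have. The pa_ prefix and the assumption that the book post type is registered as in Step 1 are this example's own.

```php
<?php
// Added example: per-post-type restriction of admin lists and their status counts.
// Assumes it is loaded by WordPress (functions.php or a plugin); pa_ names are assumed.

// True if the current user may edit other users' entries of $post_type.
function pa_can_edit_others( $post_type ) {
    $type_obj = get_post_type_object( $post_type );
    if ( ! $type_obj ) {
        return false; // unknown type: treat as restricted
    }
    // For 'book' this is 'edit_others_books', as mapped in Step 1.
    return current_user_can( $type_obj->cap->edit_others_posts );
}

// Post type of an admin query, defaulting to 'post' as WordPress itself does.
function pa_query_post_type( $query ) {
    $type = $query->get( 'post_type' );
    if ( empty( $type ) ) {
        return 'post';
    }
    if ( is_array( $type ) ) {
        return count( $type ) === 1 ? reset( $type ) : 'any';
    }
    return $type;
}

// Hide other users' entries in admin-side queries (list tables, media modal, ...).
function pa_restrict_admin_queries( $query ) {
    if ( ! is_admin() ) {
        return;
    }
    $type = pa_query_post_type( $query );
    if ( 'any' === $type ) {
        // Mixed-type query: fall back to the generic post capability.
        if ( current_user_can( 'edit_others_posts' ) ) {
            return;
        }
    } elseif ( pa_can_edit_others( $type ) ) {
        return;
    }
    $query->set( 'author', get_current_user_id() );
}
add_action( 'pre_get_posts', 'pa_restrict_admin_queries' );

// pre_get_posts does not touch wp_count_posts(), so the status counts above the
// list would still reveal how many entries other users have. Recount per author,
// with a prepared statement so the type and user id are never interpolated raw.
function pa_restrict_counts( $counts, $type, $perm ) {
    if ( ! is_admin() || pa_can_edit_others( $type ) ) {
        return $counts;
    }
    global $wpdb;
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT post_status, COUNT(*) AS num_posts FROM {$wpdb->posts}
         WHERE post_type = %s AND post_author = %d GROUP BY post_status",
        $type,
        get_current_user_id()
    ) );
    $mine = array_fill_keys( get_post_stati(), 0 );
    foreach ( $rows as $row ) {
        $mine[ $row->post_status ] = (int) $row->num_posts;
    }
    return (object) $mine; // same shape wp_count_posts() returns
}
add_filter( 'wp_count_posts', 'pa_restrict_counts', 10, 3 );
```

Log in as a user with the restricted role, open Posts and Books, and check that both the rows and the view counts only reflect that user's own entries, while an editor (who has edit_others_posts) still sees everything. If a user should see everyone's books but only their own posts, grant edit_others_books alone: the per-type check handles that combination without further code.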


Developed and designed by Netgloo
© 2017 Netgloo