Permission question regarding roles

  • jaspash

    (@jaspash)


    3 months, 1 week ago

    Hello,

    I created a custom role “my_role” and a custom post type “my_custom_type”.

    Then, I add these permissions to the custom role:

    $role = get_role('my_role');
    $role -> add_cap('read_my_role');
    $role -> add_cap('edit_my_role');
    $role -> add_cap('publish_my_role');
    $role -> add_cap('read_private_alumno');
    // $role -> add_cap('edit_others_my_role');
    $role -> add_cap('edit_published_my_role');
    $role -> add_cap('delete_published_my_role');
    $role -> add_cap('delete_private_my_role');

    Here my needs:

    1 – User with “my_role” assigned should be able to create, publish and delete their own posts. This is working fine.

    2 – User with “my_role” assigned should be able to View ONLY their own posts. This is not working. This user is able to View the post created by other users.

    I tried removing this line, but not working:

    $role -> add_cap('read_my_role');

    What I am missing here?

    Please, let me know.

    Regards,

    • This topic was modified 3 months, 1 week ago by jaspash.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Mustafa Bharmal

    (@mustafabharmal)

    3 months, 1 week ago

    This issue occurs because the old role data is stored in the database (wp_user_roles option).
    To fix it, first remove the existing role, then recreate it cleanly:

    // Step 1: Remove old role (run once)
    remove_role('my_role');

    Then run your code block again. I hope it will work.

    Thread Starter jaspash

    (@jaspash)

    3 months, 1 week ago

    Hello @mustafabharmal,

    I already did it using the ‘register_deactivation_hook’ but not working.

    register_deactivation_hook( __FILE__ , 'ia_remove_role');
    function ia_remove_role(){
    	remove_role('my_role');
    }
    • This reply was modified 3 months, 1 week ago by jaspash.
    Mustafa Bharmal

    (@mustafabharmal)

    3 months, 1 week ago

    Then I would suggest you to deactivate the plugin and activate it again. I hope It will solve the problem.

    Moderator bcworkz

    (@bcworkz)

    3 months, 1 week ago

    I think the issue is more about WP’ fundamental nature of handling posts. By default everyone gets “view” cap and all posts are viewable once published. You need to fight against WP’ fundamental behavior to enable viewing only one’s own posts.

    There ought to be a way by registering your post_type with 'map_meta_cap' => false, and assigning appropriate caps. However, I’ve always had trouble managing custom caps this way.

    There is another way if you too struggle with custom caps. If a posts query fails to find certain posts, no one will be able to view them. Thus you could modify my_custom_type post queries to simply only get one’s own posts and no others. Your logic here wouldn’t even need to involve custom caps at all, though checking user caps would be more logical none the less. Use the “pre_get_posts” action to modify post queries. If the query is for my_custom_type, and if the user has the right cap but is not an admin or editor, set the “author” query var to the current user’s ID. Only their own posts will be returned. Should work for both front and back end queries.

    Thread Starter jaspash

    (@jaspash)

    3 months, 1 week ago

    Hello @bcworkz

    I think that the “pre_get_posts” approach could be a good idea to try. Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.