How to restrict specific post types from being read or added by specific user roles (e.g. author)?

I’m not very clear how to restrict admin area post types access to specific user roles.

In my case, I have some post type such as “suppliers” which I do not want to show to “authors”.

By default WP allows authors to browse, add or edit their own content. But I don’t want my authors to add a “supplier” or browse entries from other admins.

I’ve looked into WordPress code and the codex: http://codex.wordpress.org/Function_Reference/register_post_type

There seems to be a parameter in register_post_type( 'supplier', $args ), which I tried to define in $args as follows, among of course other variables which I don’t think I need to list here since my post type is working fine:

     'capabilities'          => array( 'edit_others_posts' ),
     'map_meta_cap'          => true,

I haven’t fully understood the parameter "map_meta_cap" – I assumed that indicating 'edit_others_posts' would have sufficed to bar access to ‘suppliers’ by simple authors (who cannot, in fact, edit others’ posts). I tested this and it doesn’t work. Authors can still see all the “suppliers” content in the admin area and add a supplier as if it was a blog post.

How can I prevent authors (or any other specific user role or users without certain capabilities) from accessing and adding content under specific custom post types I’ve created?

Thank you

1 comment

  1. For the solution to your question: in the register_post_type arguments, use the capability_type parameter & then grant the specific capabilities to the users. For instance, if you set 'capability_type' => 'supplier', grant the edit_supplier capability to all administrators only.

    More Details

    capabilities takes an array of the capabilities in the format 'edit_post' => 'edit_supplier'.

    This basically means that wherever the core code was using the edit_post capability previously, it will now use edit_supplier (you’ll have to grant the edit_supplier capability to all the users yourself, including the administrators; WordPress doesn’t do that for you).

    If you didn’t provide the capabilities array & map_meta_cap is true, then WordPress will generate the default capabilities array from the capability_type value provided, like this:

    [edit_post]              => "edit_{$capability_type}"
    [read_post]              => "read_{$capability_type}"
    [delete_post]            => "delete_{$capability_type}"
    [edit_posts]             => "edit_{$capability_type}s"
    [edit_others_posts]      => "edit_others_{$capability_type}s"
    [publish_posts]          => "publish_{$capability_type}s"
    [read_private_posts]     => "read_private_{$capability_type}s"
    [delete_posts]           => "delete_{$capability_type}s"
    [delete_private_posts]   => "delete_private_{$capability_type}s"
    [delete_published_posts] => "delete_published_{$capability_type}s"
    [delete_others_posts]    => "delete_others_{$capability_type}s"
    [edit_private_posts]     => "edit_private_{$capability_type}s"
    [edit_published_posts]   => "edit_published_{$capability_type}s"
    

    where {$capability_type} is the value you provided. If map_meta_cap is false, WordPress will ignore the capability_type parameter completely (or, say, consider it to be ‘post’ & then use map_meta_cap).
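
The approach described in the answer above, as an added example that is not part of the original post: the 'supplier' post type gets its own capability set, and only the administrator role is granted the generated primitive capabilities, so authors can no longer list or add suppliers in the admin area. The `myplugin_*` function names and the label are hypothetical.

```php
<?php
// Added example (not the poster's code). Function names are hypothetical.

// 1. Register the post type with its own capability namespace.
add_action( 'init', 'myplugin_register_supplier' );
function myplugin_register_supplier() {
    register_post_type( 'supplier', array(
        'label'           => 'Suppliers',
        'public'          => false,
        'show_ui'         => true,
        // Core derives edit_supplier, edit_suppliers, edit_others_suppliers, ...
        'capability_type' => array( 'supplier', 'suppliers' ),
        // Let core translate per-post checks (edit_post on a supplier) into
        // the primitive capabilities granted below.
        'map_meta_cap'    => true,
    ) );
}

// 2. Grant the generated primitive capabilities to administrators only.
//    Role capabilities are stored in the database; the has_cap() guard keeps
//    this from writing on every request. Priority 20 runs after registration.
add_action( 'init', 'myplugin_grant_supplier_caps', 20 );
function myplugin_grant_supplier_caps() {
    $type = get_post_type_object( 'supplier' );
    $role = get_role( 'administrator' );
    if ( ! $type || ! $role ) {
        return;
    }

    // Meta capabilities are resolved per post by map_meta_cap() and must
    // not be assigned to a role directly.
    $meta_caps = array( 'edit_post', 'read_post', 'delete_post' );

    foreach ( (array) $type->cap as $core_cap => $custom_cap ) {
        if ( in_array( $core_cap, $meta_caps, true ) ) {
            continue;
        }
        if ( ! $role->has_cap( $custom_cap ) ) {
            $role->add_cap( $custom_cap );
        }
    }
}
```

Roles that are never granted `edit_suppliers` (authors, in the question) lose the Suppliers menu and are denied the add and edit screens for that post type.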