Problem
I’m working on a website where we need to be able to put a username in the custom field of a custom post type, and allow the user specified to make changes to that post and only that post. I thought user_has_cap
would be the filter hook to use but weirdly it doesn’t seem to be allowing a user to update the post.
The user can see the edit screen for the post and only that post which implies my filter is working correctly, but clicking update gives the error You are not allowed to edit posts as this user.
which contradicts this.
The post type has capability_type => post
so I feel that shouldn’t be the issue.
Code
function event_cap_filter($all, $cap, $args) {
// if not requesting edit post then return caps
if('edit_post' != $args[0]) return $all;
// if user can already edit others posts then return caps
if($all['edit_others_posts']) return $all;
// if user is the post author then return caps
$post = get_post($args[2]);
if($args[1] == $post->post_author) return $all;
// query to find user in custom field
// and therefore if they are allowed to edit this post
if($can_edit) {
foreach($cap as $c) {
$all[$c] = true;
}
}
return $all;
}
add_filter('user_has_cap', 'event_cap_filter', 10, 3);
Question
If my user can edit the post where he is specified in the custom field I check for, why can he not save his changes? Am I overlooking something?
I think you are encountering a bug in
_wp_translate_postdata()
that makes it checkedit_others_posts
without providing any context formap_meta_cap
and other filters to use in situations like yours (where you want a user to be able to edit specific posts that aren’t theirs):https://core.trac.wordpress.org/ticket/30452#comment:5
It specifically has the effect that the affected user will be able to log into the post editor (implying it worked) but attempts to save changes will fail completely (which sounds like your problem).
The ticket includes a solution from Daniel Bachuber that others can likely convert for their own purposes.
Hopefully the bug is fixed soon.
I’ve been struggling with the same problem…when args[0] is publish, args[2] is not populated. You have to get it from the url.
I had a similar problem, needed to have a custom field to give specific people permission to edit some posts, pages and custom post types created by other users. I have an acf array field with users. Solved it getting the post id using $_POST[‘post_ID’] and the code below: