WordPress Capabilities has always confused me, as you cannot allow granular access of certain roles to certain features. (Coming from a Drupal background)
I have the WordPress Carousel plugin installed and I am looking to allow the 'Editor' access to manage carousels, which seems like a reasonable option. But from looking within the plugin they have set permissions to the 'manage_options' capability. But I do not want the Editors to access to site-related options (e.g. Cache and other options they could break). Below is the code from the plugin which registers the post type.
What is the best way to allow the Editor permission to add/edit/delete carousel posts?
public function wp_carousel_post_type() {
if ( post_type_exists( 'sp_wp_carousel' ) ) {
return;
}
// Set the WordPress carousel post type labels.
$labels = apply_filters(
'sp_wp_carousel_post_type_labels',
array(
'name' => esc_html_x( 'All Carousels', 'wp-carousel-free' ),
'singular_name' => esc_html_x( 'WP Carousel', 'wp-carousel-free' ),
'add_new' => esc_html__( 'Add New', 'wp-carousel-free' ),
'add_new_item' => esc_html__( 'Add New Carousel', 'wp-carousel-free' ),
'edit_item' => esc_html__( 'Edit Carousel', 'wp-carousel-free' ),
'new_item' => esc_html__( 'New Carousel', 'wp-carousel-free' ),
'view_item' => esc_html__( 'View Carousel', 'wp-carousel-free' ),
'search_items' => esc_html__( 'Search Carousels', 'wp-carousel-free' ),
'not_found' => esc_html__( 'No Carousels found.', 'wp-carousel-free' ),
'not_found_in_trash' => esc_html__( 'No Carousels found in trash.', 'wp-carousel-free' ),
'parent_item_colon' => esc_html__( 'Parent Item:', 'wp-carousel-free' ),
'menu_name' => esc_html__( 'WP Carousel', 'wp-carousel-free' ),
'all_items' => esc_html__( 'All Carousels', 'wp-carousel-free' ),
)
);
// Set the WordPress carousel post type arguments.
$args = apply_filters(
'sp_wp_carousel_post_type_args',
array(
'labels' => $labels,
'public' => false,
'hierarchical' => false,
'exclude_from_search' => true,
'show_ui' => current_user_can( 'manage_options' ) ? true : false,
'show_in_admin_bar' => false,
'menu_position' => apply_filters( 'sp_wp_carousel_menu_position', 120 ),
'menu_icon' => WPCAROUSELF_URL . '/admin/js/wp-carousel-icon.svg',
'rewrite' => false,
'query_var' => false,
'supports' => array(
'title',
),
)
);
register_post_type( 'sp_wp_carousel', $args );
}
WordPress Capabilities has always confused me, as you cannot allow granular access of certain roles to certain features. (Coming from a Drupal background)
I have the WordPress Carousel plugin installed and I am looking to allow the 'Editor' access to manage carousels, which seems like a reasonable option. But from looking within the plugin they have set permissions to the 'manage_options' capability. But I do not want the Editors to access to site-related options (e.g. Cache and other options they could break). Below is the code from the plugin which registers the post type.
What is the best way to allow the Editor permission to add/edit/delete carousel posts?
public function wp_carousel_post_type() {
if ( post_type_exists( 'sp_wp_carousel' ) ) {
return;
}
// Set the WordPress carousel post type labels.
$labels = apply_filters(
'sp_wp_carousel_post_type_labels',
array(
'name' => esc_html_x( 'All Carousels', 'wp-carousel-free' ),
'singular_name' => esc_html_x( 'WP Carousel', 'wp-carousel-free' ),
'add_new' => esc_html__( 'Add New', 'wp-carousel-free' ),
'add_new_item' => esc_html__( 'Add New Carousel', 'wp-carousel-free' ),
'edit_item' => esc_html__( 'Edit Carousel', 'wp-carousel-free' ),
'new_item' => esc_html__( 'New Carousel', 'wp-carousel-free' ),
'view_item' => esc_html__( 'View Carousel', 'wp-carousel-free' ),
'search_items' => esc_html__( 'Search Carousels', 'wp-carousel-free' ),
'not_found' => esc_html__( 'No Carousels found.', 'wp-carousel-free' ),
'not_found_in_trash' => esc_html__( 'No Carousels found in trash.', 'wp-carousel-free' ),
'parent_item_colon' => esc_html__( 'Parent Item:', 'wp-carousel-free' ),
'menu_name' => esc_html__( 'WP Carousel', 'wp-carousel-free' ),
'all_items' => esc_html__( 'All Carousels', 'wp-carousel-free' ),
)
);
// Set the WordPress carousel post type arguments.
$args = apply_filters(
'sp_wp_carousel_post_type_args',
array(
'labels' => $labels,
'public' => false,
'hierarchical' => false,
'exclude_from_search' => true,
'show_ui' => current_user_can( 'manage_options' ) ? true : false,
'show_in_admin_bar' => false,
'menu_position' => apply_filters( 'sp_wp_carousel_menu_position', 120 ),
'menu_icon' => WPCAROUSELF_URL . '/admin/js/wp-carousel-icon.svg',
'rewrite' => false,
'query_var' => false,
'supports' => array(
'title',
),
)
);
register_post_type( 'sp_wp_carousel', $args );
}
- Keep in mind that 3rd party plugin dev support is off topic here – Tom J Nowell ♦ Commented Oct 21, 2020 at 10:07
1 Answer
Reset to default 0It would appear this plugin was written by a developer who was unaware of roles and capabilities.
Luckily the author passes their post type arguments through a filter named sp_wp_carousel_post_type_args, giving you the opportunity to override and add options, such as replacing the show_ui value and adding a capability array.