I have a custom post type, that can be editable by more than one user. Each post of that type has a field with the user ids who can edit it (kinda like co-authors). But since many users have permissions to the post, I am not sure how to prevent deletion by other users (not in the co-authors' list).

Right now the problem is only present in the REST API which is used to delete from the frontend.

Is there a pre delete hook in which I can check for permissions and block the deletion if the user is not allowed to delete that specific post?

I have a custom post type, that can be editable by more than one user. Each post of that type has a field with the user ids who can edit it (kinda like co-authors). But since many users have permissions to the post, I am not sure how to prevent deletion by other users (not in the co-authors' list).

Right now the problem is only present in the REST API which is used to delete from the frontend.

Is there a pre delete hook in which I can check for permissions and block the deletion if the user is not allowed to delete that specific post?

• rest-api
• permissions
• wp-delete-post

• Have you tried the pre_delete_post hook? developer.wordpress/reference/hooks/pre_delete_post – geouser Commented Oct 3, 2020 at 16:31
• you could also tackle this via the capability filters, avoiding needing to deal with anything REST API related at all – Tom J Nowell ♦ Commented Oct 3, 2020 at 16:32
• @geouser I have thought about it but did not know how to stop the deletion if need be – CaptainNemo Commented Oct 4, 2020 at 12:47
• @TomJNowell I am not sure how this can be done for every post has different authors. – CaptainNemo Commented Oct 4, 2020 at 12:48
• There are filters that let you do this on a per post basis – Tom J Nowell ♦ Commented Oct 4, 2020 at 13:48

1 Answer 1

pre_delete_post hook filters whether a post deletion should take place. So callback function must return a boolean value: true - whether to go forward with deletion, false - if not.

pre_trash_post hook filters whether a post trashing should take place. So callback function must return a boolean value: true - whether to go forward with trashing, false - if not.

add_filter( 'pre_delete_post', 'filter_function_name', 10, 2 );
add_filter( 'pre_trash_post', 'filter_function_name', 10, 2 );

function filter_function_name( $delete, $post ) {

    // You have a field with user IDs for the post, get them as array of IDs
    $authors = array(1, 2, 3);
    
    // Get current user ID, who attempts to delete the post
    $current_user_ID = get_current_user_id();
    
    // make a check if the current user ID is among the co-authors IDs
    if ( !in_array( $current_user_ID, $authors ) ) {
        // If so, return false to prevent post deletion
        return false;
    }
    
    // else do nothing, and return default value
    return $delete;
}