Skip Navigation

Access Control for Standard and Custom Content Types in WordPress

Access allows you to control what different users can do in the WordPress admin and what they can read on the front-end. You can set access rules for user types and for specific users.

Editing access control for post types
Editing access control for post types

Access also manages user access to post field groups, Toolset forms, WPML, and WooCommerce.

Managing Access Control for Posts, Pages and Custom Post Types

Access controls for posts, pages, and custom post types look like this:

Access control for posts
Access control for posts

To allow Access to manage that content type, click on the Managed by Access checkbox at the top of each section and then on the Save button for that post type. Note that custom post type sections feature two additional options for managing their access control, as displayed in the following image.

Access control options for custom post types
Access control options for custom post types

The additional options are the following;

  • You can set the custom post type to use the same read permission as regular Posts.
  • You can use the default WordPress read permissions for the custom post type.

After selecting how the post type is managed, you can select the checkboxes to choose what operations different users can do. The ones selected by default are the standard WordPress permissions. The privileges that you can select are:

  • Read – read the content on the front-end
  • Edit own – create new content and edit the content that each user has created
  • Delete own – delete the content that each user has created
  • Edit any – edit content created by other users
  • Delete any – delete content created by other users
  • Publish – public content
  • Preview any – preview the content before it’s published

To grant privileges to specific users, click on the user icon and start typing the username in the dialog’s text field. Access will auto-complete and let you select users.Please note that when a static page is set as a Blog page on the WordPress Settings page, Access cannot apply permissions to that page, as it becomes an archive and is not a standard page anymore.

Access control for comments

The Access plugin allows you to control which comments user roles are able to moderate. The workflow is a bit different for standard Posts and custom post types.

Comments for the standard Posts type

To control permissions for moderating comments, you need to make sure to select that Posts are managed by Access. For a user role to be able to edit its own comments it needs to have the Publish and Edit own capabilities for Posts. For a user role to be able to edit all comments it needs to have the Publish and Edit any capabilities for Posts.

Comments for custom post types

To control permissions for moderating comments, you need to make sure to select that your custom post type and the standard Post and Pages are all managed by Access. For a user role to be able to edit its own comments it needs to have the Publish and Edit own capabilities for that custom post type and the standard Posts. For a user role to be able to edit all comments it needs to have the Publish and Edit any capabilities for that custom post type and the standard Posts.

Choosing what to Display When Read Access is Denied

The “read” privilege is specific. When you disallow reading, you can choose what to display for users without access.

Selecting default error display for all user roles

For any post type controlled by Access, you can select a default content to show when read access is denied.

Selecting what to display for archives for users without read permission
Selecting the default display when user access is denied

Selecting error display for a specific user role

You can also specify what to display when read access is denied for a specific user role. The icon to edit these options appears when you deselect the read permission for a given role.

Selecting what to display when a specific user role has no read access
Selecting what to display when a specific user role has no read access

Options for error display

When selecting what to display when a user has no read access, you can choose from the following options.

  • Default error, the one selected for all user roles.
  • A 404 page, indicating that this content does not exist.
  • The current page, displayed using a Content Template.

Selecting error display for archive pages

For custom post types, which do not include Pages and Media, you can also select what to display on the archive page for user roles without the read permissions. You can choose from the following options for archive pages:

  • Display the “No posts found” message.
  • Choose a different PHP template to render the contents. This option is available if the Toolset Blocks plugin are not active.
  • Choose a WordPress Archive to display the error. To see this option you need to have at least one WordPress Archive created with Toolset Blocks.
Selecting what to display for archives for users without read permission

Previewing what users without permission see

In the dialog box for selecting what users without permission see, there is a Preview error for POST_TYPE link. POST_TYPE is the name of the respective post type you are editing. Clicking it displays a page belonging to the Post type, and automatically “simulates” the selected user role and a post belonging to the related post type. Please note that the preview only works for administrators. Additionally, the related post type needs to have at least one existing post.

Managing Access Control to Taxonomy

Access control for taxonomy, including tags, categories and all custom taxonomy, looks like this:

Access control for categories
Access control for categories

Similarly to post types, to enable access management for taxonomy, you must click on the Managed by Access checkbox. Taxonomy access management includes another option, called “Same as Category”. When selected, the access rules are set according to the settings for WordPress built-in Categories. For example, it will mean that the taxonomy is available when categories are. Please note that this option is only available if the taxonomy belongs to a single post type, or all post types that have this taxonomy have the same access rules. The privileges that you can select for taxonomy are:

  • Manage terms – access the taxonomy terms list
  • Edit terms – edit any term
  • Delete terms – delete terms
  • Assign terms – assign terms to their respective post types

You can also grant taxonomy access privileges to specific users, by clicking the user icon and entering their names in the search text field.

Access permissions for feeds

The Access plugin features a new logic for controlling the WordPress feeds’ visibility on the front-end. The permissions you assign to the specific user role for a specific contents (post types) are also used to control the visibility of those contents in the feeds on the front-end. For example, if you restrict users with the role guest (i.e. the ones not logged in), not only will they be restricted from viewing certain contents on the front-end but those contents also will not appear for them in the feeds.

Updated
November 16, 2020