I am trying to setup a custom role, a restricted admin that does work on pages and content.
I have been able to setup a custom role using the Toolset Access module, but the user can access the "access" module and change the permissions back.
I have the check boxes for "access capabilities" off [per the attached image].
But the user can access the toolset access functions.
That's strange, what level is that user?
Is it a copy of "administrator" or of "guest"?
For example, guests cannot access that page, nor editors, but Administrators can.
It seems to me you copied over the Administrator and as you call it - restricted admin - started to remove capabilities to narrow down what it can do.
I checked and can confirm this, and I saw that the code relies on 3 options, one of which will simply remove all rights from your admin user, but if you do not remove that cap, then the other 2 caps wont' apply.
It's the "manage_options" cap.
The code says:
if ( !current_user_can('manage_options') && !current_user_can('access_change_post_group') && !current_user_can('access_create_new_group') ){
So - if the current user cannot manage options, cannot change post groups and not create any, then let them not create any.
Fine, but when you remove manage_options then the entire Toolset menu is inaccessible of course, so that is not what we want.
There is no solution to this issue right now.
I reported it as a BUG.
Thanks,
Yes I did a copy of the administrator.
Is there a work around ?
I escalated the problem to the developers.
Currently, a user needs manage_options rights to access Toolset > any tab
So, if you do not give users that right, they cannot use that tab
But, if you, for example, create a copy of a Subscriber and give him all rights to manipulate posts and create a Post as that user, and a post group (one at least) of an admin exists already, then that Subscriber Copy can add the post to that group, or unassign it, or even create a new group, from within the post edit screen only.
Note that there are several usability issues such as links, inviting the Subscriber Copy to edit those groups in Access, which is of course not possible due to missing manage_options.
So there will be usability issues, which we also will discuss and try to address in the ticket I escalated to the developers.
For now, those Subscriber Copy do not even need the capabilities you mention to be active for this to work as I describe above.
And activating them will have no effect whatsoever.
Hello, I wanted to know if you could solve the issue with the above message.
Please let me know if not, as I think I may not have been clear enough.
Please allow me to explain.
I have the check boxes for "access capabilities" off [per the attached image].
But the user can access the toolset access functions.
I confirm this, it is because the user has the manage options rights
To solve it, you can copy a subscriber instead, and increasingly give this subscriber more and more rights until it satisfies what the role should do.
This will avoid the user having admin capabilities, and with some flaws as described in my previous post related to Access, be able to manipulate post groups in a post.
The flaws will be subsequently solved in Toolset Access, but I have no ETA for this.
(please see the previous comment)
Please let me know if with above you can proceed towards your goal?
