[Resolved] How to grant/revoke access in front-end for a specific user to a specific post
This support ticket is created 3 years, 5 months ago. There's a good chance that you are reading advice that it now obsolete.
This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.
Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.
No supporters are available to work today on Toolset forum. Feel free to create tickets and we will handle it as soon as we are online. Thank you for your understanding.
Hi Toolset Support, I struggle to find out how I can use Toolset Access to realize the following:
I have a CPT (A) with a one-to-many relationsship with another CPT (B). I want to be able to grant/revoke accesses for specific user(s) - to work with CPT (A) and the related CPT (B) posts. This should be able to be done from the from front-end - and only by users with a specific role. In the CPT (A) and CPT (B) the access should be granted on the Custom Field-Groups within the CPT.
Example:
An "Incident" dispatcher/delegation feature: Users with the custom role: "Manager" can from the front-end grant the User Id: "ABC123" and "DEF789" the ability to work with a specific "Incident" (CPT A, post-Id: 12) and all the related "activities" (CPT B posts related to CPT A, post-Id: 12). The resolvers (User: ABC123 and DEF789) should not be able to see/work with any other incidents.
My initial thoughts regarding a solution is:
- CPT A "Incident"
- CPT B "Activities"
- one-to-many relation between A and B (Many activities for exact one incident).
- many-to-many relation from User to CPT A to address "delegation" (relationsship maintained by users with custom "Manager"-role )
What is missing is the technical authorization to allow/disallow users to work with CPT A+B (Incidents and Activities). It should not to be able for users to access posts they are not allowed to work with e.g. by changing data directly in URL.
Another problem in my initial idea is the many-to-many Relationsship between Users and Incidents (CPT A). As far as I can see it is not possible to define a Relationship with a User form.
Thank you for getting in touch.
I want to be able to grant/revoke accesses for specific user(s) - to work with CPT (A) and the related CPT (B) posts. This should be able to be done from the from front-end - and only by users with a specific role.
Unfortunately with our Access plugin you won't be able to restrict the posts per a user by user base. You can only restrict based on the user's role which would apply to all other users having that role.
<Em>This should be able to be done from the from front-end - and only by users with a specific role.
It is possible to do with specific user roles given that the permissions will apply to all the users under that role. However you will need to set these permissions on the backend.
Also based on your example you want to be able to allow your user role for Manager to set the permissions from the frontend, which is not possible to do.
Another problem in my initial idea is the many-to-many Relationsship between Users and Incidents (CPT A). As far as I can see it is not possible to define a Relationship with a User form.
That is correct you can't relate users to a post. You can only relate posts to posts.
I understand now that:
- it's only possible to build relations between posts in Toolset Access
- Toolset Access cannot control the accesses on individual posts in a CPT.
The workaround I now consider is:
- create a list of users in a new CPT
- create a many-to-many relation between Users and Incidents: what users are allowed to work with which incidents (delegation)
- the delegation can be maintained in front-end by authorised roles (the manager-role)
- programmetically create an enhancement using the Toolset Access API Filter (toolset_access_api_get_post_permissions) to contol the permissions when working with individual posts (Incidents and Activities) - this should be done by doing lookups in the Delegations-relation
The workaround I now consider is:
- create a list of users in a new CPT
- create a many-to-many relation between Users and Incidents: what users are allowed to work with which incidents (delegation)
- the delegation can be maintained in front-end by authorised roles (the manager-role)
- programmetically create an enhancement using the Toolset Access API Filter (toolset_access_api_get_post_permissions) to contol the permissions when working with individual posts (Incidents and Activities) - this should be done by doing lookups in the Delegations-relation
I see what you mean now, so you're proposing to use a Many to Many relationship to accomplish this. In a way you'll have your managers assign the User's Profile CPT to the respective Incidents and from there when a user views their profile they can see what incidents were assigned to them.
This is definitely possible and would work. It will also allow your managers to assign the indicidents using the frontend relationship form.
