I am trying to limit a custom post type to only be accessible on the front-end by the author of the post. The custom post type is called 'Receipts', so as you can imagine, it is a receipt of an order. I use an external process to add the post + post meta, and that works fine. The author is also set correctly to match the user who paid for their subscription. The problem comes in that although the view is filtered in their members dashboard to only show their receipts, if they were given the link to another user's receipt, they could see it.
Ideally only Administrators (or another role I set) and the author of the post should be able to view their invoice.
I did some checks on this and it seems there isn't a way to restrict the users to not be able to access other users' pages.
Since the user gets a general role, it doesn't apply the roles to the individual users.
I know you can only allow the current user's post to only show up with views but you're not able to restrict them from accessing the other user's posts if they get a direct link.
Some custom coding will need to be used to achieve something this specific.
Thanks for that -- any thoughts from you or your team on an approach to this? It'd be great if I could request this as a feature request, might be a nice addition to the Access plugin.
Thanks for your help -- I worked around this by just utilizing the post status, set it to private so only the post author can see it, and then updated the view query to look for those that are marked private. This seems to prevent the URL from being accessed by another user that is not the author, without getting overly complicated.
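The "custom coding" route mentioned in the thread, as an added example that is not part of the original posts or of any plugin named here: a per-object ownership check on the single-receipt view, so a guessed or shared URL is refused server-side instead of relying on the dashboard view's filter. The post type slug `receipt`, the `manage_options` capability for staff, and the `receipt_user_can_view()` helper are assumptions.

```php
<?php
/**
 * Added example: owner-only front-end access to single receipts.
 * Assumed names: post type slug 'receipt', staff capability 'manage_options'.
 */
const RECEIPT_POST_TYPE = 'receipt';        // assumed slug for the 'Receipts' CPT
const RECEIPT_STAFF_CAP = 'manage_options'; // assumed: administrators only

/** Hypothetical helper: may this user view this receipt? */
function receipt_user_can_view( WP_Post $post, int $user_id ): bool {
    if ( 0 === $user_id ) {
        return false; // anonymous visitors never see receipts
    }
    if ( (int) $post->post_author === $user_id ) {
        return true;  // the post author is the paying customer
    }
    return user_can( $user_id, RECEIPT_STAFF_CAP );
}

add_action( 'template_redirect', function () {
    if ( ! is_singular( RECEIPT_POST_TYPE ) ) {
        return; // only guard the single-receipt template
    }

    $post = get_queried_object();
    if ( $post instanceof WP_Post
        && receipt_user_can_view( $post, get_current_user_id() ) ) {
        nocache_headers(); // keep the owner's receipt out of shared page caches
        return;
    }

    // Answer 404 rather than 403 so the response does not confirm
    // that a receipt exists at this URL.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();

    $template = get_404_template();
    if ( $template ) {
        include $template;
    }
    exit;
} );
```

This guards only the themed single view. If the post type is registered with `show_in_rest` or appears in feeds, those routes need the same ownership check.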