
[Closed] Restrict users' access to their own profile page

This support ticket was created 7 years, 9 months ago. There's a good chance that you are reading advice that is now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

#402069

Access continues to be the most difficult to understand plugin for me...

I want to make sure that users with Client custom role can only have access to 1 page: their own front-end profile page.

Why is this so difficult to do?
Why is there no simple solution for this? All it needs is a "Which user role has access to this page?" button (perhaps even INSTEAD of the current Access group control whatever...)

Tell me what do I have to do to restrict these users to their own page. I don't want them to have access to WordPress admin either. Only their own profile page, and the publicly (without login) visible pages on my website.

#402269

Nigel
Supporter

Languages: English (English), Spanish (Español)

Timezone: Europe/London (GMT+00:00)

1. You want users to only be able to view their own profile page, no-one else's.

2. And you want to keep users out of the back end.

For 1, you don't need Access. You can't limit access by role in the way you suggest because anyone with that role would be able to see the page, rather than just a single user.

What you do is make a page, let's say "My profile". Use the Fields and Views button to add the user profile info to this page. When inserting the shortcode for a user field it will ask which user (see the attached screenshot) and you want to select the current user (the currently logged-in user).

Now when anyone views this page they will see their own details.

You might want to wrap all of the user profile content inside a wpv-conditional shortcode to only show this content if the person viewing the page is logged in, and to show an alternate message if not. See https://toolset.com/documentation/views-shortcodes/#wpv-conditional

For 2, you can't lock users out of the backend with Access as such without adding some custom code. See the WordPress codex here for an example that will do that: http://codex.wordpress.org/Plugin_API/Action_Reference/admin_init

You are going to have to manage having the users log in.

If you have a CRED form where users register, then you can specify that when they submit the form you should show a message. You can then use the wpv-login-form shortcode to display a login form and redirect them to a page of your choice when they do (for example, 'My profile').

See here for details of the log-in form shortcode: https://toolset.com/documentation/views-shortcodes/#wpv-login-form
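An added example, not part of the original reply or the linked Codex page: one way to write the `admin_init` redirect mentioned in point 2. The function name `example_keep_clients_out_of_admin` and the `/my-profile/` slug are assumptions; the check uses the `manage_options` capability, which administrators have by default.

```php
<?php
/**
 * Added example: send non-administrators who open /wp-admin/ to the
 * front-end profile page. Place in a small plugin or the theme's functions.php.
 */
add_action( 'admin_init', 'example_keep_clients_out_of_admin' );

function example_keep_clients_out_of_admin() {
    global $pagenow;

    // admin-ajax.php and admin-post.php also fire admin_init. Front-end
    // forms and AJAX calls post to them, so they must not be redirected.
    if ( wp_doing_ajax() || 'admin-post.php' === $pagenow ) {
        return;
    }

    // Check a capability rather than a role name, so custom roles that
    // are granted admin rights later are still handled correctly.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // The target must be a quoted string; an unquoted URL is a PHP
    // parse error and takes the whole site down.
    // '/my-profile/' is an assumed slug for the "My profile" page.
    wp_safe_redirect( home_url( '/my-profile/' ) );

    // Stop here so none of the admin screen is rendered after the
    // redirect header has been sent.
    exit;
}
```

This only decides who lands on wp-admin screens; what a role may actually do is still governed by its capabilities, so the Client role should not be granted any editing capabilities it does not need.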

#402432

Your answer for the first part doesn't work for me in terms of disabling the entire page from unauthorized users (for example in case of my own front-end admin page).

If my layout consists of a lot of different small cells, how can I disable the entire layout if someone unauthorized wants to see the page? If it would only be one big Visual Editor Cell then I can see how to do that, but not with multiple smaller cells, when some are visual editor, others are views, some are placed into a grid, others aren't.
I tried to add the conditionals to the page itself but that doesn't work.
I also tried to start the condition on the first row and finish it at the last, essentially wrapping all the cells into a conditional, but it doesn't work either.

For the second issue:
Restricting access to WP admin to administrators works great (although first I left out the " " from around the URL to which the users are redirected and that broke the site, but now it's all good). 🙂

#402640

Nigel
Supporter

Well, if you have a "My profile" page that uses wpv shortcodes to display user fields for the currently logged-in user, then any logged-in user looking at that page will see their own details; there isn't any way for them to see someone else's (unless they log in to the site with someone else's credentials).

So, it seems to me the question is simply what happens if a site visitor who is not logged in tries to visit that page? (As an aside, you will only want to display the link to that page to logged-in users, but someone could type in the URL manually.)

Well, here, Access can help you, because you can deny read access to the page for guest users.

This page describes what's involved:
https://toolset.com/documentation/user-guides/limiting-read-access-specific-content/

#402655

You misunderstand.
I'm talking about things like someone, out of sheer fun, types in mydomain.com/admin and suddenly ends up on my admin page, seeing all the admin information. How do I disable this possibility?

#402657

Nigel
Supporter

If you mean a custom admin page you have created then that's what denying guests read ability for that page using Access will do. You can send them to your 404 page, for example, as described in the docs I linked to in the last response.

I don't think you mean the mysite.com/wp-admin/ page; that's what we covered in 2. above.

#402660
Pages by Access.jpg

Yes I mean a custom-made admin page. But I wanted to restrict access to wp-admin too, so that was good.

This is why I wrote that Access is difficult to use: I don't see an option for disabling anyone's access to a particular page except admins. I only see the option for disabling users' access to ALL pages at once. So how can I do this?

#402745

Nigel
Supporter

In your WP admin, go to Toolset > Access Control.

First you must bring pages under Access control via the first tab. You can set your general access preferences for all pages here, and then use a custom post group to specify different rules for an individual page (or collection of pages and posts that you define).

With Access controlling pages, go to the Posts Groups tab.

Create a new Post Group and then add your bespoke admin page to the group.

Now when you go to edit your bespoke admin page you will see that access to this page is being controlled by the permissions defined in your post group, which is where you can deny read access to guests, for example.

#403233
Admin access.jpg

I set an Access group to only allow access to those pages to Administrators.
However, the redirection part doesn't work.
All the non-logged-in users and the Client level users are supposed to see Error 404 when they navigate to a page with no permission (see image). Instead, non-logged-in users are redirected to the login page, and Clients are redirected to their own account page. Why is that?

#403446

Nigel
Supporter

You have created the Access Post Group "Access to Admins only".

Where are you using it?

When you go to edit the page you want to make off-limits, do you see in the top right that Access is using this post group?

The topic ‘[Closed] Restrict users' access to their own profile page’ is closed to new replies.