Skip Navigation

[Resolved] User Registration with Woocommerce and Preventing Access to CRED Forms

This support ticket is created 7 years, 9 months ago. There's a good chance that you are reading advice that it now obsolete.

This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.

Everyone can read this forum, but only Toolset clients can post in it. Toolset support works 6 days per week, 19 hours per day.

Sun Mon Tue Wed Thu Fri Sat
- 7:00 – 14:00 7:00 – 14:00 7:00 – 14:00 7:00 – 14:00 7:00 – 14:00 -
- 15:00 – 16:00 15:00 – 16:00 15:00 – 16:00 15:00 – 16:00 15:00 – 16:00 -

Supporter timezone: Europe/London (GMT+00:00)

Author
Posts
#406731
customer post type access.PNG
customer cred frontend access.PNG
customer role 1.PNG

How can I get a custom role that I created to work with Woocommerce login/registration?

Right now I have User Registration setup with Woocommerce. - > hidden link. I am also using the "Social Login" plugin, which allows the user to register via Facebook or Twitter. By default, when a user registers, they are assigned the "customer" role. I tried creating my own role, then assigning it as the default user role under General > Settings, Problem here is that Woocommerce automatically assigns registered users as "customers". (I actually deleted the customer role to see if that would work, and when a user registered, it didn't assign them any role at all after that. So I re-added the customer role)

I set the "customer" role to level 0, because otherwise, it automatically gives the user access to the wordpress dashboard, which is what I don't want. I have tried playing around with all of the settings in Access, and if I don't set it to 0, then I can't prevent that from happening. It seems the "customer" role has access to things that I have no control over using the Access plugin.

Another problem here is that the "customer" can edit and add onto other user's content using the CRED links (This is obviously a terrible thing). I have tried disabling this via access, but nothing works.

So I guess what I am asking is for one, is this even the right approach to handle user registration? I still want Woocommerce to function correctly. I've seen in the support forum that people created their own User CRED Forms to handle login/registration, and then somehow integrated all of that with WooCommerce (Sounds difficult lol).

Also, how do you Hide Cred Links from Guests, or "edit CRED" links from other logged in users? The link shows under other user's content, and I can't seem to prevent that from happening. Guest can view the links, click on them, but then it takes you to an empty page.

EDIT - I added 3 images to show you how the "customer" is set up within Access. I only gave it permission to view, create and edit it's "own" content. So how are other users still able to edit other's content on the front end?

#406775

Chasel,
I've got a situation like this too. It's different because I'm moving away from a few tools and deciding which to move too is where I'm at.

I'm going to follow along with this thread, offer my experience and take from yours.

With Best Regards,

-Carmine

#406924

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Chase, some of the things you describe are not what I expect to see so I'm going to set up a site where I can do some testing to confirm what should and shouldn't happen in such circumstances and I'll get back to you later today with the results.

#407038

Sounds good! Thanks Nigel.

#407151

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Screen Shot 2016-06-14 at 17.46.13.png
Screen Shot 2016-06-14 at 18.02.34.png

I did some extensive testing about the ability or not to edit other users' content with CRED forms because what you were describing sounded wrong and I want to eliminate the possibility that it isn't working because of bugs, which I believe I have.

As a general point, to integrate with WooCommerce, I would let it handle registration and set up the customer role rather than try to start with a custom role made with Access that you then have to map on to what WooCommerce expects and requires. In short, use the customer role and tweak it to your needs with Access instead of making a custom role yourself.

First, note, that the new versions of the Toolset suite of plugins were released this morning and my testing used these latest versions with the current versions of WordPress and WooCommerce.

So, when you add CRED edit form links they should only appear on the front end when the current user viewing the site has the permissions required to edit the content, and that is what I found.

Briefly, here's what I did to verify that.

- I set up a new install with all relevant plugins.
- In addition to my admin user I added another user—nigelWP—directly in the WordPress backend and set their role to author
- On the front end I went through WooCommerce to register another user—nigelWC—that was automatically assigned the role customer
- I created a CPT called Players
- I created a CRED post form to Add players & added it to its own page
- I created a CRED edit post form to Edit players
- I created a Content Template for displaying a single player which outputs the player post body and adds a link to edit the post with the Edit players form
- I set up 4 different browsers. On the first I was logged in as admin, the second as nigelWP, the third as nigelWC, and the fourth I was not logged in (i.e. guest)
- In my admin browser I created a test player via the Add player CRED form, and in my nigelWP browser I created another test player. Neither nigelWC nor guest are able to add players.
- I then viewed the two test players in each browser
- I expected and confirmed that only admin could see the link to edit the player created by admin
- I expected and confirmed that only nigelWP and admin could see the link to edit the player created by nigelWP
- nigelWC and guest could view the players, but did not see any links to edit them
- Thus far I hadn't yet brought the Players CPT under Access control, which I then did. I left the default abilities unchanged, as shown in the screenshot.
- I then tested the visibility of the CRED edit links in each browser as before and got the same results.
- One last check. I went to Toolset > Access Control > Custom roles to modify the customer role. By default its level is undefined. I set it to zero, which, as you have confirmed yourself, prevents the user from accessing the WordPress dashboard. I then double-checked—and confirmed—that it was still unable to see the CRED edit links.

So, that's all as expected. I'm pleased to report no buggy behaviour observed, but that doesn't get us closer to why you seem to be experiencing something different.

The most obvious question is whether you were diligent when testing your different users. Make sure you use different browsers and not different tabs of the same browser when logging in as different users for testing.

One more thing. Assuming we get this working, if your guest users visit the "Add a player" page they see a blank screen because they don't have the access rights for the CRED form.

Do you know about Post Groups in Access? Normally, you put post types (e.g. 'posts', 'pages', your custom posts etc.) under Access control and set rules for all content of that type. But you can also specify a collection of individual posts or pages that you want to set rules for.

In the screenshot attached I created a Post Group called "No go area" and added my "Add a player" page to it so that I can deny read access to guests for that specific page. The little edit button next to the Guest checkbox brings up a dialog where I can specify a content template to display instead where I will have my friendly "You need an account..." message.

* There seems to be a technical hitch adding screenshots currently, I'll edit the post and add them later....

#407186

Thanks for the Reply Nigel. I have done everything you have mentioned above. I have been using different browsers and logging into them with new users that I create that are given the "customer" role. I found the settings that is allowing users to edit others' content. It is:

Create Custom Post with CRED Form "Players" under "Post Forms Front-End Access Group".

If I uncheck that, then I can't edit/create any players at all. The link is still shown to all "customers" though. (I was able to hide the link from guests by using the following shortcode:

[toolset_access role="Administrator,Customer" operator="allow"]<h3>[cred_child_link_form form='1794' parent_id='-1' text="Click Here to Add Players to Your Program's Rosters" target='_self']</h3>[/toolset_access]

If I check it, then I can go in as a "customer" and edit anyone's links. So I guess now it comes down to: How can the toolset restrict access to edit other's posts and also hide that link to their posts, even though all user's have the same role as "customer"?

One thing to note here:

The "Players" type is a child of the "Programs" type. So I am using nested views here.

I noticed that the form to "Add players to the roster" (which is inside the content template I am using for Programs) is using this shortcode:

[cred_child_link_form form='1794' parent_id='-1' text="Click Here to Add Players to Your Program's Rosters" target='_self']

That shortcode above opens up a new page that I created to display the form to add a player to the roster. The name of that page is "Create a Team" (I know I need to change that name lol). So on that page, I inserted the shortcode below so that the "create a team" page will display the form.

[cred_form form='1767' form_name='Players']

So when you click on the link to "Add a player to the roster" it opens up that form. This is the link that shows for everyone: hidden link.

Wordpress knows that the form will only display to "customer" and "administrator". (remember I added that shortcode). So again, the question here is, how can we restrict access to that form to the user who created that piece of content only?

I think it has something to do with this Parent/child relationship and the [cred_child_link_form] shortcode. I say this because once you create a player, you are taken to the player page. (I created a content template for "players"). Inside that player's content template, there is a CRED link to EDIT the player. It looks like this:

[cred_link_form form='1822' form_name='Player Edit Form' text='Edit %TITLE%' target='_self']

That link opens up the edit player form, and allows you to edit the player. THE DIFFERENCE HERE is that the only user that can see that link is the one who created that player. This is what I want for the issue above! This is why I was saying that it has something to do with the parent/child relationship.

I hope this makes sense lol. I can give you admin access to the site if you think that would be better. I am so close to finishing this up, but something isn't right here.

Thanks again for all of your help.

- Chase

#407590

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Screen Shot 2016-06-15 at 18.05.10.png
Screen Shot 2016-06-15 at 18.01.37.png

OK Chase, I had another run at this and have a working demo of what you require.

It's actually not particularly complicated, but it is easy to get lost when concentrating on some details, and that's just what I did yesterday. While focusing on the permissions that the WooCommerce customer role should have I neglected the issue of people only being able to edit their own content, which meant me declaring things were working as expected, which they were, but I hadn't gone as far as that next step.

I'll describe my setup below, which I have kept as simple as possible but covers the main functionality you require.

So, I have set up my site with parent > child CPTs of Programs & Players.

Users can sign up with WooCommerce which means they will be allocated the role of Customer.

In Access I used the custom roles tab to assign a level of 0 to the customer role, which keeps them out of the backend. I have brought both Programs and Players under access control and set permissions for Customers as per the attached screenshot for players, giving them permission to read, publish, edit and delete own, but *not* edit any.

I have created CRED forms to add and edit programs and to add and edit players.

In the CRED Forms tab of Access I have set the permissions for post forms as shown in the attached screenshot, enabling users with the customer role to add programs and players and to edit their own programs and players but only their own.

Here is what the workflow looks like for a customer creating and editing content from the front end.

They visit the page where I have added the Add Program CRED form, enter the program details and submit, which takes them to the page they just published. I'm using a content template to display single programs. It shows the post body, a link to edit the program, a list of all the players belonging to the program, and a link to add players to this program.

My list of players is coming from a view I created to show players belonging to the parent program—I don't think you have any problems doing that.

My edit program link will only be visible to the creator of the program and admins because of the settings we added in Access.

My link to add players to this program we only want to be seen by the author of this program, we don't want anyone else adding players, so we wrap the link to the child post form in a conditional shortcode. My entire rough-and-ready content template looks like this:

[wpv-post-body view_template='None']
<p>Program created by: [wpv-post-author]</p>
[cred_link_form form='28' form_name='Edit Program' text='Edit %TITLE%' target='_self']

<h3>Players:</h3>
[wpv-view name="program-players"]

[wpv-conditional if="( '[wpv-user field="ID" ]' eq '[wpv-post-author format="meta" meta="ID"]' )"]
[cred_child_link_form form='13' parent_id='-1' text='Add new player' target='_self']
[/wpv-conditional]

So, being the author of this program I can go ahead and click the link to add a player, which I do.

I made another content template to show my single player posts, which includes a link to edit the player. Because of the permissions I set in Access, I don't need anything special here so that only the player author (which is the same as the parent program author) can edit the player. My template looks like this:

[wpv-post-body view_template='None']
<p>Player added by: [wpv-post-author]</p>

[cred_link_form form='16' form_name='Edit player' text='Edit %TITLE%' target='_self']

<h3>Plays for: [wpv-post-link id="$program"]</h3>

That's pretty much it.

If you want to try it out I've uploaded a backup of the site which you can download and double check.

You will need a fresh test site where you should install and activate the plugin "All in One WP Migration". Download the backup from here: hidden link

There are 3 users to testing:
iamadmin -- full admin
iamWP -- author created directly in WP backend
iamWC -- customer created via WooCommerce registration

Each has the password toolset.

#407626

Nigel,

That Shortcode you posted to surround the Cred Child Link worked perfectly. Thanks so much for that. You are the man!

I created a user in a different browser (firefox) to test and it worked. I switched back to google chrome (where I am logged in as admin) and went to the page that was created by the new user, and I noticed that I couldn't see the link on the front end, even as admin. (This isn't that big of a deal, because I can still make changes from the backend).

My question is, in the case that I wanted to give another user (that has the role of customer) access to that link on the front end, can I add that user to the shortcode? Either by id or username or some other way?

The reason I ask is because I am going to be doing a ton of data entry from my old website. I am going to be creating hundreds of programs myself, and also adding in players. I want to be able to give access to the users that "own" the programs that are on the site. If I create them myself, they won't be able to "own" or "claim" access to those unless I have a way of adding them. Does that make sense?

#407681

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

Screen Shot 2016-06-15 at 22.24.29.png

Progress!

To allocate the programs to the users you just need to change the post author from yourself to them (or just set it to them in the first place when you create the post).

It's not obvious because the select box to change the author on custom posts is normally hidden. Go to Toolset > Post Types and edit your post type. Find "Sections to display when editing [post type]" where you can select that the UI for author should be shown.

If you bulk select several of the posts and edit them together you'll get the chance to change them all in one go (see attached).

#407693
Only the admin author shows.PNG
only the current user and admin show here as well.PNG

Thanks Nigel. I checked author under the post type and saved it. I then went to all programs, and tried the bulk edit. I currently have almost 5,000 users that I imported in from the old site (drupal). I made all 5,000 of them "customers".

*One thing to note is that none of these users have passwords yet. They need to reset them since you can't bring passwords over from drupal. Not sure if this has anything to do with it*

This could be because WordPress isn't going to show 5,000 users in one select box. Is there another way for the admin to manually change the author? I attached 2 images showing what I am talking about.

#407915

Nigel
Supporter

Languages: English (English ) Spanish (Español )

Timezone: Europe/London (GMT+00:00)

How are you importing your users and your content?

I don't have any experience bulk importing users, to be honest, but I'm guessing they would only show up in the post author select if they have rights to publish posts. Can you import a test user the same way you did for your site users and test before and after whether setting up the password makes them actively able to publish posts.

What on Earth you are going to do with a select box of 5000 users I do not know ¯\_(ツ)_/¯

#407999

Thanks for your help Nigel. You have been amazing.

To answer the last question, I went into phpmyadmin, did a query on the name of the custom post I want to change the author on, then changed the "post_author" ID to the ID of the user that I want. Tested it and it worked perfectly!

This ticket is now closed. If you're a WPML client and need related help, please open a new support ticket.