How to use the Members plugin to restrict access to WordPress 3.0 Custom Post Type

WordPress 3.0 introduces an easy way to add Custom Post Types to your site.  It’s super easy to do and has been explained in plenty of tutorials already.

However, not many have explained how to restrict this Custom Post Type to users with certain permissions.  In this tutorial, I will show you how to use the excellent Members plugin to restrict your newly created Custom Post Type to only be available for Administrators.

By default, when registering a post type, it inherits the same permissions as Posts.  This is fine if you want all users that can publish a Post to be able to publish your Custom Post Type.  In my case, though, I only wanted Admins to publish.

Register Post Type

The first step is to add the following code to your functions.php file.  If you want to know more about register_post_type, check out the Codex or various tutorials on the subject.

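// register_post_type() should run on the 'init' hook; the function name is arbitrary.
add_action('init', 'register_podcasts_post_type');

function register_podcasts_post_type() {
    register_post_type('podcasts',
        array(
            'label' => __('Podcasts'),
            'singular_label' => __('Podcast'),
            'public' => true,
            'supports' => array('title', 'editor', 'custom-fields'),
            // Custom capability type: capability names are built from 'podcast' instead of 'post'
            'capability_type' => 'podcast'
        )
    );
}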

The last argument, ‘capability_type’, is what we are most interested in for this tutorial.  I am using ‘podcast’ to be consistent with the post type, but it can be anything you want.  If you refresh your site now, you will notice that Podcasts doesn’t display.  This is because we have not yet created the matching capabilities or assigned them to the Admin role.

Create and Assign Capabilities

Before continuing, make sure you have enabled the “Edit Roles” Members Component and assigned the “edit_roles” capability to the Administrator role.

On the screen where you edit the Administrator role, scroll to the bottom to the New Capabilities section and add the following capabilities:

  • edit_podcasts
  • edit_podcast
  • edit_others_podcasts
  • publish_podcasts
  • read_podcast
  • read_private_podcasts
  • delete_podcast

After you add those capabilities and click Update Role, you should see the Podcasts section displayed underneath Comments in the left column.  Podcasts will only be displayed for users with Administrator access.
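The same assignment can be made in code and then audited, which helps confirm that no role other than Administrator ended up with a podcast capability. This is an added example, not code from the post or from the Members plugin; the `example_` function names are hypothetical, and the capability names are the seven listed above.

```php
<?php
// Added example: the seven capabilities listed in the tutorial.
function example_podcast_caps() {
    return array(
        'edit_podcasts', 'edit_podcast', 'edit_others_podcasts',
        'publish_podcasts', 'read_podcast', 'read_private_podcasts',
        'delete_podcast',
    );
}

// Grant every podcast capability to the Administrator role.
// add_cap() persists the change in the database, so this is safe to repeat.
function example_grant_podcast_caps() {
    $role = get_role( 'administrator' );
    if ( ! $role ) {
        return false; // Role missing: nothing granted.
    }
    foreach ( example_podcast_caps() as $cap ) {
        $role->add_cap( $cap );
    }
    return true;
}
add_action( 'admin_init', 'example_grant_podcast_caps' );

// Audit: return role name => podcast capabilities it holds, for every role
// that holds at least one. Anything besides 'administrator' needs review.
function example_audit_podcast_caps() {
    global $wp_roles;
    $holders = array();
    foreach ( $wp_roles->role_objects as $name => $role ) {
        foreach ( example_podcast_caps() as $cap ) {
            if ( $role->has_cap( $cap ) ) {
                $holders[ $name ][] = $cap;
            }
        }
    }
    return $holders;
}
```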

Why not create a new Role?

I’m sure there are some of you that are saying “Why not just create a new role and assign the capabilities to that?”  Well, you can do that if you want!  But, I didn’t want to go to the trouble of reassigning Admin users to my new role just so they could manage the Podcasts.  For my purposes, it was a lot easier and faster to edit an existing role.

Role Inheritance coming with WordPress 3.1

Andrew Nacin, a lead WordPress developer, commented on Justin Tadlock’s “Meta capabilities for custom post types” (a similar tutorial to this one) that register_post_type in WordPress 3.1 will probably be able to map to a particular role’s capabilities, so you won’t have to follow the steps in this tutorial.  But there’s no hard timeline for 3.1 and, until then, you will need to follow the steps outlined here.

Hopefully, this makes working with WordPress 3.0 Custom Post Types a little bit easier.  Questions or comments welcome.


12 thoughts on “How to use the Members plugin to restrict access to WordPress 3.0 Custom Post Type”

  1. I use WordPress to set up membership websites using the Magic Members plugin. I run a variety of different content segments in which this type of coding could be beneficial. While I am not using the member plugin that you are, do you think that it will still work essentially the same way?

    • I’m not familiar with the plugin you mentioned. As long as it has the option to create custom capabilities for user roles, it should work.

  2. Thank you for this post, it got me started but there are a couple of misconceptions that tripped me up.

    Setting meta capabilities with the plugin, like edit_podcast (note the singular) made my custom post type act completely different than default page/post types. I was unable to limit user access to only their own posts.

    I was able to figure out what I needed to do by browsing the WordPress source:
    http://core.trac.wordpress.org/browser/trunk/wp-includes/capabilities.php?rev=15919#L867

    I tried to explain what I learned here:
    http://blurback.com/post/1479456356/permissions-with-wordpress-custom-post-types

    Hopefully it will save others some time.
    Thanks again.

      • Tried that, didn’t work. If you set “edit_podcasts” (which is all you should need) the user will get a permissions error when creating new podcasts. If you set both “edit_podcasts” and “edit_podcast” (singular), the user will be able to edit any podcast because “edit_others_podcasts” will be completely ignored since “edit_podcast” is being treated as a primitive (vs correctly defined as by a meta cap filter)

      • It’s inheriting the default cap of that role since it’s not defined.

        This is the correct behavior.

        From what I can tell, you are trying to make an Editor have different permissions across post types in which case your code does what you need it to do.
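The behaviour discussed in this thread, where the singular ‘edit_podcast’ is checked as a primitive capability and ‘edit_others_podcasts’ is never consulted, is what a `map_meta_cap` filter addresses. The following is an added example, not code from the post or from the commenters; the function name is hypothetical, and mapping delete onto the edit primitives is an assumption because the tutorial’s list has no plural delete capability.

```php
<?php
// Added example, not the post's code. The function name is hypothetical;
// capability names are the ones listed in the tutorial.
add_filter( 'map_meta_cap', 'example_podcast_map_meta_cap', 10, 4 );

function example_podcast_map_meta_cap( $caps, $cap, $user_id, $args ) {
    $meta_caps = array( 'edit_podcast', 'delete_podcast', 'read_podcast' );

    // Leave every other capability, and checks made without a post ID, alone.
    if ( ! in_array( $cap, $meta_caps, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $post_id = (int) $args[0];
    $post    = get_post( $post_id );
    if ( ! $post || 'podcasts' !== $post->post_type ) {
        return $caps;
    }

    $is_author = ( (int) $user_id === (int) $post->post_author );

    if ( 'read_podcast' === $cap ) {
        // Non-private podcasts and the author's own need only 'read'.
        if ( 'private' !== $post->post_status || $is_author ) {
            return array( 'read' );
        }
        return array( 'read_private_podcasts' );
    }

    // edit_podcast and delete_podcast: mapping delete onto the edit primitives
    // is an assumption, since the tutorial lists no plural delete capability.
    return array( $is_author ? 'edit_podcasts' : 'edit_others_podcasts' );
}
```

With a filter like this in place, per-post checks are decided by the plural capabilities a role holds, so a role without ‘edit_others_podcasts’ is limited to its own podcasts.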

  3. Thanks for this post! I was able to implement, but it caused the custom post type to disappear completely from my dashboard. Any ideas on why this happened?

  4. I’m trying to restrict all ‘internal-posts’ so they can only be read by ‘members.’ This should be doable, right? My goal is to have a link on the menu to the internal blog (domain.com/internal-posts/) and to get to it, the user must be authenticated as a ‘member’ to see them. I have created a capability called read_internal_post and assigned it to the member capability, but a non-authenticated user can still get to the internal posts.

    I should also mention that my custom post type was built with ‘Ultimate Post Type Manager.’

    I’m comfortable with troubleshooting and PHP, so if you could just point me in the right direction, I’d appreciate it.

    • You should be able to use the current_user_has_role and is_user_logged_in functions to make sure the user is logged in and assigned the custom role you’ve created to access the custom post type.
