Permission Groups Not Overriding Role-Based Capabilities for Custom Post Types

  • Resolved rico34

    (@rico34)


    1 year ago

    Setup:

    • Plugins Used:
      • Pods – Custom Content Types and Fields (v3.2.8.2)
      • PublishPress Capabilities (v2.19.1)
      • PublishPress Permissions (v4.1.3)
    • WordPress Version: 6.7.2

    I have a setup where:

    • I created 20+ custom post types using the Pods plugin.
    • I created 20 permission groups using PublishPress Permissions.
    • I created two user roles using PublishPress Capabilities.

    Goal:

    I want to control editing access to specific posts within custom post types via permission groups, without needing to grant broad edit permissions at the user role level.

    Current Issue:

    • I assign edit rights to certain posts (not entire post types) via permission groups.
    • Users in the relevant permission groups should be able to edit only those assigned posts.
    • However, the custom post type’s admin menu does not appear for these users unless I also enable edit permissions for the custom post type in the user role (via PublishPress Capabilities).
    • The problem with enabling edit permissions at the user role level is that users then see all custom post types in the admin menu — even those where they have no access to posts (resulting in empty post lists).

    Expected Behavior vs. Actual Behavior:

    • Expected: The permission group should determine access to posts and control whether the corresponding custom post type menu appears.
    • Actual: It seems that the user role must have edit rights for a post type before permission groups can apply post-specific permissions.

    Questions:

    1. Is this the expected behavior of PublishPress Permissions?
    2. Shouldn’t permission groups override the user role’s capabilities when determining which posts a user can edit?
    3. Is there a recommended way to hide empty custom post type menus when a user has no accessible posts?

    A similar issue was discussed in my previous thread, “‘Post-specific Permissions take priority’ not working since update”. At the time, I avoided updating the plugin, but now I have updated, and the problem persists. That thread is already closed for new messages, so I am opening this new one.

    I could create a user role for every permission group and enable the edit rights in the user role. But this would defeat the purpose of the permission groups and would make the configuration of user roles unnecessarily complicated and redundant.

    Any guidance would be greatly appreciated!

Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter rico34

    (@rico34)

    1 year ago

    To hide the empty custom post type menus I am using this now:

    add_action('admin_menu', function () {
        if (!is_admin()) {
            return;
        }

        $custom_post_types = get_post_types(['_builtin' => false], 'names');

        foreach ($custom_post_types as $post_type) {
            if (!user_has_visible_posts($post_type)) {
                remove_menu_page("edit.php?post_type={$post_type}");
            }
        }
    }, 99);


    function user_has_visible_posts($post_type) {
        $user_id = get_current_user_id();
        if (!$user_id) return false;

        $args = [
            'post_type'      => $post_type,
            'post_status'    => 'any',
            'posts_per_page' => 1,  // Only check for one post
            'fields'         => 'ids',
            'perm'           => 'edit', // Apply user-specific edit permission check
        ];

        $query = new WP_Query($args);
        return !empty($query->posts); // Return true if at least one post is visible
    }

    This solution works great! However, I’d still like to know if this should even be necessary—am I using permission groups incorrectly, or is this the expected behavior?

    Plugin Support Riza Maulana Ardiyanto

    (@rizaardiyanto)

    1 year ago

    Hi @rico34

    Thanks for your detailed report.

    I will answer your questions below:

    1. Yes, this is expected behavior. Core WordPress force a user to always have “edit” capability in order to see the menu
    2. To workaround this, you could assign edit from PublishPress Capabilities, while in the Permissions, you could set the operation to “Limit to” as opposed to “Enabled”.
    3. Yup, you could hide it easily our Admin Menus from PublishPress Capabilities Pro: https://publishpress.com/knowledge-base/admin-menus-screen/

    Hope that answer your queries.

    Thanks,

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Permission Groups Not Overriding Role-Based Capabilities for Custom Post Types’ is closed to new replies.