Access on specific pages in wordpress for a specific user

Very interesting question. It’s a bit outside the scope of the typical rolls/capabilities functionality as it’s more fine grained (unless I’m wrong — very possible).

The first step would be to put some sort of way in that you can assign which posts a user can edit.

It makes the most sense to stick that the user’s profile page. So you can hook into edit_user_profile, get all the pages on the site, and stick them in a multi select box. The code comments should explain the step by step a bit. edit_user_profile only shows up when editing other users’ profiles. 

<?php
add_action( 'edit_user_profile', 'wpse30211_user_profile' );
function wpse30211_user_profile( $user )
{
    // only show this on editor pages
    if( ! in_array( 'editor', $user->roles ) ) return;

    // get the pages.
    $pages = get_posts(
        array(
            'post_type'     => 'page',
            'numberposts'   => -1,
            'post_status'   => 'any',
        )
    );

    // Bail if we don't have pages.
    if( ! $pages ) return;

    // Which pages can our user edit?
    $allowed = get_user_meta( $user->ID, 'wpse30211_pages', true );
    if( ! is_array( $allowed ) || empty( $allowed ) ) $allowed = array();

    // nonce-i-fy things
    wp_nonce_field( 'wpse30211_nonce', 'wpse30211_nonce' );

    // section heading...
    echo '<h3>' . __( 'Grant this User permission to edit...' ) . '</h3>';
    echo '<select multiple="multiple" name="wpse30211[]">';
    echo '<option value="0">None</option>';
    foreach( $pages as $p )
    {
        // for use in checked() later...
        $selected = in_array( $p->ID, $allowed ) ? 'on' : 'off';
        echo '<option ' . selected( 'on', $selected, false ) . ' value="' . esc_attr( $p->ID ) . '">' . esc_html( $p->post_title ) . '</option>';
    }
    echo '</select>';
}

Next you need to save the extra data you added to peoples profile. To do that, you hook into edit_user_profile_update. Verify the nonce set in the above function, then check if the wpse30211 field is set and save the stuff with update_user_meta.

<?php
add_action( 'edit_user_profile_update', 'wpse30211_user_save' );
function wpse30211_user_save( $user_id )
{
    // verify our nonce
    if( ! isset( $_POST['wpse30211_nonce'] ) || ! wp_verify_nonce( $_POST['wpse30211_nonce'], 'wpse30211_nonce' ) )
        return;

    // make sure our fields are set
    if( ! isset( $_POST['wpse30211'] ) ) 
        return;

    $save = array();
    foreach( $_POST['wpse30211'] as $p )
    {
        $save[] = $p;
    }
    update_user_meta( $user_id, 'wpse30211_pages', $save );
}

Now the fun part: disallowing access to certain pages. To do that, you can hook into load-post.php, which fires when wp-admin/post.php, the post editing screen, is loaded. Grab the the post id being editted, check to make sure it’s a page. Then, grab the current user with wp_get_current_user and get the pages they are allowed to edit with get_user_meta. If the current post ID isn’t in the array of pages they’re allowed to edit, call wp_die and kill the page.

<?php
add_action( 'load-post.php', 'wpse30211_kill_edit' );
function wpse30211_kill_edit()
{
    $post_id = isset( $_REQUEST['post'] ) ? absint( $_REQUEST['post'] ) : 0;
    if( ! $post_id ) return;

    // bail if this isn't a page
    if( 'page' !== get_post_type( $post_id ) ) return;

    $user = wp_get_current_user();
    $allowed = get_user_meta( $user->ID, 'wpse30211_pages', true );
    if( ! is_array( $allowed ) || empty( $allowed ) ) $allowed = array();

    // if the user can't edit this page, stop the loading...
    if( ! in_array( $post_id, $allowed ) )
    {
        wp_die( 
            __( 'User cannot edit this page' ),
            __( "You can't edit this post" ),
            array( 'response' => 403 )
        );
    }
}

Finally, you can hook into pre_update_post and stop that from updating of the user can’t edit the page.

<?php
add_action( 'pre_post_update', 'wpse30211_stop_update' );
function wpse30211_stop_update( $post_id )
{
    // not a page? bail.
    if( 'page' !== get_post_type( $post_id ) ) return;

    $user = wp_get_current_user();
    $allowed = get_user_meta( $user->ID, 'wpse30211_pages', true );
    if( ! is_array( $allowed ) || empty( $allowed ) ) $allowed = array();

    if( ! in_array( $post_id, $allowed ) ) 
    {
        wp_die( 
            __( 'User cannot edit this page' ),
            __( "You can't edit this post" ),
            array( 'response' => 403 )
        );
    }
}

The above works, but I suspect there may be a way to do this a bit easier with WP’s built in role & capabilities. Here’s the whole thing as a plugin.

Related Posts:

  1. wp_update_user not updating
  2. Is WordPress’ is_user_logged_in() secure?
  3. Temporarily disable user role login and replace with message
  4. how to add custom user capabilities using add_user_meta or something else?
  5. Is there a way to set the user Role based on email domain
  6. pre_get_posts Remove posts based on meta value with ‘post__not_in’
  7. What is the difference between “create_users” and “add_users” capabilities?
  8. How to ‘unpublish’ or ‘hide’ posts when user role changes?
  9. Hide Specific User Page
  10. Let new user role to ‘edit_others_posts’ of other user role, not of its own type
  11. How can I have different groups of editors only allowed to edit certain parent+subpages?
  12. How do I remove the Other Roles field (from User Role Editor plugin) in wp-admin/user-new.php
  13. How to redirect specific post type with user role
  14. wordpress editor role remove all but ‘menus’ in appearance menu
  15. Parent User and Child User – relate users
  16. How to create user specific pages (not user role!)?
  17. Assigning certain authors to specific editors
  18. Restrict Access in Admin Panel
  19. Limit a user to have access to only specified pages?
  20. Plugin creation – how to add user rights?
  21. User restricted only show posts assigned to current user
  22. Restrict custom post content to specific user
  23. Hide front-end from every logged out user and redirect them to the default login page
  24. How to restrict an admin page, if the user is not superadmin?
  25. Need to block user role from accessing bbPress all together
  26. How to create a front facing user sign up, log in and profile pages like FoodGawker.Com [closed]
  27. Infinite redirects at front end if logged in user is not an Admin (Toolset Access)
  28. Is there a way to allow users with “Subscriber” user role to access media library in backend and frontend
  29. How to make WP page accessile only to specific user roles
  30. grant multiple roles access to specific admin menu item
  31. Check what capabilitie(s) an action requires
  32. Is it possible to restrict a specific user to edit a specific custom post.
  33. New folder and file permissions are not correct
  34. How to change user role setting in members plugin so that user can only edit his own post?
  35. How to change a user’s role?
  36. Allow member to have access to custom post type only. Permission to only edit their own posts
  37. Reset default roles and capabilities
  38. Is it possible to add new user Roles?
  39. Troubleshooting a “You do not have sufficient permissions to access this page” error
  40. Restrict admin access to certain pages for certain users
  41. Make A WordPress Page Accessible To Admins Only, Redirect Other User Roles
  42. Temporarily give ‘manage_options’ capability
  43. Only allow administrators and editors to access wp-admin
  44. Hide specific admin users’ posts
  45. How to allow registered users to change their user role through frontend?
  46. if role is logged in then do something
  47. how to change user roles for users who doesn’t have any. (about 8000 users)
  48. Shold I manually add ‘cap’ to admin role ?
  49. Getting a user role from the user login name
  50. Why is wp-login redirecting to the home page when I use this function?
  51. Allow contributor to view own scheduled post
  52. Editor and contributor roles not correct after adding function
  53. How are roles stored in the database?
  54. How to delete user roles?
  55. How to display user role
  56. Set default page for user account in admin
  57. Users Role and Access
  58. Restricting access to content
  59. Only allow administrators and editors to access wp-admin
  60. Why does this check to see if user is authorized to edit a post fail for all but super admins?
  61. add_menu_page() for more than one user role
  62. Hide everything on site for visitors except specific page IDs
  63. Plugin to restrict access to pages in wp-admin
  64. How to allow a user to make their post (ad) a draft, and then publish again without needing approval?
  65. Customized role that allows users to “Submit for Review” instead of “Publish”
  66. Adding an additional role to an Administrator
  67. Conditional tag based on the role of author in author.php
  68. Allow editors to post iframes [duplicate]
  69. Restrict Author role to only 3 wp-admin pages
  70. if user has a certain role then display image
  71. My subscriber has the “edit comment” capability but can’t edit comment
  72. Why does get_posts only show results for Admins or logged-out users?
  73. Add custom role across network in multisite
  74. how to remove some permissions from a shop “manager role” in woocommmerce?
  75. reset the users roles – is there a way to do this?
  76. Custom wordpress admin page/url “You do not have sufficient permissions to access this page.”
  77. user_can() not working for comment authors
  78. WordPress add_rewrite_rule redirection match GET variable not passing through to custom template
  79. Redirect admin 403 “Cheatin uh?” admin pages
  80. Migrating Roles from one environment to another
  81. Letting users create a post that is a custom post type from a page
  82. Is WordPress secure enough for a multi-user article directory?
  83. Learndash change user role after completing the course
  84. How to disable activation email to specific user role?
  85. logout users with specific role after close browser tab
  86. Admin user name not showing up in author dropdown
  87. Separate user bases or hide users of another role or connected to another minisite
  88. How to restrict subscriber editing other posts but read specific posts in backend
  89. Publishing post strips custom html element when user is not admin
  90. Best practices to handle multilpe roles and capabilities?
  91. Allow multiple roles to specific user
  92. How do I restrict a second admin certain access?
  93. Give a user role capability to create orders for clients
  94. user has permission to read a custom post but it is not being shown in wordpress plugin
  95. Restrict custom fields based on user roles
  96. Select dropdown with 2 choices from foreach
  97. translate_user_role doesn’t work
  98. How to assign role to a custom registration form?
  99. How to add user roles? [closed]
  100. Check if specific role exists