How to allow “Add New” capability of CPT when links to its UI are placed as a submenu?

The problem is that when the special subscriber tries to Add New a sub-cpt post, it is denied permission. However, when the CPT menu is a top-admin-menu, then everything works out fine. The issue is related to the placement of the CPT’s UI menu in the back-end: if it’s top-level (show_in_menu=TRUE), all is well; if its a submenu (show_in_menu='my-menu-item'), the user can’t create the post type unless it has the edit_posts permission (even if it has all the edit_PostType permissions in the world). I’ve been chasing this stupid thing since the 22nd. Thanks to the pandemic, I haven’t had to do much of anything else. After 12-15 hours each of the 8 days, I finally got this little bugger picked.

This issue had something to do with post-new.php, as all works out fine when the CPT is edited under the post.php script (which is nearly identical). The very first thing that post-new.php does is call on admin.php. On line 153, wp-admin/menu.php is called in to bat which includes wp-admin/includes/menu.php as its last execution. On that includes/menu.php file’s line 341, the user_can_access_admin_page() returns FALSE, triggering the do_action('admin_page_access_denied') hook to be fired and the wp_die(__('Sorry, you are not allowed to access this page.'), 403) command to kill the whole process.

The user_can_access_admin_page() method is defined on line 2042 of the wp-admin/includes/plugin.php file. Line 2064 passed its check in that get_admin_page_parent() was empty. This is followed by line 2078 failing its check in that the variable of $_wp_submenu_nopriv['edit.php']['post-new.php'] is set. The combined effect of these checks the FALSE boolean being returned and WordPress dies.

The closest related script known to me is that of post.php, as the admin.php process is immediately called and runs in an identical manner, including the calling of user_can_access_admin_page(). Debugging demonstrates that the user_can_access_admin_page() is passed in the post.php script because, unlike post-new.php, none of the $_wp_submenu_nopriv[____][$pagenow] flags were set. So, the question is why this index is being set for post-new.php and not set for post.php.

The global $_wp_submenu_nopriv is first set on line 71 of wp-admin/includes/menu.php, in which that variable is initialized as an empty array. If the current_user_can() test is not passed on line 79, the flag is set on line 81. At that point, the global $submenu['edit.php'] is initialized to the point of our concern, and contains the array at *index=*10 (“Add New”, “edit_posts”, “post-new.php”). A review of admin menu positioning) reveals this entry is the Add New link made by the system for standard WP posts. The check that occurs tests whether or not the current user has the permission to edit_posts. As the special Subscriber user cannot edit “posts,” the check fails and the system breaks. When I learned this, the race was on to unset the $submenu['edit.php']['post-new.php'] entry before line 81 of wp-admin/includes/menu.php was executed. If one worked backwards from that line into wp-admin/menu.php, it would be found that the flag at issue is set on line 170 with the execution of $submenu[$ptype_file][10] = array($ptype_obj->labels->add_new, $ptype_obj->cap->create_posts, $post_new_file). So, the hooks fired between these two points in the code will allow us to interject and unset the flag that has caused me so much strife.

The first function called with an available hook after this setting is current_user_can('switch_themes') on line 185. A check in the subsequently called user_has_cap for this squirmy flag will occur more times than one can count, so its not really the best hook to use. Following this, the only direct hooks available are those of _network_admin_menu, _user_admin_menu, or _admin_menu found in /wp-admin/includes/menu.php straight away at the very top of the file (only one of them will fire depending on if the request is for the network administration interface, user administration interface, or neither). Since calling a filter from an unrelated function is a heck of a round-about way of doing things, I chose to make use of these hooks, like so:

add_action('_network_admin_menu', 'pick_out_the_little_bugger');
add_action('_user_admin_menu', 'pick_out_the_little_bugger');
add_action('_admin_menu', 'pick_out_the_little_bugger');
function pick_out_the_little_bugger() {
    // If the current user can not edit posts, unset the post menu
    if(!current_user_can('edit_posts')) {
        global $submenu;
        $problem_child = remove_menu_page('edit.php');  // Kill its parent and get its lineage.
        unset($submenu[$problem_child[2]]);         // "unset" is just too nice for this wormy thing.
    }
}

Jeezers this was a shot in the dark and wayyyy to much work for less than a dozen lines of code! Since I found a bunch of people with this same problem, I opened a ticket to modify the WordPress Core.

Related Posts:

  1. How do I code access to the built-in UI of a CPT when it’s placed as submenu of another CPT that is protected by role?
  2. Custom post types as sub menu pages and role capabilities issue
  3. WordPress: Custom User Role cannot access Custom Post Type | “Sorry, you are not allowed to access this page”
  4. Possible to hide Custom Post Type UI/Menu from specific User Roles?
  5. Custom post type role permissions won’t let me read
  6. Allowing custom role access to custom post type in back end
  7. How to assign specific users the capability to edit specific pages / posts / custom post types
  8. Allow user to Edit Posts but not Add New?
  9. Defining capabilities for custom post type
  10. Confusion with adding meta capabilities to a role after registering a Custom Post Type with corresponding ‘capability_type’ parameter
  11. Can I make user role that can only access a certian content type?
  12. Create user role restricted to specific CPT
  13. How to set individual capabilities on a taxonomy? Or how to re-register an existing taxonomy?
  14. Add Capabilities to Custom Post Type after it has been created [duplicate]
  15. How to not allow custom roles to edit published custom post types?
  16. How to restrict specific post types from being read or added by specific user roles (eg. author)?
  17. Prevent author role from editing all posts in custom post type?
  18. Custom Role can’t trash Custom Post Type
  19. Limit access to page depending on user level
  20. Role Capabilities: Add New Ones?
  21. Custom post type capabilities require “create_posts” to access the edit posts list page
  22. Add custom capabilities to existing custom post type
  23. allow edit of custom post type but not regular posts?
  24. Allow Administrator role access to custom capabilities [duplicate]
  25. Why is my Custom Post Type not showing up after adding capabilities?
  26. Cannot attach media when capabilities added to custom post type
  27. How to restrict CPT post’s fronted view only for specific user roles?
  28. current_user_can() return FALSE but debugging says TRUE
  29. Role capability delete multiple post type posts doesn’t work
  30. map_meta_cap woes
  31. Roles for Custom Post Types
  32. can’t see custom post content filtered under “mine” filter in admin panel
  33. Define new user capability for custom post types?
  34. How to set individual capability of post type in individual category
  35. Restrict Access to Posts based on Custom User and Post Meta Data
  36. Giving permission to anyone (non-users as well) with a password to edit a post, possible?
  37. WooCommerce Customer Role Delete Custom Post Type
  38. Able to edit custom post, but unable to create new custom post when within submenu. What capability is missing?
  39. Disable user from updating certain posts
  40. “Submit for review” for updates on existing posts
  41. Access to CPT but not to ‘post’ post type
  42. Allow add new post access to custom post but not wp post for some role
  43. Allow user to only access custom post type
  44. WordPress custom post type capabilities issue
  45. Conflict between Capabilities and Menu Visibility with Custom Post Types
  46. Role capabilities issue
  47. Select other roles as custom post authors
  48. Roles and Capabilities in Custom Post Types
  49. How to fix the Post Preview Button (CPT & map_meta_cap)
  50. Restrict Custom Post Type per role in Dashboard
  51. Restrict access to custom post type based on its taxonomy terms
  52. Why “Mine” is the default view when adding ‘capability_type’ in register_post_type
  53. Restrict admin pages for specific user role
  54. How to only display all posts to a custom User Role?
  55. Allowing custom role user to edit post assigned to them but don’t let them create new custom type post
  56. Multiple useres editing specified content
  57. WooThemes – Vendors / Bookings – Allow Vendors to manage resources
  58. Capibilities of CPT WordPress
  59. How can I remove “Add new” button on custom post type
  60. Capabilities and mapping required for a role to be able to edit other’s posts of a custom type, BUT only be able to edit their own blog posts
  61. Show custom taxonomy not in submenu
  62. Weird capabilities / roles behavior
  63. Prevent author role from editing others posts
  64. creating different edit screens for different roles
  65. Capability to read user’s own draft post of CPT
  66. Custom role, capabilities, and post type: preview button wrecks things
  67. Custom post type & role issues
  68. Read-Only custom post type
  69. User roles – enable custom posts disable posts
  70. Using Custom Meta Capabilities on Custom Post Type
  71. Ajax filter with custom taxonomies
  72. Custom post type loops with different page templates
  73. How can I programmatically save data into custom fields that contain serialized data?
  74. Row actions not showing? Why?
  75. Displaying custom post type on front page
  76. How to remove default tag and category options form a custom post type admin menu
  77. A good strategy to print custom posts (offer) that are checked inside the metabox of a post?
  78. How do increase the amount of links shown down the left in the admin menu?
  79. How to display selected taxonomies by their parent
  80. Custom Field Order by Last Name and First Name
  81. How to display Custom Taxonomy under Custom Admin Menu?
  82. WordPress custom post type split into pages
  83. Assign External Database Queries to Global Variables and Make Them Accessible
  84. Query custom post types & Taxonomies and list them in a table on a page
  85. Nested Custom Taxonomies | Incorrect posts when querying
  86. Multiple custom post types showing up in edit.php
  87. How do I get the index for a custom post?
  88. Commas not displaying in implode
  89. add custom tags for custom post type in wordpress
  90. Is it a connection or relationship between 2 custom post types?
  91. Custom front-end form for adding post – Category problem
  92. get_post_meta for Custom Post Type ( CPT )
  93. How to display all custom fields associated with a post type – IN THE ADMIN AREA?
  94. Grant access to admin menu?
  95. WordPress Set A Static Page/Template For All Sub-Pages
  96. Add HTML before a specific div?
  97. How to hide home title on pages and posts?
  98. Is there any way of not using my_init_method in the following code (that creates a custom post type)?
  99. Display ONLY ONE $term (Out of 4 terms) from a Custom Taxonomy and CPT
  100. Send email on creation of custom post type and use get_post_meta()