Prevent custom user role to add new pages

Post types in WordPress have a list of capabilities that govern permissions surrounding them. These are:

edit_post
read_post
delete_post
edit_posts
edit_others_posts
publish_posts
read_private_posts
read
delete_posts
delete_private_posts
delete_published_posts
delete_others_posts
edit_private_posts
edit_published_posts
create_posts

Internally each post type matches these to the actual capabilities that can be given in WordPress. Most of the time these have the exact same name. So the edit_posts capability of the post post type is edit_posts, while the edit_posts capability for the page post type is edit_pages.

The one exception to this is create_posts. This is the post type capability that WordPress checks to decide whether a user can create a new post of that type. It checks this:

if ( current_user_can( get_post_type_object( 'page' )->cap->create_posts ) ) {}

Unlike the other capabilities, for posts and pages create_posts is actually mapped to edit_posts and edit_pages respectively, not create_posts or create_pages, which don’t exist.

So if you printed get_post_type_object( 'page' )->cap->create_posts you’d see that the value is edit_pages, and users with that capability can see the Add New button. Because this is edit_pages and not publish_pages, it allows users to create new pages and posts even if they can’t publish them, they’ll just be put into pending review, which is the behaviour you want to prevent.

For custom post types you can control this behaviour by setting create_posts in the capabilities argument to something else:

register_post_type(
    'my_custom_type',
    [
        'capabilities' => [
            'create_posts' => 'manage_options',
        ],
    ]
);

For that custom post types, only users with manage_options will be able to add new posts.

For the built in post types you can use the register_post_type_args filter to set this capability however you’d like for the default post types:

function wpse_342743_create_page_capability( $args, $post_type ) {
    if ( 'page' === $post_type ) {
        $args['capabilities'] = [ 
            'create_posts' => 'manage_options',
        ];
    }

    return $args;
}
add_filter( 'register_post_type_args', 'wpse_342743_create_page_capability', 10, 2 );

With that code only users with manage_options will be able to create new pages, but they will still be able to update them without review if they otherwise have edit_pages and publish_pages. You can change this capability to be delete_pages so that only users who can delete pages can create them, or you could pass your own custom capability that you’ll give to users to give them the ability to create pages.

Related Posts:

  1. Is there way to rename user role name without plugin?
  2. How to create a clone role in wordpress
  3. How to add a Capability to a User Role?
  4. How can I get a list of users by their role?
  5. How do I make a draft post accessible to everyone?
  6. Reset default roles and capabilities
  7. add_role() run only once?
  8. What do unfiltered_html and unfiltered_upload actually filter?
  9. Temporary capability for current_user_can()
  10. Allow roles below admin to add subscribers only
  11. Temporarily give ‘manage_options’ capability
  12. Hide specific admin users’ posts
  13. Allow authors to edit only certain users
  14. How to update role capabilities
  15. Do custom user roles have any default capabilities?
  16. How to programmatically add a user to a role?
  17. how to add custom user capabilities using add_user_meta or something else?
  18. Allow user to Publish, but not Edit or Delete
  19. Email notification for editors only
  20. Shold I manually add ‘cap’ to admin role ?
  21. Allow users to publish child pages of the pages they have access to edit
  22. New Roles and Capabilities in WordPress
  23. Why is wp-login redirecting to the home page when I use this function?
  24. Allow contributor to view own scheduled post
  25. How to prevent users with “edit_others_posts” capability from editing admin posts
  26. Author Role – Allow editing of Gallery images
  27. What is the difference between “create_users” and “add_users” capabilities?
  28. How to get all users with Author role capabilities?
  29. How to check if a role has a specific capability
  30. Locking Down WordPress Application Password Permissions / Capabilities
  31. Allow user to edit specific user with meta key using map_meta_cap
  32. How to remove sticky post capability for a specific user role?
  33. Let new user role to ‘edit_others_posts’ of other user role, not of its own type
  34. How can I have different groups of editors only allowed to edit certain parent+subpages?
  35. The delete_posts capability?
  36. How to restrict access to specific pages on the back-end?
  37. Capabilites not working [closed]
  38. add_menu_page() for more than one user role
  39. Remove wordpress author’s capability to moderate comments on their own posts
  40. Can you set a role as author?
  41. Prevent Editors from Editing/Deleting Admin Accounts
  42. Where are the WordPress capabilities stored?
  43. Adding Capabilities to a WordPress User Account
  44. Adding an additional role to an Administrator
  45. Custom user roles for access to specific parts of the site
  46. Pending status by default for a specific role
  47. How do I restrict user access to plugins?
  48. My subscriber has the “edit comment” capability but can’t edit comment
  49. Show metabox for a special role
  50. User Role Capabilities for WordPress Gutenberg Blocks
  51. Subscriber (with read permissions) cannot view Private posts
  52. How can I add a custom role capability to use in a custom plugin?
  53. bbPress plugin moderator roles
  54. Allowing user to edit posts based on the post status
  55. Custom capabilities to add, edit, remove users of a particular role only?
  56. Stop users of author role from editing already pending posts
  57. add_role user capability not working
  58. Purpose of Adding Capability to Role But Not Grant?
  59. How can I promote a user to a network administrator?
  60. Reset Roles (or undo role changes on theme change)
  61. How to get a users list by who created them?
  62. Authorize users for specific pages and/or categories
  63. Custom Capabilities for CPT and Problem with current_user_can()
  64. Custom wordpress admin page/url “You do not have sufficient permissions to access this page.”
  65. Hiding custom theme functionality using capabilities
  66. user_can() not working for comment authors
  67. Which capabilities are available in Gravity Forms Salesforce plugin? [closed]
  68. How to write conditions based on user capabilities not on user role?
  69. What Capability is required to let a role RUN code in Edit Theme?
  70. Want to know parameters that can be passed to user_can() for access control by user capabilities
  71. Create sub-administrator role that can do everything except use or see the code editor
  72. Let editors view post in admin but not be able to perform a save/edit
  73. Capabilities don’t add
  74. Require Capability to View Woocommerce Product
  75. User role editor – Add download files capability
  76. Why can my subscribers create new posts for review?
  77. Disabled delete_others_posts if post is from admin
  78. How can I check if a visitor can read a post?
  79. How to query users to count all with a custom capability and limit it to a set of roles?
  80. Adding all custom capabilities to admin
  81. User role and capablities only for 1 plugin
  82. How to give plugin access to specific role(s)
  83. current_user_can( ‘edit_user’ ) does not work
  84. How to restrict subscriber editing other posts but read specific posts in backend
  85. Create role that can edit some user details, but not the role
  86. How can I add capability to multiple roles?
  87. Role and Capabilities: How do I allow user role to access theme options without enabling ‘manage_options’?
  88. Custom Gutenberg Block and unfiltered_html capability
  89. Best practices to handle multilpe roles and capabilities?
  90. Enable plugins for a specific user role
  91. Check what capabilitie(s) an action requires
  92. Why does user_can return false for a capability during plugin deactivation?
  93. Force “submit for review” on update?
  94. Users can only save their draft once before saving for revision
  95. Hide user fields based off capability
  96. Author capabilities: Deleting comments on their own published posts
  97. Need to create admin user without capability to create user
  98. How do I make a draft post accessible to everyone?
  99. Grant access to admin menu?
  100. How might I enable a user to view Draft pages from a different Author, without the ability to edit?