Restrict editing of post type to list stored in user meta

Ideally access controls would be implemented via WordPress’s Roles and Capabilities system. But in highly-granular cases such as limiting access to a single post to a few users, the map_meta_cap filter can be used to shim in additional restrictions.

In this case, when WordPress is testing an edit_post capability for a user/post combination, we can deny access based on your custom meta field:

function wpse406371_restrict_affiliate_page_edit( $caps, $cap, $user_id, $args ) {
  if( $cap !== 'edit_post' )
    return $caps;

  $post_id = $args[0];

  if( get_post_type( $post_id ) !== 'affiliate' )
    return $caps;

  $affiliate = get_field( 'field_627ff399b5ef6', 'user_' . $user_id );

  if( empty( $affiliate ) )
    return $caps;

  $affiliate_page_id = $affiliate[0]->ID;

  if( $post_id == $affiliate_page_id )
    return $caps;

  $affiliate_child_page_ids = get_children([
    'post_type'   => 'affiliate',
    'post_parent' => $affiliate_page_id,
    'fields'      => 'ids',
  ]);

  if( !in_array( $post_id, $affiliate_child_page_ids ) )
    $caps[] = 'do_not_allow';

  return $caps;
}

add_filter( 'map_meta_cap', 'wpse406371_restrict_affiliate_page_edit', 10, 4 );

The above will be executed whenever WordPress tests a user’s capabilities for an action. In the cases that the capability check is not for editing a post, the post is not an affiliate-type, or the user does not have field_627ff399b5ef6 meta-data, the check will return the unmodified capabilities early in order to mitigate additional work.

Checking if the post being edited is the parent affiliate post is performed early in order to skip the post query if possible.

I’ve also added the 'fields' => 'ids' argument to the child page query to save on overhead by only retrieving post IDs instead of querying full rows – but I still feel this could be an overly-expensive operation on a capabilities check. You might consider caching the post IDs in user meta sometime in the future should you determine that the query adds notable overhead.

Finally, if the current post’s ID is not present in the queried ID list, the function adds the do_not_allow capability which will natively deny the user access. This will effect all core methods of editing a post – the Quick Edit form, via REST API, etc.

Related Posts:

  1. WP Admin Bar frontend issue with dashicon deregister
  2. How to know what functions are hooked to an action/filter?
  3. Is there a hook that runs after a user logs in?
  4. Why do some hooks not work inside class context?
  5. Please explain how these hooks work
  6. Hook after image is uploaded and image sizes generated
  7. How to remove action hook done in a plugin from functions.php in my theme?
  8. trigger save_post event programmatically
  9. How to check if which hook triggered the call to a function?
  10. is it possible to get the hook name in add_action?
  11. Run javascript code after wp_login hook?
  12. How to make post and comment count unclickable with dashboard_glance_items hook
  13. Redirect logged in users if they are on a specific page
  14. Check if action hook exists before adding actions to it
  15. Hooks are not executing
  16. after login that will redirect user role into a page
  17. add_action on inherit post status
  18. Detect type of post status transition
  19. Create hooks based on an array of hook names?
  20. Hook before inserting user into database [duplicate]
  21. action lifecycle
  22. Custom function for “Submit for Review” hook
  23. Is there a recover_post hook to go with trash_post hook?
  24. Redirect users on specific post category or category page
  25. How can i trigger an action manually?
  26. How to get post ID in post_updated action hook?
  27. Run add_action hook if condition
  28. Empty Super Cache programmatically (with ACF action) [closed]
  29. What is the best filter where to use register_block_type?
  30. How to use do_action_ref_array?
  31. Admin Hook at the Login Page
  32. Check if do_action(‘custom_action’) is hooked into?
  33. How to find hooks as per Just-In-Time approach?
  34. How To Make Sure That My Action Hook Executes Last
  35. Does update_comment_meta hook exists?
  36. how to determine how many and what kind of arguments are passed to hooks
  37. Hooking into the init action will fire it too frequently?
  38. Event-Driven Pattern vs MVC?
  39. Implement Hooks Using Array
  40. Save acf field data via acf/save_post before post is saved
  41. How do I trigger a post update within a get_posts() foreach loop?
  42. Hook when editing user
  43. schedule event in class oriented plugin
  44. Add action hook into wp_localize_script
  45. Hooks are not being removed in child theme
  46. How to replace a function using a child theme?
  47. Removing parent theme action on pluggable function not working
  48. Which action hook should I use to intercept a form upon submission?
  49. How do I prevent term from being created on create_term hook?
  50. Would there be anything stopping me from removing both wp_head and wp_footer?
  51. WordPress wp_loaded action hook
  52. add_action second argument missing
  53. I would like to send a notification email (Asana) whenever something is published (posts, pages, custom post types) [duplicate]
  54. admin_notices action doesn’t trigger within save_post action
  55. Check if `do_action()` in WordPress returns any result
  56. How to cancel an action hooked to untrash_post? or any hook
  57. add_action hook for publish_post not working
  58. How to perform action when plugin/theme editor is used?
  59. How to run a function after wp() in the wp-blog-header.php file?
  60. Hook for inserting?
  61. Notify admin when Custom post meta data gets updated or deletet
  62. dynamic add_action according to child pages (for homepage control)
  63. Remove action in a parent theme from the child theme
  64. Remove action within a class in a parent theme’s includes folder from the child theme
  65. Action hook with wrapper html
  66. A good hook to check authorization and redirect?
  67. What hook to use to redirect based on $post
  68. Change status of page after an event (Looking for best practice advice)
  69. Post via wp-admin and via iOS app, same hooks and triggers involved?
  70. How to stop execution of a function via add_action hook?
  71. Can we change the hook firing sequence?
  72. changing genesis_before_while in new theme framework
  73. Rewrite the search page to use an appended slug + parameter
  74. Session management issues with WordPRess 404 Error page
  75. Struggling with plugin dev basics: add_action
  76. RTrouble passing arguments to action
  77. How to hook add_action() into after category description with id?
  78. remove_action not working for a function
  79. do_action not working in loop
  80. add_action doesn’t work for my function
  81. profile_update hook does not fire from front-end
  82. Add HTML code before the title of the Tag page
  83. How can I insert custom html code inside a div dynamically?
  84. How to trigger click events using hooks
  85. Hooks with same priority number. Can one stack items returned in divs, position: absolute each with their own z-index?
  86. Can add_image_size be added earlier
  87. Why does get_post() not return anything?
  88. WordPress save_post hook not firing when checking if _GET[‘post’] is set
  89. Using actions, hooks and filters in a non-WordPress page
  90. addaction hook cause redirection problem
  91. When is get_currentuserinfo() needed?
  92. How do I remove an action hook by s2member
  93. Which hook should I use for this scenario regarding the registration process and account/profile update?
  94. can’t access dashboard and showing forbidden page
  95. Redirect back to origin page after using get_delete_post_link()
  96. How do I override the user’s input when updating a custom post type’s permalink?
  97. admin_post hook not working
  98. add_action failed to display function by a plugin
  99. How do I set a custom post type Category after import using wp_set_post_terms
  100. Hooks to trigger a callback when adding, removing, rearranging or updating a widget in the widget area