Restrict Access not working if role can delete users

  • Resolved bckaz

    (@bckaz)


    5 years ago

    In attempting to restrict access to a field in pods, it is not working – for one of our custom roles.

    We have a role called “Site Manager” – which has many capabilities granted, although not full admin caps.

    It seems that the only way I can make it work (restrict access for Site Managers) – is to remove the delete_users cap from them.
    That is a problem – because they need to have that cap.

    Is there another way — that I can restrict access for them — but still allow them to have the delete_users cap?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @bckaz

    Pods uses is_super_admin() for a check in some places (I’ll have to check). For single installations this function merely checks for the delete_users capability. See: https://developer.www.ads-software.com/reference/functions/is_super_admin/

    Have you also tried to set access restrictions based on the user role.

    Cheers, Jory

    Thread Starter bckaz

    (@bckaz)

    Hi Jory –
    We have a single installation.

    Yes, I also tried: Restrict access by Role
    – same result — it does not restrict our Site Manager role

    And, I tried: Restrict access by Capability –same result —
    – I tried different caps that our Site Manager role does not include, (i.e. update_core and update_plugins), but I haven’t yet found one that will work. . I did not try every single one. I’m happy to try more – if that is helpful ?

    The “Hide field from UI” – does hide it from Site Managers, but it also hides it from admins, so that doesn’t work.
    Similarly, the “Make field ‘Read Only’ in UI” – makes it “read only” for admins too.

    I also tried selecting multiple “Restrict Access” options simultaneously, but I did not find any ‘combo’ that would work (not that I’ve tried every possibility, there could be lots of combos available – so if there’s a combo that you would suggest – I’ll give it a go.)

    Perhaps there is a way – to Restrict Access – via user ID ?
    — if so, I would need to enter more than one userID – as we have more than one admin.

    I could add a function to our child theme . . . although I’d likely need some help writing it – my PHP skills are minimal.

    Let me know – if there are more ideas that I can test?

    Plugin Author Jory Hogeveen

    (@keraweb)

    In that case I’m sure it’s the is_super_admin() check that overrules. What WordPress considers a “super admin” should always have full access.
    Related topic here: https://github.com/pods-framework/pods/issues/2311

    You can always overwrite this behavior using the pods_admin_capabilities filter.
    This currently copies WordPress behavior (delete_users). You can change this to any capability you want:

    
add_filter( 'pods_admin_capabilities', function( $caps ) {
    return array( 'your_capability_used_for_admins_only' );
} );

    Cheers, Jory

    Thread Starter bckaz

    (@bckaz)

    Jory – THANK YOU!

    It does appear that this will work!
    I can’t thank you enough – as I wouldn’t have known how to write the add_filter for this.

    Thanks again!
    You’re awesome!

    Chris

    Plugin Author Jory Hogeveen

    (@keraweb)

    You’re welcome! The best way to say thanks is to leave a 5 star review at https://www.ads-software.com/plugins/pods/ and (if you’re feeling especially generous) become a Friend of Pods at https://friends.pods.io/

    Cheers, Jory

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Restrict Access not working if role can delete users’ is closed to new replies.