Limit user access

Another approach could be a way to assign user ID who can access the rollback function. I let clients activate and deactivate plugins but not install/delete/update plugins – this is why I’m asking to see if there are any solutions for this.

Hi @dmori,

That’s an interesting suggestion. WP Rollback already enforces that the user must have the capability to update plugins/themes, which seems to be the most natural choice. Why would you want them to see the plugins list and be able to activate/deactivate but not Rollback (for example). Still, I can see the value in that.

We’re pretty committed to NOT adding an options page for this plugin but we could add a filter that would give you the ability to control that via a Core Functionality plugin.

Out of curiousity, why would you want it set to updated_core instead of update_plugins? Is this by chance on a multi-site environment? Help me understand the context a little more. Thanks!

Thanks for responding so quickly. I let clients activate or deactivate plugins so they can choose if they want to use a particular functionality, without me having it active by default. Other plugins I don’t want them to touch are hidden from view.

In order to give them this access I have limited certain functionality to update_core – so they can have all the benefits of using wordpress without making an mistakes. We do all plugin updates etc… so they don’t have to think about it. So what I’ve done is remove certain admin functions but allowed others.

I thought that maybe a snippet can be added to functions.php for this functionality which would still preserve your slick user-experience (I really like that there is no options page)!

It’s not anything we would need to add on our side. You could remove our actions based on however you determine they have access. Maybe a role capability you invented?

Here’s an untested gist you could try:
https://gist.github.com/drrobotnik/293f9aafd03bc7b51506

How can I remove the actions based on role type (i.e owner) rather than capability?

Hey dmori,

You’ll need to read about how WordPress handles User Roles and Capabilities. There is nothing preventing you from creating your own “Owner” role. From the code side you’ll still be referencing the capabilities you create for your client. Once you have the role and cap set up, you just need to look at the gist I shared and change line 6 to fit your needs.

I tried a combination of many things which didn’t hide rollback from the plugins page. I tried for example:

edit_theme_options
delete_plugins
activate_plugins
create_users
edit_pages

etc…

Just to clarify above. If for example I add:

if( ! current_user_can( ‘activate_plugins’ ) ) :

The user gets following message when they click on Rollback: ‘You do not have sufficient permissions to access this page.’

However, I want to completely hide Rollback link from the plugins page for this user. The above code doesn’t enable me to do this also.