Meta capabilities for custom post types

Published by Justin Tadlock on July 10, 2010 | 99 Responses

While I was fiddling around with a new plugin that uses custom post types for WordPress the other day, I ran into a small issue that I hadn’t noticed before. Meta capabilities for custom post types were not being automatically mapped, so I couldn’t have granular control over permissions.

At first, I was a bit disappointed that this wasn’t taken care of because this would be a major blow to my plugin. However, I soon learned this could be considered a great feature rather than a bug.

Andrew Nacin mentioned that we’d need to “roll our own handling” for capabilities using the map_meta_cap hook. This hook gives you control over the meta capabilities as well as the power to step outside of the WordPress way of doing things. The more I play around with it, the more I’d rather WordPress not automatically map these.

Before reading on, please note that this is only an issue/feature if you’re using custom capabilities for your post types. If not, this might not interest you much.

What are meta capabilities?

Meta capabilities are capabilities a user is granted on a per-post basis. The three we’re dealing with here are:

edit_post
delete_post
read_post

For regular blog posts, WordPress “maps” these to specific capabilities granted to user roles. For example, a user might be given the edit_post capability for post 100 if they are the post author or have the edit_others_posts capability.

When using custom post types, this mapping doesn’t happen automatically if you’re setting up custom capabilities. We have to come up with our own solution.

In this tutorial, I’ll be using the movie post type, so the above three meta capabilities for our purposes will be:

edit_movie
delete_movie
read_movie

Setting up your custom post type

At this point, I’ll assume you’re familiar with creating custom post types. If not, you’ll want to read through my detailed tutorial on them. The code presented below will be an abridged version of what you might use.

We’re going to focus on two arguments, capability_type and capabilities. These control the permissions for what a user with a specific role can do with the post type.

As mentioned earlier, the post type we’re going with is movie. So, let’s set up that post type:

add_action( 'init', 'create_my_post_types' );

function create_my_post_types() {
	register_post_type(
		'movie',
		array(
			'public' => true,
			'capability_type' => 'movie',
			'capabilities' => array(
				'publish_posts' => 'publish_movies',
				'edit_posts' => 'edit_movies',
				'edit_others_posts' => 'edit_others_movies',
				'delete_posts' => 'delete_movies',
				'delete_others_posts' => 'delete_others_movies',
				'read_private_posts' => 'read_private_movies',
				'edit_post' => 'edit_movie',
				'delete_post' => 'delete_movie',
				'read_post' => 'read_movie',
			),
		)
	);
}

I’ve also added in a couple of extra capabilities that were not shown in my previous tutorial on post types: delete_posts and delete_others_posts. We’re going to use these to give people the ability to delete posts (movies).

Assigning capabilities to roles

To assign specific capabilities to roles, you’re going to need a role management plugin. A good one to use is my Members plugin. You could code this if you wanted, but it’s a bit outside the scope of this tutorial.

What you need to do at this point is assign capabilities to the roles that should have them. Just be careful not to give too much power to the wrong roles.

publish_movies: This allows a user to publish a movie.
edit_movies: Allows editing of the user’s own movies but does not grant publishing permission.
edit_others_movies: Allows the user to edit everyone else’s movies but not publish.
delete_movies: Grants the ability to delete movies written by that user but not others’ movies.
delete_others_movies: Capability to edit movies written by other users.
read_private_movies: Allows users to read private movies.
edit_movie: Meta capability assigned by WordPress. Do not give to any role.
delete_movie: Meta capability assigned by WordPress. Do not give to any role.
read_movie: Meta capability assigned by WordPress. Do not give to any role.

Just to say it again: it is important that you don’t assign those last three capabilities to any role. These are our meta capabilities that we’ll be mapping in the next section.

Mapping the meta capabilities

This part is completely customizable. What we’re doing here is filtering the map_meta_cap hook so we can do our own mapping. What this means is that users will be granted meta capabilities on a per-post basis so they can do things like edit their own posts.

I’m going to keep it extremely simple and follow my notes from the previous section. If you wanted, you could do all kinds of crazy things here.

You can simply drop the below in your plugin or theme’s functions.php (whichever you’re using) and be done with it. It’ll follow the rules I set forth above.

add_filter( 'map_meta_cap', 'my_map_meta_cap', 10, 4 );

function my_map_meta_cap( $caps, $cap, $user_id, $args ) {

	/* If editing, deleting, or reading a movie, get the post and post type object. */
	if ( 'edit_movie' == $cap || 'delete_movie' == $cap || 'read_movie' == $cap ) {
		$post = get_post( $args[0] );
		$post_type = get_post_type_object( $post->post_type );

		/* Set an empty array for the caps. */
		$caps = array();
	}

	/* If editing a movie, assign the required capability. */
	if ( 'edit_movie' == $cap ) {
		if ( $user_id == $post->post_author )
			$caps[] = $post_type->cap->edit_posts;
		else
			$caps[] = $post_type->cap->edit_others_posts;
	}

	/* If deleting a movie, assign the required capability. */
	elseif ( 'delete_movie' == $cap ) {
		if ( $user_id == $post->post_author )
			$caps[] = $post_type->cap->delete_posts;
		else
			$caps[] = $post_type->cap->delete_others_posts;
	}

	/* If reading a private movie, assign the required capability. */
	elseif ( 'read_movie' == $cap ) {

		if ( 'private' != $post->post_status )
			$caps[] = 'read';
		elseif ( $user_id == $post->post_author )
			$caps[] = 'read';
		else
			$caps[] = $post_type->cap->read_private_posts;
	}

	/* Return the capabilities required by the user. */
	return $caps;
}

Now taking questions

I realize there’s still quite a few things that I might not have covered in my tutorials on post types so far. Some people have probably figured these out by now, but others of you may be stuck.

Feel free to ask any questions you have about post types, and I’ll see about answering them or writing more tutorials based on your suggestions.

Articles in this series

A WordPress forum plugin using custom post types
Meta capabilities for custom post types
Custom post types in WordPress
Showing custom post types on your home/blog page

99 Responses

Andrew Nacin July 10, 2010 at 8:42 am | Permalink

Nice write-up — beat me to it. We’re probably going to implement opt-in mapping in 3.1.

Just a note, if you do give a role a meta capability, the sky won’t entirely fall on your head, assuming you have the underlying mapping code. When you return $caps, as long as the meta capability isn’t in there (which it should never be, under a typical mapping routine), then it doesn’t matter if the role/user has it, because it won’t be checked.

Of course, it’s correct practice to stick to giving roles and users the primitive capabilities instead.

Reply
1. Justin Tadlock July 11, 2010 at 7:03 pm | Permalink
  
  Opt-in mapping would be good. There are some projects where I need it completely custom and others where I just want the basic mapping.
  
  Reply
Saad Bassi July 10, 2010 at 8:54 am | Permalink

Another awesome article as usual. I just love how much I have learnt from you. Thanks a lot for all these tuts Justin. You Rock

Reply
1. Justin Tadlock July 11, 2010 at 7:04 pm | Permalink
  
  You’re welcome. I’ve got plenty more coming. Now, I just need to find the time to write them.
  
  Reply
paul July 11, 2010 at 10:40 am | Permalink

Is it possible to limit an author to see only his posts in the backend?

Reply
shawn July 11, 2010 at 5:14 pm | Permalink

+1 on paul’s question.

It’s rather confusing when you have hundreds of authors for them to have to sort through all the other users posts (custom) in order to find their own articles to edit.

How is this done?

Reply
Justin Tadlock July 11, 2010 at 6:57 pm | Permalink
First, you guys should know that users have a link called “Mine” that lists just their posts. They don’t have to wade through other people’s posts just to find theirs.

But, a quick and dirty hack to hide these would be to add styles for people that you want to hide these posts from. Something like:
```
add_action( 'admin_head-edit.php', 'my_admin_css' );

function my_admin_css() {
	if ( current_user_can( 'edit_others_posts' ) )
		return;
	?><style type="text/css">td.author-other { display: none !important; }</style><?php
}
```
Of course, edit_others_posts is just an example of a capability for regular blog posts and will need to be changed depending on the scenario.
Reply
Andrew July 11, 2010 at 9:10 pm | Permalink

Like Saad, I also love reading your blog because of all these tutorials you’re posting that’s easy to understand and follow. Looking forward to more of your tutorials. More Power!

Reply
imarvic July 14, 2010 at 5:44 am | Permalink

This information has been genuinely clearly penned, and it also has a great many interesting facts. I loved your professional manner of composing the posting. You have definitely made the idea easy so that i can fully grasp.

Reply
Koty July 15, 2010 at 4:30 pm | Permalink

This information has been interesting.
Thanks

Reply
Steve Marino July 17, 2010 at 7:53 pm | Permalink

Thanks a lot, not just for this but for the rest of your tutorials. Really is a Wordpress For Dummies and this particular dummy if very grateful.

Reply
kosaidpo July 19, 2010 at 9:59 am | Permalink

hi great content ive been readin your articles lately got nethin to say except great …

im just wondering how i can give users the right to edit only a certain custum post type and not standard ones too any thoughs

and tnx for ur great articles once again

Reply
1. Justin Tadlock August 4, 2010 at 3:39 am | Permalink
  
  You’ll need to give them the custom capabilities from your post type with a plugin like Members.
  
  Reply
  1. Purushottam Kushwaha August 22, 2011 at 4:43 am | Permalink
    
    member plugin is helpful but, as soon as i define new custom post type with capabilities array, it doesn’t show up even in dashboard sidebar.
    
    does this mean that my register_post_type was not executed successfully or
    was this post for previous versions of wordpress(version < 3.0) .
    
    Can It still be implemented?
    
    help me out I m in great need of this.
    Thanks in advance
Rick July 25, 2010 at 11:40 am | Permalink

Hi Justin,

Excellent site. I have been reading through and utilizing your articles for quite a few months and would like to say thanks for providing your insight and skill for our benefit.

The issue I am facing is that, logged in as admin (non-multisite), I am not able to edit custom post types created by wp_insert_post(), regardless of the capability_type and capabilities settings. I can, however, create and edit a post of custom type through the admin interface, but only when capability_type is post, and capabilities is not defined. In fact, when capability_type or capabilities are defined, the custom post types are not displayed in the admin interface. The map_meta_cap function appears to be the solution, but I have not had any success using it to solve this issue. I have also read the trac topics with no success.

My goal is similar to, kosaidpo, in that I need to have a custom post type visible and editable to only the post author, and the necessary administrative roles.

Are there specific idiosyncrasies I am missing? I appreciate any insight you or your readers can offer. I know that this issue is most likely due to pilot error. :-]

Thanks again for your contributions!

Reply
1. Justin Tadlock August 4, 2010 at 3:41 am | Permalink
  
  It’s most likely just an oversight somewhere in your code. If you’ve followed my previous tutorial on custom post types and created your own map meta cap function like above, there shouldn’t be any issues.
  
  Reply
2. Fabio September 10, 2010 at 6:42 am | Permalink
  
  Hello
  I have your same problem, do you have resolved anyway?
  I have follow at line tutorials but when I add capabilities to my custom type I am not able to publish and see post of defined custom type.
  How can be fixed?
  Thanks
  
  Reply
Justin Tadlock — Jan Boddez July 27, 2010 at 3:56 pm | Permalink
karim July 28, 2010 at 11:51 am | Permalink

Thanks a lot, not just for this but for the rest of your tutorials. Really is a Wordpress For Dummies and this particular dummy if very grateful.

Reply
Arti August 1, 2010 at 10:01 am | Permalink

Really appreciate the info you provide Justin. Thanks a lot.

Reply
Sammy August 1, 2010 at 4:41 pm | Permalink

Thanks for sharing this. Also, the hack with regards to authors only seeing their posts gets a huge thumbs up.

Reply
Aris August 2, 2010 at 11:54 am | Permalink

This can maybe help…

Map Cap: “Install this plugin to control which roles can publish, edit and delete posts of each custom type.”

http://wordpress.org/extend/plugins/map-cap/

Not tested.

Reply
1. Justin Tadlock August 4, 2010 at 3:42 am | Permalink
  
  Looks like it might be a cool plugin.
  
  Reply
Helen Hou August 9, 2010 at 1:49 pm | Permalink

THANK YOU for this. It finally allowed me to figure out why I couldn’t view single posts of a custom post type unless I was logged in and fix it. However, a note: I am using Role Scoper (1.2.8 Beta 5, which works with CPTs on a multisite install) and actually mapping the capabilities using map_meta_cap broke the permissions I was setting using RS. I can still assign roles just fine with RS. In my case, I am assigning a single person to a single post for the most part, so I haven’t done too much experimenting, but it’s worth noting.

Reply
مصطفى August 18, 2010 at 5:47 am | Permalink

THANK YOU for this. It finally allowed me to figure out why I couldn’t view single posts of a custom post type unless I was logged in and fix it. However, a note: I am using Role Scoper (1.2.8 Beta 5, which works with CPTs on a multisite install) and actually mapping the capabilities using map_meta_cap broke the permissions I was setting using RS. I can still assign roles just fine with RS. In my case, I am assigning a single person to a single post for the most part, so I haven’t done too much experimenting, but it’s worth noting.

Reply
Mindfriction August 25, 2010 at 2:04 am | Permalink

Hi

How would I make the map meta function be more generic and work with multiple custom post types?

Great tutorials by the way – i’ve bookedmarked your site now

Reply
1. Cristiano September 19, 2010 at 10:53 am | Permalink
  
  I have the same quastion!!!
  Thanks Justin for your excelent posts!
  
  Reply
Alison Barrett August 26, 2010 at 6:02 pm | Permalink

Justin, thanks for the awesome tutorial. This really helped me wrap my head around the way capabilities work, which had previously seemed magical and mysterious to me.

I’m working on a school website where parents can log in and edit their own students. The students are custom post types, the parents are users. The problem I’m running into is that students need to be associated with more than one parent, I can’t use author-based capabilities to limit their access to students in general. I’m stuck either blocking edit capabilities for all students or allowing them for all students.

I have parents attached in a post meta field by user ID. I’ve tried this in the IF statements in your code:

in_array($user_id, get_post_meta($post->ID, ‘parent’))

Using that instead of $post->post_author isn’t working. Any advice? I know this is a complicated question, but I’ve been working on this for a while and I’m completely stuck.

Reply
1. Paul Novitski August 31, 2011 at 12:01 am | Permalink
  
  Alison, did you find a solution to this problem of wanting more than one user with permissions to edit one post?
  
  Just musing: creating a unique new role for each student and assigning that student’s parents to that role sounds ridiculous but might work if it didn’t gum up the works~
  
  Reply
nomadone September 6, 2010 at 2:48 am | Permalink

Really great articles on Custom Post Types Justin, we really appreciate it. Does anyone know whether it’s via code possible to force textarea meta fields to use a wysiwyg editor instead of just a plain text editor.

I noticed some meta box plugins have implemented this but so far haven’t found any reference to achieving this manually.

Reply
Richard September 20, 2010 at 2:16 pm | Permalink

Justin,

You say that you’re dealing with the following three meta capabilities: edit_post delete_post read_post
What other meta capabilities are there?
The codex doesn’t give any information on edit_post delete_post read_post
Why are these capabilities so important?

Richard

Reply
ErisDS November 9, 2010 at 10:42 am | Permalink

Just wanted to drop by and say THANK YOU for this post (and the Members plugin).

I am currently having my first dig around the CPTs, translating some hacked up Pods & I needed tight control over who can edit what. Seems I hadn’t quite grasped the difference between the primitive and meta capabilities and I was just starting to dig around for a way to implement what I needed.

This post just explained everything I needed in a nutshell, wicked

Reply
Custom Post Types in WordPress « Machina.LA November 23, 2010 at 5:31 pm | Permalink
Lucas November 28, 2010 at 11:13 pm | Permalink

This was extremely helpful! I was working on this for a week before I stumbled across your site.

I have a question. How can I set the custom post status back to “Pending Review” automatically if a contributor changes content in a published post?

Reply
1. Jonathan Wold December 13, 2010 at 3:21 pm | Permalink
  
  I’m working on the same question – haven’t found the answer yet, but I’m diligently searching.
  
  Reply
  1. bluantinoo September 27, 2011 at 6:51 pm | Permalink
    
    For that i would suggest using “revisionary” plugin.
سـموئل گـرافیک December 10, 2010 at 10:40 am | Permalink

Thanks Jastin. Great Tuts.

Reply
Tony Zeoli December 27, 2010 at 6:28 pm | Permalink

Hey Justin:

Just trying to figure out why “contributors” is not showing up on a post type we’ve created called “articles”.

We need to assign current users to posts in “articles.”

Isn’t “contributors” supposed to appear by default in the post editor once you create the post type?

Reply
Dan F. January 3, 2011 at 3:17 am | Permalink

Hi Justin,

great article, really helpful. I have a small (I hope ) problem, though.

I have a custom post type and a custom role. I want to be able to set the author of a “custom” post to a user with the “custom” role, but the user(s) doesn’t show up in the author dropdown in the editor. No mather what capabilities I give them the dropdown only lists the “Administrators”.

So the question is do you know a way to force the drop down to list all users?

Thanks.

Reply
1. Justin Tadlock January 3, 2011 at 11:04 pm | Permalink
  
  I think there’s a bug with this in the 3.0 branch. You should check WordPress 3.1 to see if this has been fixed.
  
  Reply
2. Rutwick August 9, 2011 at 4:13 am | Permalink
  
  Hi Dan,
  
  I had emailed you to know if you found any solution for the switch user dropdown not listing custom role users. If you haven’t yet, then a workaround that I wrote may be useful to you.
  
  Thanks,
  Rutwick
  
  Reply
Nicolas February 6, 2011 at 2:25 pm | Permalink

hi there Justin,
once again, countless thanks for your great work, and thanks for “sharing your wisdom with us” .

I followed both tutorials (custom posts & this one) to the letter, and I got something quite strange :
I created a custom content named “company”. I also created a custom role named “agent”. This role is allowed to submit companies but not to publish them.

The agent guys log in, create new companies and submit them. So far, so good.

My problem is that even with admin account, I can’t see the companies created by agents : the system behave as if I was like another agent, just granted to see the list entry but not being permitted to modify, or publish it.

Is there anything to add in this case in the map_meta_cap filter?

Your answer will be a relief !! Fighting with taht for 2 days…

Manye thanks again,

Nicolas

Reply
1. Dasha September 14, 2011 at 6:43 am | Permalink
  
  Hello Nicolas,
  
  Have you figured out what was the problem with it? I have similar situation. Would appreciate any tips!
  
  Thanks,
  Dasha
  
  Reply
Rhys L. Bartels-Waller February 25, 2011 at 7:42 pm | Permalink

Great write up, but I think an update to show the correct use of the map_meta_cap param now 3.1 is out would just finish this off.

Rhys

Reply
sebastien February 27, 2011 at 6:09 pm | Permalink

what’s about map_meta_cap in wp3.1
what must i use this ?

Reply
Roles and Capabilities for Custom Post Types | Adventures with Wordpress March 5, 2011 at 3:34 am | Permalink
Jesse Miles Miller April 6, 2011 at 4:25 pm | Permalink

I’ve been using a custom post type called ‘listing’(s) for a few months now and I am now adding the capability for Authors to edit their own listings once the Admin has initially set one up. my Listings share the post Categories and a custom taxonomy called Amenities with: ‘taxonomies’ => array(‘category’, ‘amen’)
I’d like to be able to restrict the Authors to being able to Change their own listing’s Amenities only, but when I change their Role to not allow manage_categories then whatever Categories where there get wiped. Plus the Amenities need to be select only instead of allowing them to create new ones.

I guess my Question is:
do I need to setup similar ‘capabilities’ for my taxonomies as well, in order to accomplish this, or just give Authors more access then I’d prefer and hope they don’t screw anything up?

Reply
Rutwick April 28, 2011 at 5:39 am | Permalink

Hi,
Need some help. I tried to change the capability type to ‘company’ (its my custom post type) and the capabilities to ‘edit_company’, ‘read_company’ etc. But I’m getting the error message ‘Cheatin uh’?’ ! I just want to allow a user see only his company type custom post. The user is registered with ‘Contributor’ role (this was the only one that I found allows the user to see only his posts!) and I’m removing some of his capabilities through my code. I don’t want him to see the ‘Posts’, ‘Comments’ sections in the dashboard, but removing ‘edit_posts’ and ‘moderate_comments’ also disables the ‘Companies’ custom post section. Any workaround for this?

Thanks for the article.
Rutwick

Reply
Rutwick April 28, 2011 at 7:38 am | Permalink

Hi Justin,
I figured it out! I hadn’t duplicated all the capabilities and directly added those 3 meta capabilities, so it wasn’t working! Thanks if you were planning to answer my first comment

(BTW, I commented on your ‘Custom Posts’ post by mistake instead of here cuz I had opened both of them in my browser. Don’t mind!)

Rutwick

Reply

Rutwick April 29, 2011 at 1:21 am | Permalink

Hi Justin,
I’m getting the ‘Cheatin’ uh?’ error message again! Here’s how I’m creating my custom post…

add_action('init', 'createCompanyCustomPost');
function createCompanyCustomPost()
{
	
	$labels = array(
		'name' => _x('Companies', 'post type general name'),
		'singular_name' => _x('Company', 'post type singular name'),
		'_new' => _x(' New Company', 'company item'),
		'_new_item' => __('New Company'),
		'edit_item' => __('Edit Company'),
		'new_item' => __('New Company'),
		'view_item' => __('View Company'),
		'search_items' => __('Search Companies'),
		'not_found' =>  __('No Companies Found'),
		'not_found_in_trash' => __('Nothing found in Trash'),
		'parent_item_colon' => ''
	);
 
	$args = array(
		'labels' => $labels,
		'public' => true,
		'publicly_queryable' => true,
		'show_ui' => true,
		'query_var' => true,
		'rewrite' => true,
		'capability_type' => 'company',
		'capabilities'=>array(
								'publish_posts' => 'publish_companies',
								'edit_posts' => 'edit_companies',
								'edit_others_posts' => 'edit_others_companies',
								'delete_posts' => 'delete_companies',
								'delete_others_posts' => 'delete_others_companies',
								'read_private_posts' => 'read_private_companies',
								'edit_post' => 'edit_companies',
								'delete_post' => 'delete_companies',
								'read_post' => 'read_companies'
								),
		'hierarchical' => false,
		'show_in_nav_menus' => true,
		'show_in_menu'=>true,
		'exclude_from_search'=>false,
		'menu_position' => 55,
		'has_archive'=>true,
		'supports' => array('title','author','thumbnail','excerpt', 'comments', 'custom-fields')
	  ); 
 	register_post_type( 'company' , $args);
}

Is there something wrong with this?
Previously, I had the capability type set to posts, but I want to allow certain roles to manage the companies hence needed some custom roles. Please help!

Thanks,
Rutwick

natty May 12, 2011 at 4:04 am | Permalink

you saved my day man. very helpful tutorial. But thinking how to assign capability for taxonomy…

Reply

Mike Blouin May 29, 2011 at 4:01 pm | Permalink

Just curious, wouldn’t a slight change along these lines be preferable?

function map_meta_caps( $caps, $cap, $user_id, $args ){
            /* List the caps we want to work with /*
            $meta_caps = array('edit_movie', 'delete_movie', 'read_movie');
            if (in_array($cap, $meta_caps)) {
		$post = get_post( $args[0] );
		$post_type = get_post_type_object( $post->post_type );

		/* Set an empty array for the caps. */
		$caps = array();
                
                /* If editing, assign the required capability. */
                if ( strpos(strtolower($cap), 'edit_') !== false ) {
                        if ( $user_id == $post->post_author )
                                $caps[] = $post_type->cap->edit_posts;
                        else
                                $caps[] = $post_type->cap->edit_others_posts;
                }

                /* If deleting, assign the required capability. */
                elseif ( strpos(strtolower($cap), 'delete_') !== false ) {
                        if ( $user_id == $post->post_author )
                                $caps[] = $post_type->cap->delete_posts;
                        else
                                $caps[] = $post_type->cap->delete_others_posts;
                }

                /* If reading, assign the required capability. */
                elseif ( strpos(strtolower($cap), 'read_') !== false ) {
                        if ( 'private' != $post->post_status )
                                $caps[] = 'read';
                        elseif ( $user_id == $post->post_author )
                                $caps[] = 'read';
                        else
                                $caps[] = $post_type->cap->read_private_posts;
                }
            }
            
            //Return the capabilities required by the user
            return $caps;
        }

This is nice because then all of those if/then statements aren’t processed if the filter is called on meta caps aside from your own (‘edit_movie’ etc..). (Okay, maybe the speed advantages are pretty small, but I guess all in all it could make a difference at the end of the day on a busy blog.) Also, this could be easily expanded if you had multiple custom types to work with, and they all followed pretty much the same capability types.

But aside from that, thanks alot! I’m finding your site to be a fantastic resource!
Mike

Travis Smith June 8, 2011 at 8:08 pm | Permalink

Justin,

Is there a way to implement capabilities without a role management plugin? Also, If I implement it as a custom capability type, is there some way I can continue to leave the ‘page’ security class as the default?

Thanks,

Reply
1. Justin Tadlock June 8, 2011 at 9:17 pm | Permalink
  
  Yes, you can add caps to roles without a plugin, but that’s an entire tutorial in and of itself. It’s at least much more than I can explain here in the comments. I believe the users, roles, and capabilities chapter in my plugin dev book is 40+ pages, so it’s a pretty in-depth topic.
  
  I’m not sure what you mean by “page security class”.
  
  Reply
David F. Carr June 9, 2011 at 9:45 am | Permalink

Travis was relaying a question I had. He had asked me to modify my Facebook Tab Manager plugin to have its own capability types. Currently, as part of the custom post type registration I use

‘capability_type’ => ‘page’,

to have the type treated the same as a WordPress page for purposes of user access. This has the advantage of fitting in with the default security scheme of WordPress, where for example author class users can create a post but not a page.

I understand that using a custom capability type would provide more possibilities for customization, but I want to make sure that if I do make a change I preserve a default security level that makes sense for existing users of the plugin.

I do have your book, and I’ll try to reread the chapter on capabilities and see if I can figure out a strategy, but thought I should at least try to clarify what my question was.

Reply
Ayoub June 10, 2011 at 6:25 pm | Permalink

I want to thank you for the plugin Members. You’re saving my life

Reply
Vanessa June 21, 2011 at 3:48 pm | Permalink

Thanks for this post. It’s very helpful!

I was wondering though if it is possible to relate Roles to the visibility of a menu item? For example, if I have a role called “Researchers”, and I wanted to show a page on the menu bar only when a Researcher logs in. Is it possible to do this with either the Member’s plugin or by extending the capabilities? And how would I go about it? Thanks!

Reply
Bill June 22, 2011 at 9:03 am | Permalink

Justin, I’ve got your code working … mostly. I would like to make it so that Editors can delete the posts of a certain custom post type, and this is not working. Everything else is, so I wonder if there is a small problem. Do you have any hints?

Reply
Pete August 23, 2011 at 2:14 am | Permalink

If I set up a custom post type, how do I format the data input in its own template? If I have “movies” as a custom post type and a field “year”, how can I display that in my custom post type template?

And one more question: Is it possible to have a custom post type field with the formatting options as in a regular post/page, e.g. bold text, unordered lists etc.?

Reply
Dasha September 14, 2011 at 9:21 am | Permalink

Hello Justin,

Thank you very much for the tutorial and code.
I’ve re-read this post many many types and followed your code, however when I add the map_meta_cap filter my admin users still can’t even see the Custom Post Type menu… and I can’t understand why :S

Is there something you could think of might be wrong?

Many thanks,
Dasha

Reply
Shaun September 14, 2011 at 11:43 pm | Permalink

Hi Justin, great tutorial as always…
Just wanted to know if there is a way to similarly hide the CPT’s UI all together, rather then disable particular capabilities? Disabling capabilities is great, but Id like for my clients to not be able to see anything, ie. the entire UI. Is this possible?

Thanks in advance!
Best,
SB

Reply
1. Dasha September 18, 2011 at 6:24 am | Permalink
  
  Hello Shaun,
  
  I believe you can do it while registering the actual Custom Post Type, using the one of the following arguments: ‘public’ or ‘show_ui’. Have a look for more explanation at the codex http://codex.wordpress.org/Function_Reference/register_post_type
  
  Dasha
  
  Reply
Brian September 23, 2011 at 3:34 pm | Permalink

Quick question,

I have a custom post type and a custom capability_type defined. I have followed your code and have it working basically the way I want. However, I want to prevent a user from editing a published post (like the standard WordPress ‘post’ post type). I’ve done some reading on edit_published_posts but I’m unable to get that to work. Any clues?

Reply
Meta_caps and Post_Types | | IF IT IS CREATIVEIF IT IS CREATIVE October 3, 2011 at 6:04 pm | Permalink
Dasha October 12, 2011 at 7:34 am | Permalink

Hello Justin,

Thank you for the tutorial.
I’m a bit stuck and don’t understand what’s happening. I’ve registered a Custom Post Type as in your code above (copy and paste). So if I understand correctly after I have registered a CPT with capabilities those capabilities should came up unticked in the Memebers plugin, right? But they don’t :S

What am I doing wrong?
I would really appreciate your help as I’ve been stack with it for a while

Many thanks,
Dasha

Reply
1. Dasha October 12, 2011 at 9:07 am | Permalink
  
  Hm, just came across this http://wordpress.org/support/topic/anyone-managed-to-get-custom-post-types-capabilities-working/page/2?replies=47#post-1593534
  
  Maybe it should be added to this current post? It was a bit of a mission to find that post..
  
  Thanks again for the tutorial,
  Dasha
  
  Reply
arru November 15, 2011 at 11:13 am | Permalink

Thank you Justin for a great article!

It’s simple to understand but a lot to know. Just saved my day.

Reply
Erik Teichmann January 4, 2012 at 12:07 pm | Permalink

my brain exploded
then i read this awesome post
now things work, heck yeah.

(that was my haiku for you. cheers!)

Reply
Dave January 26, 2012 at 11:49 am | Permalink

- disclaimer: noob status -

Do the custom capabilities need to be plural with an “s”?

I was hacking around and could not get things to work (I could have triggered something else) and when I changed “edit_thing” to “edit_things” (with an ‘s’) everything started working.

Is this a correct assumtion? If not, feel free to delete this comment

If so, I suggest you edit the bulleted meta capabilities in your post to be plural. Was getting confused with that and the pluralness in your code samples.

Reply
1. Justin Tadlock January 26, 2012 at 1:29 pm | Permalink
  
  What capability names you use is entirely up to you since it’s a custom post type. In general, meta capabilities should not have an “s” at the end. They’re usually referring to a single object. For example, edit_post refers to editing a single post. This is different from edit_posts, which is the capability to create/edit new posts but not publish them.
  
  Reply
  1. Dave January 26, 2012 at 4:48 pm | Permalink
    
    Ok, this is starting to make a little more sense.
    
    Help me clear this up…
    
    I am using the Custom Post Type UI plugin (or can hard code into functions.php), in combination with Members plugin, and Menu Editor plugin.
    
    I have a custom post type of “Foo” (capability_type set to “foo”) and a custom user role “fooSubscriber”. In the Menu Editor plugin I have set required capability to “edit_foos”.
    
    What meta capabilities do I need to have added and turned on in Members plugin for fooSubcriber to only have access to:
    
    1- Create/Publish Foo posts
    2- Edit only their own Foo posts (not others)
    3- Delete only their own Foo posts (not others)
    
    I’m also trying to wrap my mind around map_meta_cap to figure out whether I need to use it or not.
Lollo January 28, 2012 at 11:09 am | Permalink

Hi justin,

first of all thanks a lot for all the time you give to us!

i wasn’t understand why if I declare the capability in my custom post type I can’t see it in my admin! then after a while, my brain is quite slow, i thought that was because i didn’t give to administrator rule that capabilities.

So the question is… I use Members plugin. Do i have to create (with Add New Capabilities) every capabilities I need? is that the right place to do so? How can i delete a capabilities from Members Plugin?

thanks a lot for your patience!

Reply
1. Justin Tadlock January 28, 2012 at 12:15 pm | Permalink
  
  Please use the support forum for the plugin if you have support questions.
  
  Reply
WPSmith | Registering Custom Post Types March 2, 2012 at 11:30 am | Permalink
Ciprian March 6, 2012 at 5:24 pm | Permalink

Hi Justin,

Can you please point me in the right direction with one issue i’m experiencing?

I added a custom capability type, and now i’m trying to add a custom meta box for it. The box is showing along with my fields but the values are not saved into the database.

This is strange as the same thing works for regular custom post types, but not with this one.

I guess it’s something related to add_action('save_post', 'save_custommeta_post').

Thanks a lot,
Ciprian

Reply
Asaf Chertkoff March 24, 2012 at 7:10 am | Permalink

Hi, justin.
thought that maybe you can help with this issue

if you could try to help me, maybe one of your wishes will come true

thanks,
Asaf.

Reply
1. Justin Tadlock March 24, 2012 at 8:17 am | Permalink
  
  I’d have to see the entire code used to create the custom post type. Since you’re using a plugin, that’s not going to work. I’ve never run into that issue before. It definitely doesn’t sound like a meta capability issue.
  
  Reply
Sam April 13, 2012 at 5:57 am | Permalink

Hello,

I’ve created a custom post type (vacancies) and used ‘capabilities’ to specify the plural and singular capability names, and I have then set map_meta_cap to true and once the roles are added it all works.

The first time I read this article was a while back now, the question I have is do we still need to filter the map_meta_cap? or was this written before it worked in WordPress?

If we don’t any more then what else could we use this code for? cross post type capabilities???

Many Thanks for the article; it really helped me understand what was going on!

Reply
Ryan April 18, 2012 at 4:36 pm | Permalink

Hi Justin.

First off thanks so much for all the useful tips found scattered around the net that have assisted me greatly and led me here a while back.

I have read your blog tuts on meta-capabilities-for-custom-post-types, a-wordpress-forum-plugin-using-custom-post-types, linking-terms-to-a-specific-post and others.

I am in the planning stages of developing a CMS. I will create CPTs of ‘events’, ‘products’, and ‘support’, and taxonomies of ‘topic’, ‘product type’, ‘event format’ and two others.

The real issue I need to get my head around is to be able to deliver those different types of content according to which member is logged in – only on the front-end. In other words, there will be content available to everyone (public), and then content only available to Joe Soap, who wont be able to view the content allocated to Jane Doe, but the content could be any of the above type or in any of those taxs.

None of the ‘members’ need access to admin, while use of custom roles may help. What I’d love to be able to achieve is create a taxonomy “accounts” and do something like ‘if_user_can_[account_term]‘, show content. I don’t know what combination of CPTs (?nested), custom roles & custom tax to employ.

I know there must be a logical way of achieving this but I keep going round in circles… Any advice?

Thanks

Reply
BASTA! April 22, 2012 at 11:34 am | Permalink

To assign specific capabilities to roles, you’re going to need a role management plugin.

Awwwww it was so close! If only your solution didn’t depend on other plugins…

Reply
1. Justin Tadlock April 24, 2012 at 12:11 pm | Permalink
  
  Well, you could code capabilities yourself. You’d just have to create a custom plugin to do it rather than using another developer’s plugin.
  
  Reply
2. Leo Germani June 15, 2012 at 9:12 pm | Permalink
```
$role = get_role('editor');
$role->add_cap('aby_cap_you_like');
```
  You only need to run this code once. So the register_activation_hook is a good place for it
  
  Leo,,
  Reply
Lars June 6, 2012 at 6:13 am | Permalink

Thanks, this works very good. I did pull out some hair when i disabled the capability for admins to edit posts. They didnt need so i thought, why not disable it. But then I couldn’t save my wp_nav_menu’s anymore

Anyhow, with debugging enabled on wordpress 3.3.2 i get the following notice on various places in the admin: Notice: Undefined property: stdClass::$delete_posts in \theme\functions\types\news.php on line 27

Reply
Leo Germani June 15, 2012 at 9:14 pm | Permalink
Hi Justin,

Just want to make sure of something.

Do you really need to pass the “capabilities” option when registering the post type? I believe the capability_type is enough, isnt it? and WordPress will create all capabilities for you using capability_type as the prefix.

According to the docs you can even pass a plural form:
```
'capability_type' => array('movie', 'movies')
```
Leo,,
Reply
1. Justin Tadlock June 16, 2012 at 12:08 am | Permalink
  
  Assuming you just want the standard capabilities like posts and pages, setting capability_type only will be fine. I don’t think I’ve ever done that though. Most custom post types require something a bit more custom.
  
  Reply
Adeel June 20, 2012 at 10:07 am | Permalink

hey Justin Tadlock, i m sorry i subjected the wrong person before….i really liked your tutorial for custom fields, i have a question is this possible we can run query on publish or update the custom post page??? like i have made music and when i m adding music posts on publish all fields go into different custom db table…i m not good in db and php but it make sense to me we might have something to make it possible…..can you please help me in this???

Reply

Marlon June 22, 2012 at 3:53 pm | Permalink

I create a custom post type

$labels_resposta = array(
    'name' => _x('Respuestas', 'post type general name'),
    'singular_name' => _x('Respuesta', 'post type singular name'),
    'add_new' => _x('Añadir nueva', 'Respuesta'),
    'add_new_item' => __('Añadir nueva Respuesta'),
    'edit_item' => __('Editar Respuesta'),
    'new_item' => __('Nueva Respuesta'),
    'all_items' => __('Todas Respuestas'),
    'view_item' => __('Ver Respuesta'),
    'search_items' => __('Buscar Respuesta'),
    'not_found' =>  __('No encontró ningún Respuesta'),
    'not_found_in_trash' => __('Ninguna Respuesta encontrada en la basura'), 
    'parent_item_colon' => '',
    'menu_name' => 'Respuestas'

  );
  $args_resposta = array(
    'labels' => $labels_resposta,
    'public' => true,
	'exclude_from_search' => true,
	'publicly_queryable' => false,
    'show_ui' => true,
	'menu_position' => 5,
    'rewrite' => array('slug' => 'respuesta'),
    'hierarchical' => false,
    'supports' => array( 'title', 'editor', 'author', 'excerpt', 'comments', 'custom-fields' ),
	'capability_type' => 'resposta',
	'capabilities' => array(
		'publish_posts' => 'publish_respostas',
		'edit_posts' => 'edit_respostas',
		'edit_published_posts' => 'edit_published_respostas',
		'delete_published_posts' => 'delete_published_respostas',
		'edit_others_posts' => 'edit_others_respostas',
		'delete_posts' => 'delete_respostas',
		'delete_others_posts' => 'delete_others_respostas',
		'read_private_posts' => 'read_private_respostas',
		'edit_post' => 'edit_resposta',
		'delete_post' => 'delete_resposta',
		'read_post' => 'read_resposta',
	)
  ); 
  register_post_type('resposta',$args_resposta);

but when I declare parameters `capabilities` and `capability_type` the custom post type isn’t created.

What is wrong?

Thanks all!

Wayne Aretz December 4, 2012 at 5:52 pm | Permalink

Thanks for the tutorial. I like others couldn’t see my custom post type in the Admin menu unless I included the Map Meta Cap code you outlined above. However, I am not seeing my Role Capabilities that I defined in the array when I attempt to define a new Role. Any help would be great.

Thank you.

Reply
Grant December 18, 2012 at 9:02 am | Permalink

Justin,
thanks for the tips. The issue I am running in to is…
I have a site with a blog and portfolio. The portfolio is set up as a custom post type ‘portfolio’ . I want to allow users to post to the blog but not the portfolio.
When I give them permission to edit_posts , this also gives them the permission to edit the portfolio because it is a post, although it is a CPT. how can I allow posts but limit CPTs?

Reply
1. Justin Tadlock December 18, 2012 at 4:18 pm | Permalink
  
  That’s what this entire tutorial is about. Is there something you didn’t understand?
  
  Reply
Casey Wise December 22, 2012 at 1:40 pm | Permalink

Justin, you get a gold star today. I just leveled up in WP. CPTs + custom roles/capabilities was my boss battle which you helped with immensely. I only died 3 times!

Thanks again dude, have a fine holiday season!

Reply
Genevieve January 22, 2013 at 11:34 am | Permalink

Hi, Justin–thanks so much for this immensely helpful post! I’ve just run into one little snag that I can’t figure out. I’ve got a custom post type, and a custom user roll set up to access ONLY that post type. I used your instructions in this post give that roll access to the custom post type, and while they are able to create/edit/delete their custom posts as I intended, they can’t assign categories to their post. It seems category assignation is connected to the edit_post permission, and when I assign that to the custom user roll, they can select categories, but then they also have access to other post types, which I don’t want. I used custom taxonomies to create separate category groups for the custom post type. Is there a way to give my custom user roll the ability to assign categories just to their custom post type?

Reply
brent January 24, 2013 at 7:00 pm | Permalink

Any idea why other plugins like “google maps store locator” doesn’t appear as a role in the edit role screen? Is it because members plugin cannot map this plugin. I was hoping to create a specific role for users to be able to edit/post/delete in managing the store locator plugin. Thanks!

Reply
Josh February 21, 2013 at 5:27 pm | Permalink

Hello Justin, Great write up! This is exactly what I was looking for. I have implemented in one of my sites and I had a question. You mention it up above but not in your code segment, but if I wanted users to be able to movie post, would I need to add a condition for ” if ( ‘publish_movie’ == $cap ) “? In the example I have worked up, users can read and edit my cpt, but when they try to create/publish a new cpt WP just creates a draft and not a published post.

Thanks in advance for the insight.

Reply
Seath March 19, 2013 at 3:18 pm | Permalink

Thank YOU Justin!!
Your post just save me time trying figuring this on my own. With small changes I was able to do what I was going for. So again Thank you.

Reply
Juan B April 1, 2013 at 2:18 pm | Permalink

Thanks Justin! This works like a charm. I have a question I’ve been trying to wrap my head around, which I hope you can help with…

Primarily I would want the behavior that if an author edits a post, although it’s published, the changes get set to pending and the post does not automatically get posted? Is there something I’m missing the my_meta_cap function?

Thanks.

Reply
1. Juan B April 3, 2013 at 11:04 am | Permalink
  
  Nevermind, realized I had not mapped capabilities. Once i set those up, everything works like a charm.
  
  Reply
Aryan April 10, 2013 at 7:30 am | Permalink

Hello everyone!
Capabilities Not working with Custom Post type In 3.5.1.

Any Idea why?

Thanks

Reply
カスタム投稿タイプにオリジナルの権限を設定する方法まとめ | モンキーレンチ May 14, 2013 at 11:26 pm | Permalink

Justin Tadlock

Life, Blogging, and WordPress