Rootstuff Block Permissions

Description

Rootstuff Block Permissions is a lightweight, agency-focused plugin that lets you decide which Gutenberg blocks and patterns each user role can see, on each post type. Tick what you want hidden, save, and your clients only see the blocks they actually need.

Unlike generic block managers, every rule is scoped by role and post type, so editors can have a different toolkit on Pages than on Posts, contributors can be locked down further, and administrators can be exempt entirely (or included for previewing the client experience).

What it does

  • Hide any registered block from the inserter — core, theme, plugin, ACF blocks, anything.
  • Hide block patterns the same way.
  • Optional per-role overrides (Editor, Author, Contributor, custom roles).
  • Optional per-post-type overrides (Posts, Pages, custom post types).
  • Combine both: e.g. “Editor on Page only” gets a different set than “Editor on Post”.
  • Disable the WordPress.org remote pattern directory.
  • Disable WordPress core patterns entirely.

Why a separate plugin

Most block-management plugins are global — they hide a block for everyone, everywhere. That breaks down the moment you have multiple client roles or different post types with different needs. Rootstuff Block Permissions lets you say “hide the Cover block for Authors on Pages, but keep it for Editors on Posts” without writing any code.

Mental model

The plugin is a denylist. An empty list means nothing is blocked. You tick what you want to hide. New blocks added to the site later are automatically allowed unless you come back and tick them.

A default rule applies to everyone unless you create an override. Overrides are matched most-specific-first:

  1. Exact role and exact post type
  2. That role on any post type
  3. Any role on that post type
  4. The default rule
  5. None of the above — no restrictions

Multi-role users get the least restrictive of their roles’ resolved rules: a block is hidden only if every one of their roles’ rules hides it.
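The resolution order and the multi-role rule above, sketched in JavaScript as an added example (not the plugin's own code). The settings shape and the function names resolveRule, hiddenBlocks and visibleBlocks are assumptions; the page only names the option rootstuff_bp_settings.

```javascript
// Constructed settings; the shape is an assumption (the page only names the
// option rootstuff_bp_settings). null in an override means "any".
const settings = {
  applyToAdmins: false,
  defaultRule: { blocks: ['core/html', 'core/shortcode'] },
  overrides: [
    { role: 'editor', postType: 'page', blocks: ['core/cover'] },
    { role: 'author', postType: null, blocks: ['core/cover', 'core/html', 'core/embed'] },
    { role: null, postType: 'page', blocks: ['core/html', 'core/table'] },
  ],
};

// Walk the tiers most-specific-first, then fall back to the default rule.
// Returns null when nothing matches (tier 5: no restrictions).
function resolveRule(cfg, role, postType) {
  const tiers = [
    (o) => o.role === role && o.postType === postType, // 1. exact role + post type
    (o) => o.role === role && o.postType === null,     // 2. role on any post type
    (o) => o.role === null && o.postType === postType, // 3. any role on post type
  ];
  for (const matches of tiers) {
    const hit = cfg.overrides.find(matches);
    if (hit) return hit;
  }
  return cfg.defaultRule || null;                      // 4. default rule
}

// Denylist for one user on one post type. A multi-role user loses a block
// only if every role's resolved rule hides it (set intersection).
function hiddenBlocks(cfg, user, postType) {
  if (user.roles.includes('administrator') && !cfg.applyToAdmins) return [];
  const rules = user.roles.map((role) => resolveRule(cfg, role, postType));
  // A role with no matching rule is unrestricted, so nothing is hidden.
  // Treating a user with no roles the same way is an assumption.
  if (rules.length === 0 || rules.includes(null)) return [];
  const common = rules
    .map((rule) => new Set(rule.blocks))
    .reduce((acc, set) => new Set([...acc].filter((name) => set.has(name))));
  return [...common].sort();
}

// Blocks registered after the rules were saved are not in any denylist,
// so they pass through automatically.
function visibleBlocks(registered, cfg, user, postType) {
  const hidden = new Set(hiddenBlocks(cfg, user, postType));
  return registered.filter((name) => !hidden.has(name));
}
```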

Administrators

By default, administrators bypass all restrictions. There’s an “Apply to administrators” toggle so you can preview the client experience without switching accounts.

Privacy

The plugin stores its configuration in a single WordPress option (rootstuff_bp_settings). It does not connect to any external service, send analytics, or store data about your users.

Development

Source code is available on GitHub: https://github.com/rootstuff/rootstuff-block-permissions

The build/admin.js file is generated from the src/ directory using @wordpress/scripts. To rebuild from source:

  1. Clone the repository.
  2. Run npm install.
  3. Run npm run build.

Screenshots

  • Main settings screen — default rule with the block list grouped by category.
  • Override editor showing role and post-type selectors plus the active rule status.
  • Pattern tab with the same denylist UI applied to registered patterns.
  • Site-wide toggles for administrators and the WordPress core / remote pattern sources.

Installation

  1. From your WordPress admin, go to Plugins > Add New.
  2. Search for Rootstuff Block Permissions.
  3. Click Install Now, then Activate.
  4. Go to Settings > Rootstuff Block Permissions to configure.

Or upload manually:

  1. Download the ZIP.
  2. Upload the rootstuff-block-permissions folder to /wp-content/plugins/.
  3. Activate Rootstuff Block Permissions through the Plugins menu in WordPress.
  4. Go to Settings > Rootstuff Block Permissions to configure.

Activating without ticking anything has zero effect on the editor — the plugin only enforces a rule once you actually tick at least one block or pattern.

FAQ

Does this work with custom blocks (ACF, theme blocks, plugin blocks)?

Yes. Anything registered through register_block_type() shows up in the settings page automatically. ACF blocks register on acf/init, which runs before our settings page renders, so they’re picked up too.

Does it affect what users see on the front end?

No. This plugin filters the block editor’s inserter for non-admin users, and for administrators as well when “Apply to administrators” is on. Existing content is never modified. Pages built before you add a rule keep working exactly as they did.

Will it slow down my editor?

No. The plugin reads a single option, computes a denylist for the current user, and hands the filtered list to WordPress. There’s no database query per block, no remote calls, and no bundled libraries beyond what WordPress already loads.

How does this differ from other block manager plugins?

Most block managers are global — one allowlist for everyone. Rootstuff Block Permissions scopes every rule by user role and post type, so you can give different toolkits to different roles on different content types. That’s the use case agencies actually face when handing sites off to clients.

Can I lock down administrators too?

Yes. There’s an “Apply to administrators” toggle on the settings page. Useful for previewing the client experience without logging in as a different user.

Does it work with multisite?

The plugin runs per-site. Settings are stored per-site. Network-level configuration is not currently supported.

What happens if I deactivate or delete the plugin?

Deactivating leaves the settings in the database (so reactivating restores your rules). Deleting via the WordPress Plugins screen removes the option entirely.

Does it support block variations or block toolbar controls?

Not in this version. The plugin filters at the block-and-pattern level. Hiding individual block variations and stripping toolbar controls per role are on the roadmap.

Contributors & Developers

“Rootstuff Block Permissions” is open source software.

Changelog

0.1.0

  • Initial release.