disable user profile editable fields per role?

  • Resolved IT Hertz

    (@it-hertz)


    1 year, 9 months ago

    I need to disable/remove certain fields on the user profile page when a subadmin goes to edit a given user.

    I’ve disabled the Application Passwords section via wp_is_application_passwords_available_for_user hook, but I can’t find hooks for the other components.

    I would like to similarly remove/disable Account Management. I want users to be able to change their own passwords, but not allow subadmins to change other user passwords.

    I’ve disabled Role assignment and color schemes via plugins, which use WP hooks that I found, but that’s about as far as they go.

    I’m using Ultimate Member for handling most of the user role/status ops. UM and various other role capability plugins allow user editing, but it’s an all or nothing setting. The plugins I’ve tried don’t provide for specificity in which fields are editable.

    For now, all I want subadmins to be able to change are the emails and maybe nicknames of users with certain roles.

    Are there WP hooks for these other fields that I’m overlooking that someone can point me to?
    If not, is there a php way I can unset the desired fields on/after page load, or do I have to use something like a child rename/parent element destruction JS trick?
    I generally avoid hiding elements via CSS wherever possible, but if that’s the only way to get this done…

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator bcworkz

    (@bcworkz)

    1 year, 9 months ago

    You could conditionally enqueue a script that disables certain form fields based on current user capabilities. Of course if someone disables scripting on their browser, they’d gain access to the fields, but it’d deter most people. That or hiding with CSS is as good as it’ll get because it’s very difficult to suppress field output from PHP.

    Fortunately, there are a number of filters you can use server side to enforce the ability to change, so it wouldn’t help someone in the end to get around client side restrictions. For example, you can conditionally restore certain submitted fields to their original values prior to updating via “wp_pre_insert_user_data” and “update_user_metadata”.

    Thread Starter IT Hertz

    (@it-hertz)

    1 year, 8 months ago

    Hi,

    Since I was already using Adminimize to hide some left side menu items, I added custom fields in Adminimize to hide them on the pages in question.
    Unfortunately, it’s a global hide, so a subadmin can’t change their own password when I hide that field for the other user profile pages.

    I saw this CSS trick for role-based CSS. Maybe I can modify it a bit for my needs.

    We need more hooks for these other fields.
    I don’t see an “issues” section in the WP github, so I’ll just leave this here as a feature request for these additional hooks.

    Moderator bcworkz

    (@bcworkz)

    1 year, 8 months ago

    Github issues are only raised for the Gutenberg project. Feature requests and enhancements in core PHP are managed through our Trac system. If you want to post a Trac ticket, please do some searching in existing tickets first to ensure a similar ticket has not already been posted.

    Michael’s suggested code that you linked appears to be for front end pages. While some of his suggested code would not apply to admin pages, the concept in general is sound. You can filter admin body classes with ‘admin_body_class’. Additional CSS is for front end pages only. You can instead enqueue your own admin CSS at the “admin_enqueue_scripts” action.

    When a user is editing their own profile, the constant IS_PROFILE_PAGE is defined as true. You’d only hide the password field for sub-admins if that is not set, i.e. when they are editing another user’s data. Editing another user’s data isn’t considered to be editing a “profile” per se. Only your own user data is considered to be a profile. Somewhat tortured semantics there, but it is what it is.

    Thread Starter IT Hertz

    (@it-hertz)

    1 year, 8 months ago

    Hello,

    Just thought I’d post an update for those who may wish to do something similar.

    I hid the various elements from subadmins using a mixture of Adminimize custom options and this:

    add_filter( 'admin_body_class', 'hide_from_subadmins' );
function hide_from_subadmins( $classes ) {
   if(current_user_can('subadmin') ) {
      $classes = 'user-role-subadmin';
   }
   return $classes;
}

    For elements that don’t have an ID, class or name, or that have attributes in common with other elements that I want to remain visible, I based it on tag position/count. Here’s a CSS example which hides the Website and Send User Notification rows from the Add New User page:

    .user-role-subadmin .form-table tr:nth-child(1n+5) {
   display: none !important;
}

    Adminimize isn’t necessary, of course. I just had a bunch of custom options in it already and haven’t put them in the separate CSS yet.

    If you have multiple form-tables and use the above, it will hide such rows from all tables. It is easily modified to hide per page. There’s plenty of material on the web showing how to do it. There are even plugins for doing it. It just so happens that my subadmin control is minimal/simple enough that I can get away with using such globals.

    As for password editing, I decided to hide that section in its entirety from the subadmin role and just use the Ultimate Member front end Change Password form for everyone, which allows only the current user to change their own password.

    I also used admin_enqueue_scripts to load a custom CSS page for the rest of the admin UI styling.

    • This reply was modified 1 year, 8 months ago by IT Hertz.
Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘disable user profile editable fields per role?’ is closed to new replies.