Support » Plugin: WP User Groups » How to hide user-groups from subscribers?

  • Resolved Manuel

    (@targz-1)


    @johnjamesjacoby, sorry for spamming your support threads, but it’s my way of documenting my progress with this plugin…

    Here’s another possible improvement:

    Users with a subscriber role have little to do in the WordPress backend, but it’s the only place where they can update their email address when needed… so it’s necessary to give them access to the /wp-admin/profile.php page.

    However, even users with the subscriber role will be able to see and change their user-group relationships, which is not necessarily desirable.

    The question is: how can we hide the user-groups from a subscriber?

    https://wordpress.org/plugins/wp-user-groups/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Looking at the source code, I see two possible strategies:

    1) Change the capabilities of either the Subscriber role or the Groups taxonomy, so that the Subscriber doesn’t have the capability of assigning taxonomy terms to himself.

    Here’s a relevant piece of code:
    https://github.com/stuttter/wp-user-groups/blob/5c694600bc5984d279164b33bf386a9501e55bdb/includes/class-user-taxonomy.php#L268

    if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( $tax->cap->assign_terms ) ) {
      return;
    }

    Interestingly, the Roles_and_Capabilities Codex page doesn’t mention edit_user, but only edit_users.

    Update: according to wp-includes/capabilities.php#L39, edit_user is the capability that allows a user to edit itself – which explains why subscribers have access to it.

    2) Remove the action that adds the Groups UI to the profile page. I see some potential actions here:

    https://github.com/stuttter/wp-user-groups/blob/5c694600bc5984d279164b33bf386a9501e55bdb/includes/class-user-taxonomy.php#L132

    add_action( 'show_user_profile', array( $this, 'edit_user_relationships' ), 99 );
    add_action( 'edit_user_profile', array( $this, 'edit_user_relationships' ), 99 );

    A difficulty here is that the $function_to_add argument is not a name, but an array… Here’s how the Codex defines the arguments of add_action:

    add_action( $hook, $function_to_add, $priority, $accepted_args );

    Update: it looks like the capabilities for the user group taxonomies are assigned like this:

    'capabilities' => array(
      'manage_terms' => 'list_users',
      'edit_terms'   => 'list_users',
      'delete_terms' => 'list_users',
      'assign_terms' => 'read',
    ),

    What this means: the ‘manage_terms’, ‘edit_terms’ and ‘delete_terms’ actions require Administrator powers, while ‘assign_terms’ is given the ‘read’ level … which makes it available for Subscribers.

    Update: working solution found:

    function myprefix_limit_group_access() {
        global $wp_taxonomies;
        $wp_taxonomies['user-group']->cap->assign_terms = 'list_users';
    }
    add_action( 'init', 'myprefix_limit_group_access', 11 );

    Not sure if it’s the official way, but it works!

    @targz-1

    I tested your snippet and get this php error:

    [25-Nov-2016 10:15:05 UTC] PHP Warning:  Creating default object from empty value in wp-content/plugins/code-snippets/php/snippet-ops.php(384) : eval()'d code on line 4
    

    Something is wrong in your code on line 4.

    Similar issue here, where the plugin author says it’s an error in the snippet:
    https://wordpress.org/support/topic/php-parse-error-syntax-error-unexpected-4/
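
A guarded variant of the capability change discussed in this thread, as an added example that is not part of the original posts or the plugin's own code. PHP emits the "Creating default object from empty value" warning quoted above when a property chain starts from an unset value, for example when no taxonomy is registered under the given slug at the time the code runs. Assumptions: the taxonomy slug is 'user-group' (taken from the snippet in the thread), 'list_users' is held only by roles that should manage groups, the filter is hooked before the plugin registers its taxonomy, and the `myprefix_*` names are hypothetical.

```php
<?php
/**
 * Added example: raise the capability required to assign user-group terms.
 * Because the plugin check quoted in the thread tests
 * current_user_can( $tax->cap->assign_terms ), changing the capability is
 * enforced by that check rather than only hiding the profile UI.
 *
 * Assumed: taxonomy slug 'user-group' (from the thread); myprefix_* names
 * are hypothetical. Use one of the two approaches below.
 */

// Approach 1: adjust the arguments while the taxonomy is being registered.
// The register_taxonomy_args filter is available since WordPress 4.4.
function myprefix_user_group_caps( $args, $taxonomy ) {
    if ( 'user-group' !== $taxonomy ) {
        return $args; // Leave every other taxonomy untouched.
    }
    $caps = isset( $args['capabilities'] ) ? (array) $args['capabilities'] : array();
    $caps['assign_terms'] = 'list_users';
    $args['capabilities'] = $caps;
    return $args;
}
add_filter( 'register_taxonomy_args', 'myprefix_user_group_caps', 10, 2 );

// Approach 2: change the registered taxonomy object afterwards, but only
// if it exists, so nothing is created from an empty value.
function myprefix_limit_group_access() {
    $tax = get_taxonomy( 'user-group' ); // Returns false when not registered.
    if ( ! $tax || ! isset( $tax->cap ) ) {
        return; // Not registered (yet) or registered under another slug.
    }
    $tax->cap->assign_terms = 'list_users';
}
add_action( 'init', 'myprefix_limit_group_access', 11 );
```

To confirm the result, log in as a subscriber and check that `current_user_can( get_taxonomy( 'user-group' )->cap->assign_terms )` returns false.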
