Access allows you to control what different users can do in the WordPress admin and what they can read in the front-end. You can set access rules for user types and for specific users.
Go to Toolset -> Access Control and you will see a list of everything that Access can manage. It will always include posts, pages, tags, and categories. When your site uses custom post types and taxonomy, they will appear as well.
Access also manages user access to post field groups, CRED forms, WPML and WooCommerce.
Access controls for posts, pages, and custom post types look like this:
To allow Access to manage that content type, click on the Managed by Access check-box at the top of each section and then on the Save button for that post type.
Note that custom post type sections feature two additional options for managing their access control, as displayed in the following image.
The additional options are the following;
- You can set the custom post type to use the same read permission as regular Posts.
- You can use the default WordPress read permissions for the custom post type.
After selecting how the post type is managed, you can select the check-boxes to choose what operations different users can do. The one selected by default are the standard WordPress permissions.
The privileges that you can select are:
- Read – read the content on front-pages
- Edit own – create new content and edit content that each user has created
- Delete own – delete the content that each user has created
- Edit any – edit content created by other users
- Delete any – delete content created by other users
- Publish – public content
- Preview any – preview the content before it’s published
To grant privileges to specific users, click on the user icon and start typing the username in the dialog’s text field. Access will auto-complete and let you select users.
The Access plugin allows you to control which comments user roles are able to moderate. The workflow is a bit different for standard Posts and custom post types.
To control permissions for moderating comments, you need to make sure to select that Posts are managed by Access.
For a user role to be able to edit its own comments it needs to have the Publish and Edit own capabilities for Posts.
For a user role to be able to edit all comments it needs to have the Publish and Edit any capabilities for Posts.
To control permissions for moderating comments, you need to make sure to select that your custom post type and the standard Post and Pages are all managed by Access.
For a user role to be able to edit its own comments it needs to have the Publish and Edit own capabilities for that custom post type and the standard Posts.
For a user role to be able to edit all comments it needs to have the Publish and Edit any capabilities for that custom post type and the standard Posts.
The “Read” privilege is special. When you disallow reading, you can choose what will display instead of the content.
For any post type controlled by Access, you can select a default content to show when read access is denied.
You can also specify what to display when read access is denied for a specific user role. The icon to edit these options appears when you deselect the read permission for a given role.
When selecting what to display when a user has no read access, you can choose from the following options.
- Default error, the one selected for all user roles.
- A 404 page, indicating that this content does not exist.
- The current page, displayed using a specified template layout, or a Content Template (only if you are not using Layouts).
For custom post types, which does not include Posts, Pages, and Media, you can also select what to display on the archive page for user roles without the read permissions.
You can choose from the following options for archive pages:
- Display the “No posts found” message.
- Choose a different PHP template to render the contents. This option is available if Views and Layouts plugins are not active.
- Choose a layout for displaying the error. This option is only available if the Layouts plugin is active. You also need to have at least one Template Layout created.
- Choose a WordPress Archive to display the error. This option is only available if the Views plugin is active and the Layouts plugin is not. You also need to have at least one WordPress Archive created with Views.
In the dialog box for selecting what users without permission see, there is a Preview error for POST_TYPE link. POST_TYPE is the name of the respective post type you are editing.
Clicking it displays a page belonging to the Post type, and automatically “simulates” the selected user role and a post belonging to the related post type.
Please note that the preview only works for administrators. Additionally, the related post type needs to have at least one existing post.
Access control for taxonomy, including tags, categories and all custom taxonomy, looks like this:
Similarly to post types, to enable access management for taxonomy, you must click on the Managed by Access checkbox.
Taxonomy access management includes another option, called “Same as Category”. When selected, the access rules are set according to the settings for WordPress built-in Categories. For example, it will mean that the taxonomy is available when categories are.
Please note that this option is only available if the taxonomy belongs to a single post type, or all post types that have this taxonomy have the same access rules.
The privileges that you can select for taxonomy are:
- Manage terms – access the taxonomy terms list
- Edit terms – edit any term
- Delete terms – delete terms
- Assign terms – assign terms to their respective post types
You can also grant taxonomy access privileges to specific users, by clicking the user icon and entering their names in the search text field.
The Access plugin features a new logic for controlling the WordPress feeds’ visibility on the front-end. The permissions you assign to the specific user role for a specific contents (post types) are also used to control the visibility of those contents in the feeds on the front-end.
For example, if you restrict users with the role guest (i.e. the ones not logged in), not only will they be restricted from viewing certain contents on the front-end but those contents also will not appear for them in the feeds.