How to Limit Access to WordPress Pages by Specific User

I am working on a WordPress plugin that stores login information for websites and online services. I could use LastPass or 1Password for this, but:

  1. I don’t like the idea of shelling out extra money any time a member of my team needs access to a password.
  2. I like to control my own data.
  3. It is more fun to do it in WordPress.

I should note that I do use 1Password on my local machine to help me remember all of my logins. It is great for that.

Goal

My goal was to allow the admins the ability to grant specific users “view” privileges on a page-by-page basis

How I Did It

I considered a number of options when I got started:

I ended up going with Advanced Custom Fields’ “User” field. I would have rather gone with the Members plugin, but I was having problems getting it to respect my custom filters on the_content. Wishlist Member (and similar) are simply too bloated for my taste.

It took me a while to figure out how to grab the user data out of the ACF “User” field. That plugin is awesome, but sometimes documentation is lacking… Thankfully, support for the plugin is out of this world!

See my final code solution below:


function does_user_have_access($content) {
	
	// Grab the current user's info so that we can compare it to the "allowed" users from the ACF "User" field later.
	$current_user = wp_get_current_user();
	
	// Store the ACF "User" info
	$values = get_field('user_info');
	
	if($values) { 
		// Create an array of users that will be able to access the page from the ACF "User" field
		$users_that_can_access_this_post = array();
		foreach($values as $value) {
			$user_IDs_that_can_access_this_post[] = $value['ID'];
		} 
		// Check to see if the current user is in the "User" field's array
		if (in_array($current_user--->ID, $user_IDs_that_can_access_this_post, false) || current_user_can( 'manage_options' )) {
			// Display the post
			display_all_acf_fields();
		} else {
			// Hide the post content if the user is not in the ACF "User" array
			echo 'You do not have access to this post.  Please let Toby know if you do, indeed, need access.' . edit_post_link('Edit', '', ' ');
		}
	} else {
		// Display something if a post has no users set
		echo 'Please set the user restriction on this post.' . edit_post_link('Edit', '', ' ');
		die();	
	}
	
	return $content;
	
}

Pretty nifty, eh?

Got any thoughts or ideas on how I can improve the above code? I would love to hear them! Please post a comment below if you have an idea.

Thanks!

The Mighty Mo! Design Co.

RSS From Toby’s Blog

  • The Horrors of Covering Your Own Ass
    Today I emailed a very simple question to support@[companyname].com (2 sentences total). The automated response I got back was this: Keep in mind that the above was an auto-response and: It’s hard to read. Everything has the same import (e.g. none of it is important enough to call out separately). It’s long. It added absolutely-zero…
  • If something stupid makes money, then it’s not stupid.
    I’ve seen some stupid things in my life…And some of them were really really smart. I remember a story from decades ago where the U.S. military was looking to equip the Stealth Bomber with a fancy computer-driven video system so the pilots could see behind them. Well, the computers failed to get the job done,…
  • There is no destination.
    Coding is a process of failure followed by a moment of great joy. You've gotta ride through the failures to experience the joy...

More posts from themightymo.com

How to deactivate all WordPress plugins via the database

By The Mighty Mo! Design Co. | January 20, 2022

Go to phpMyAdmin. Go to the “wp_options” table. Search for the field named, “active_plugins”. Edit the “active_plugins” field. Delete the value/contents of the “active_plugins” row. Save. That’s it! All your plugins are now deactivated!

Website DNS, Domain Registration, & Hosting Basics

By Toby Cryns | November 30, 2021

Websites have multiple layers: Domain Registration When you register a domain, you pay someone ~$20/year for a .com domain. Registration means you are leasing the domain for a year or more. A domain is the “yoursite.com” or “yoururl.net” or “yourorganization.org” that people type into their browser. We use services like Namecheap, Dreamhost, and GoDaddy for…

Avada ThemeFusion loads 80+ javascript files on every page! DON’T RECOMMEND!

By The Mighty Mo! Design Co. | November 18, 2021

I inherited a WordPress site using Avada ThemeFusion, and it is experiencing really bad performance issues. After doing lots of my standard bag-of-tricks optimizations to little effect, I decided to simply count the javascript files. To my surprise horror, I found it was loading over 80 javascript files on every single page! (For comparison: themightymo.com…

RSS From Toby’s Blog

  • The Horrors of Covering Your Own Ass
    Today I emailed a very simple question to support@[companyname].com (2 sentences total). The automated response I got back was this: Keep in mind that the above was an auto-response and: It’s hard to read. Everything has the same import (e.g. none of it is important enough to call out separately). It’s long. It added absolutely-zero…
  • If something stupid makes money, then it’s not stupid.
    I’ve seen some stupid things in my life…And some of them were really really smart. I remember a story from decades ago where the U.S. military was looking to equip the Stealth Bomber with a fancy computer-driven video system so the pilots could see behind them. Well, the computers failed to get the job done,…
  • There is no destination.
    Coding is a process of failure followed by a moment of great joy. You've gotta ride through the failures to experience the joy...