April 21, 2015 12:00 pm

Create a Simple CRM in WordPress: Restricting / Hiding Unused Admin Menu Items

We’ve been looking at how to create a simple CRM system in WordPress. In the last part of this series, we added code to our plugin which allowed us to search our contacts based on the data stored in Advanced Custom Fields.

Today we’ll cover how to restrict access to WordPress Administration Menu items.

Roles and Capabilities

WordPress uses the concept of Roles, where a Role can be assigned to a WordPress User. This Role defines what the User can and cannot do.

By default, WordPress has six roles:

  • Super Admin
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

The permissions that a Role has are referred to as Capabilities, and WordPress provides lots of different capabilities (for example, install_plugins, update_themes, edit_pages, etc.). If you’re interested in seeing the full list of Capabilities based on Role, see this WordPress Codex Page.

When we registered our Contacts Custom Post Type in Part 1 of this series, we defined the capability_type to be post. This means that the read, edit and delete capabilities for Contacts are the same as used for Posts. Depending on the User’s Role, this gives the User the following access to our Contacts Custom Post Type:

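| Capability             | Super Admin | Administrator | Editor | Author | Contributor | Subscriber |
|------------------------|-------------|---------------|--------|--------|-------------|------------|
| edit_others_posts      | Yes         | Yes           | Yes    |        |             |            |
| delete_others_posts    | Yes         | Yes           | Yes    |        |             |            |
| delete_private_posts   | Yes         | Yes           | Yes    |        |             |            |
| edit_private_posts     | Yes         | Yes           | Yes    |        |             |            |
| read_private_posts     | Yes         | Yes           | Yes    |        |             |            |
| edit_published_posts   | Yes         | Yes           | Yes    | Yes    |             |            |
| publish_posts          | Yes         | Yes           | Yes    | Yes    |             |            |
| delete_published_posts | Yes         | Yes           | Yes    | Yes    |             |            |
| edit_posts             | Yes         | Yes           | Yes    | Yes    | Yes         |            |
| delete_posts           | Yes         | Yes           | Yes    | Yes    | Yes         |            |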
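
To confirm on a live site that the roles really have the access listed in the table, the matrix can be rebuilt from WordPress itself. This is an added example, not code from the original tutorial; it assumes the Contacts Custom Post Type is registered under the key contact, and the crm_ function names and the crm_cap_audit query parameter are hypothetical.

```php
<?php
// Added example (not from the tutorial). Assumption: the Contacts Custom
// Post Type from Part 1 is registered under the key 'contact'.

// Build [ role => [ capability => bool ] ] for the post type's capabilities.
function crm_contact_capability_matrix( $post_type = 'contact' ) {
    $pto = get_post_type_object( $post_type );
    if ( ! $pto ) {
        return array(); // Post type is not registered (yet).
    }

    // The capabilities from the table, as property names on $pto->cap.
    // With capability_type 'post' each one maps to the Posts capability.
    $keys = array(
        'edit_others_posts', 'delete_others_posts', 'delete_private_posts',
        'edit_private_posts', 'read_private_posts', 'edit_published_posts',
        'publish_posts', 'delete_published_posts', 'edit_posts', 'delete_posts',
    );

    $matrix = array();
    // Super Admin is not a stored role, so it does not appear in this loop.
    foreach ( wp_roles()->role_objects as $role_name => $role ) {
        foreach ( $keys as $key ) {
            if ( isset( $pto->cap->$key ) ) {
                $cap = $pto->cap->$key;
                $matrix[ $role_name ][ $cap ] = $role->has_cap( $cap );
            }
        }
    }
    return $matrix;
}

// Per-Contact check: 'edit_post' is a meta capability that WordPress resolves
// to edit_posts, edit_others_posts, etc. depending on who owns the Contact.
function crm_user_can_edit_contact( $user_id, $contact_id ) {
    return user_can( $user_id, 'edit_post', $contact_id );
}

// Dump the matrix for Administrators only, via ?crm_cap_audit=1 in wp-admin.
add_action( 'admin_init', function () {
    if ( isset( $_GET['crm_cap_audit'] ) && current_user_can( 'manage_options' ) ) {
        wp_die( '<pre>' . esc_html( print_r( crm_contact_capability_matrix(), true ) ) . '</pre>' );
    }
} );
```

The capability checks, not the visibility of a menu item, are what decide whether a User can edit or delete a Contact, so a role or plugin change that alters them will show up in this output.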

Editors and Authors

Based on the above capabilities, if we want Users to be able to add, edit and delete all Contacts (including Contacts created by other Users), we’d need to use the Editor role. Let’s go ahead and create a new WordPress User with that role:

  1. Navigate to Users > Add New in the WordPress Administration Menu.
  2. Complete the username, email and password fields.
  3. Set the Role of the User to Editor.
  4. Click Add New User.


Now let’s log out of WordPress and log in as our new Editor. You’ll see that the WordPress Administration Menu has fewer options, and includes our Contacts Custom Post Type:

Menu Comparison Administrator Left vs Editor Right

However, you may only want Users to be able to view other Users' Contacts without having the ability to edit or delete them. We can achieve this by using the Author role, as this role does not have edit_others_posts or delete_others_posts Capabilities (refer to the table above).

Create your WordPress User in the same way as we did for an Editor, this time choosing the Author role instead.

Logging in as an Author will again show fewer WordPress Administration Menu options.

When we view our Contacts, you’ll see all other Contacts created by other WordPress Users—however, we’re not able to edit or delete them:

The Contacts Custom Post Type when viewed as an Author

Go ahead and add a new Contact. Once done, click on All Contacts in the WordPress Administration Menu. Instead of seeing all Contacts created by other WordPress Users, you’ll now see Contacts that you have created, which you’re able to edit and delete:

Viewing the Author's own Contacts in WordPress

We can still view other Users' Contacts by clicking the All option above the WordPress Table:

How to access all Contacts in WordPress

Up Next…

In the next article, we’re going to further restrict WordPress Administration functionality to selected Users, allowing them to only access the Contacts CRM.



TutsPlus - Code
