Disable items from ‘More tools & options’ in blocks for non admin users

  • I would like to hide/disable items from “More tools & options” for non admin users. There are a lot of settings that I don’t want to grant access to non-admin users.

    I found something like PluginSidebarMoreMenuItem in the Block Editor Handbook, but there is no way to disable the default items.

    (Of course, display:none via CSS is not a solution.)

    Is there any filter or something?

    I mean this area:
    Screenshot example

    • This topic was modified 1 month, 2 weeks ago by Kris Kelvin.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator bcworkz

    (@bcworkz)

    What’s wrong with display: none;? Because it should only apply to non-admin? You merely need to conditionally output the rule based on user capability. Hook “admin_print_styles” and if the current user does not have an admin capability like “manage_options”, then output this:

    <style>
    .components-dropdown.components-dropdown-menu.edit-post-more-menu {
        display: none;
    }
    </style>

    This just hides the 3 dot icon. It doesn’t disable anything. A knowledgeable user could still invoke menu items, but for the average user, just hiding the icon will be enough of a deterrent.

    Thank you for your reply.

    My concerns:

    1. There is a concern that other core modules will come that will be of the same class. Unfortunately, you are not setting an ID for key basic elements (I don’t know why, by the way).

    2. Like you said, “A knowledgeable user could still invoke menu items”.

    display:none; is a bit unprofessional in my opinion. It’s something like locking the door of your home, but without using a key – locked at first glance, but anyone can enter anyway.

    • This reply was modified 1 month, 2 weeks ago by Kris Kelvin.
    Moderator bcworkz

    (@bcworkz)

    As most of the functionality is for UI elements, there’s not really much security in client side functionality in any case. For the few server side operations, you’d need to lock down those requests independently anyway.

    I agree. “bit unprofessional” is putting it mildly. You could dig into the source code and attempt to prevent the menu and its icon from being output to start with, but there are rarely any useful filters for such control in the admin area. So the remaining solution is to remove offending elements via JavaScript. As JS runs client side, it’s hardly much better than just hiding with CSS if security is your concern.
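
The conditional output described in the first reply, written out as a small plugin file. This is an added example, not code posted in the thread: the function name and plugin header are hypothetical, and limiting the rule to block editor screens is an assumption added here. It only hides the icon; as the replies note, any server-side operation still has to be restricted by its own capability checks.

```php
<?php
/**
 * Plugin Name: Hide block editor "More" menu for non-admins (example)
 */

// Hypothetical function name; use any prefix unique to your site.
function example_hide_more_menu_for_non_admins() {
    // Users holding an admin-level capability keep the menu.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    // Assumption added here: only emit the rule on block editor screens,
    // so other admin pages are left untouched.
    $screen = function_exists( 'get_current_screen' ) ? get_current_screen() : null;
    if ( ! $screen || ! $screen->is_block_editor() ) {
        return;
    }

    // Selector taken from the reply above. It is cosmetic only: the menu
    // actions remain reachable to anyone who knows how to invoke them.
    ?>
    <style>
    .components-dropdown.components-dropdown-menu.edit-post-more-menu {
        display: none;
    }
    </style>
    <?php
}
add_action( 'admin_print_styles', 'example_hide_more_menu_for_non_admins' );
```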
