Term
Syntax
Term:<taxonomy-slug>:<term-ID|term-slug>
Term:<taxonomy-slug>:<term-ID|term-slug>:posts
Definition
Redefine how other users can access any term or posts associated with it (either tagged or assigned to it). The term is a general definition for a category, tag, or any term that belongs to a custom taxonomy.
Each term is identified by three attributes:
- taxonomy. For example, category or page_category.
- numeric ID (e.g. 34, 14, 78).
- slug. For example, uncategorized, science, etc.
When defining the Term resource, you should provide the taxonomy and either the term ID or the slug. For example, if you need to restrict the ability to assign any posts to the "Houses" category (slug houses and ID 4), you can define the following statement if you use the slug:
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Term:category:houses",
            "Action": "Assign"
        }
    ]
}
or, if you choose to use the ID:
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Term:category:4",
            "Action": "Assign"
        }
    ]
}
The Term resource supports several actions that allow defining more granular access to what users can or cannot do with a term. This way, you can ensure that the term of the specific taxonomy is protected, regardless of the post type it belongs to (in WordPress core, when registering a taxonomy, there is a way to specify a list of associated post types).
Browse Action
Manage the ability to browse a term directly. In other words, see the list of posts that belong to the term. This is typically used to organize content on the frontend where a user can navigate to a link like /category/science and see the list of all pages that are tagged with the "Science" category.
The following statements deny access to browse all categories except one with the "free-courses" slug.
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Taxonomy:category:terms",
            "Action": [
                "Browse"
            ]
        },
        {
            "Effect": "allow",
            "Resource": "Term:category:free-courses",
            "Action": [
                "Browse"
            ]
        }
    ]
}
By using the Taxonomy:category:terms resource, we explicitly target all categories and deny the ability to browse them. Then we override access only for the term with the slug free-courses.
List Action
Manage a term's visibility. In other words, hide the term but still allow direct access with a URL. In the example statement below, we hide the "private" order category if the request is a RESTful API request.
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Term:order_category:private",
            "Action": [
                "List"
            ],
            "Condition": {
                "Equals": {
                    "(*bool)${CONST.REST_REQUEST}": true
                }
            }
        }
    ]
}
Edit Action
Manage the ability to edit a term. The sample statement below denies editing the "history" category if a user's email domain is different than example.com.
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Term:category:history",
            "Action": [
                "Edit"
            ],
            "Condition": {
                "NotLike": {
                    "${USER.user_email}": "*@example.com"
                }
            }
        }
    ]
}
Delete Action
Manage the ability to delete a term. The sample statement restricts the ability to delete the image category that has ID 7.
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Term:image_category:7",
            "Action": "Delete"
        }
    ]
}
Assign Action
Manage the ability to assign a term to posts. It is a helpful constraint if you do not want your users to assign posts to any given term. For example, the statements below restrict the ability to assign regular WordPress posts to all categories except "Uncategorized".
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Taxonomy:category:terms",
            "Action": [
                "Assign"
            ]
        },
        {
            "Effect": "allow",
            "Resource": "Term:category:uncategorized",
            "Action": [
                "Assign"
            ]
        }
    ]
}
Target term's posts
The Term resource is a good option to target all posts that are tagged or assigned to a specific term. In this case, you can use all supported Post resource actions.
For example, the following statement denies the ability to see, directly access, and comment on posts that belong to the "courses" category.
{
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "Term:category:courses:posts",
            "Action": [
                "List",
                "Read",
                "Comment"
            ]
        }
    ]
}
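A review-time check for policies that use the Term resource, added here as an example and not part of the plugin or its documentation: it validates the resource syntax and the Term actions described on this page, and lists every term that an allow statement carves out of a taxonomy-wide deny. The function name lint_policy and the sample policy are assumptions made for illustration.

```python
import json
import re

# Actions this page documents for a plain Term resource.
TERM_ACTIONS = {"Browse", "List", "Edit", "Delete", "Assign"}
# Term:<taxonomy-slug>:<term-ID|term-slug>, optionally followed by :posts
TERM_RE = re.compile(r"^Term:([^:]+):([^:]+)(:posts)?$")
# Taxonomy:<taxonomy-slug>:terms, the taxonomy-wide resource used on this page
TAXONOMY_RE = re.compile(r"^Taxonomy:([^:]+):terms$")

# Constructed sample: the page's Browse example plus two deliberate mistakes.
SAMPLE = """{"Statement": [
  {"Effect": "deny",  "Resource": "Taxonomy:category:terms", "Action": ["Browse"]},
  {"Effect": "allow", "Resource": "Term:category:free-courses", "Action": ["Browse"]},
  {"Effect": "deny",  "Resource": "Term:category", "Action": "Assign"},
  {"Effect": "deny",  "Resource": "Term:image_category:7", "Action": "Remove"}
]}"""


def lint_policy(policy_json):
    """Return (problems, exceptions) for one policy document (hypothetical helper)."""
    problems, blanket, allows = [], set(), []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        effect, resource = stmt.get("Effect"), stmt.get("Resource", "")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # the page shows both string and list forms
            actions = [actions]
        if effect not in ("allow", "deny"):
            problems.append(f"statement {i}: unexpected Effect {effect!r}")
        term, tax = TERM_RE.match(resource), TAXONOMY_RE.match(resource)
        if tax:
            if effect == "deny":
                blanket.update((tax.group(1), a) for a in actions)
            continue
        if not term:
            if resource.startswith("Term:"):
                problems.append(f"statement {i}: malformed resource {resource!r}")
            continue
        taxonomy, ident, posts = term.groups()
        if posts:
            continue  # Post resource actions apply; their list is not on this page
        for a in actions:
            if a not in TERM_ACTIONS:
                problems.append(f"statement {i}: {a!r} is not a Term action")
            elif effect == "allow":
                allows.append((taxonomy, ident, a))
    # Allowed terms carved out of a taxonomy-wide deny: review these closely.
    exceptions = sorted(x for x in allows if (x[0], x[2]) in blanket)
    return problems, exceptions
```

Calling lint_policy(SAMPLE) reports the resource missing its term identifier and the unknown action, and returns free-courses as the only Browse exception in the category taxonomy.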