=== Limited Admin Role By HEMDOX Digital ===
Contributors: minhaz52
Tags: role, user role, woocommerce, access control, admin
Requires at least: 6.0
Tested up to: 6.9
Requires PHP: 7.4
Stable tag: 2.9.1
License: GPLv2 or later
License URI: https://www.gnu.org/licenses/gpl-2.0.html

Adds a custom "Admin Panel Manager" role with granular capability controls, per-plugin access rules, and a configurable session timeout.

== Description ==

**Limited Admin Role** adds a custom WordPress role called **Admin Panel Manager** that gives a user broad content and product management access — but blocks access to WooCommerce Orders, Customers, Users, and sensitive reports.

**Key Features:**

* 🔐 Granular capability grid — enable or disable every WordPress & WooCommerce capability from the settings UI, organized into 15 categories
* 🚫 Block WooCommerce Orders, Customers, Analytics, and WordPress Users (menu + URL + REST API)
* 🧩 Plugin Access Deny — per-plugin admin page blocking via a dedicated submenu
* 🔑 Plugins view-only — can see installed plugins list but cannot install/activate/deactivate/update/delete
* 🕐 Configurable session timeout (default 12 hours) — forces logout regardless of "Remember Me"
* ✅ Compatible with Rank Math, Yoast SEO, WooCommerce HPOS, and Cloudflare

**Capability Categories:**

* Core Access, Posts, Pages, Media, Appearance & Themes
* Plugins, Users, WordPress Updates
* WooCommerce Products, Orders, Coupons, Reports & Analytics, Settings, Customers
* Comments

== Installation ==

1. Upload the `limited-admin-role` folder to `/wp-content/plugins/` or install via **Plugins → Add New → Upload Plugin**.
2. Activate the plugin through the **Plugins** menu.
3. The **Admin Panel Manager** role is created automatically on activation.
4. Configure settings at **Limited Admin Role** in the WordPress admin sidebar.
5. Assign the role to users via **Users → Add New** or **Users → Edit User → Role**.

== Frequently Asked Questions ==

= How do I assign the role to a user? =

Go to **Users → Add New** and set the Role dropdown to **Admin Panel Manager**. Or edit an existing user and change their role.

= Can I change which capabilities are granted? =

Yes. Go to **Limited Admin Role → Settings → Capabilities tab**. Every capability is listed with a checkbox — check to grant, uncheck to deny. Changes apply immediately on save.

= How does the session timeout work? =

On login, the plugin records a timestamp. On every admin page load, it checks if the elapsed time exceeds the configured limit (default: 12 hours). If so, the session is destroyed and the user is redirected to the login page with a "Session expired" message. The auth cookie is also clamped so "Remember Me" cannot extend beyond the limit.

= Can the user install or activate plugins? =

No. Plugin installation, activation, deactivation, update, and deletion are always blocked. The user can view the installed plugins list (read-only). You can toggle even view access from the Capabilities tab (`activate_plugins` cap).

= How does Plugin Access Deny work? =

Go to **Limited Admin Role → Plugin Access Deny**. Every active plugin and its detected admin pages are listed. Check any pages to block them for the Admin Panel Manager role.

= Is it compatible with WooCommerce HPOS? =

Yes. Both the legacy `post_type=shop_order` URL and the new HPOS `page=wc-orders` URL are blocked.

= Does it work with Rank Math and Yoast SEO? =

Yes. Both plugins show their meta boxes to any user with `edit_posts` capability, which this role has by default.

== Screenshots ==

1. Settings page — General tab (session timeout, SEO plugin, role summary)
2. Settings page — Capabilities tab (categorized checkbox grid)
3. Settings page — Menu & URL Blocks tab (quick-toggle switches)
4. Plugin Access Deny submenu (per-plugin page blocking)
5. Plugins page as seen by the managed role (view-only, no action links)

== Changelog ==

= 2.3.0 =
* Fixed: Rank Math REST API calls (`/wp-json/rankmath/v1/updateSettings`) returning 403 — SEO plugin REST routes are now always whitelisted
* Fixed: `manage_options` is temporarily elevated during any SEO plugin REST request so save/update operations work correctly
* Improved: Capabilities tab now shows SEO plugin sections only when that plugin is actually installed — each setting as its own row, all defaulting to enabled
* Improved: Rank Math redirections, 404 monitor, analytics, site analysis — all individually controllable per row
* Improved: Yoast and AIOSEO caps similarly separated with all defaults on

= 2.2.0 =
* Fixed: Replaced inline `<style>` echo in access control with `wp_add_inline_style()` (WordPress.org requirement)
* Fixed: Replaced inline `<style>` and `<script>` in Plugin Access Deny page with `wp_add_inline_style()` and `wp_add_inline_script()` (WordPress.org requirement)
* Improved: Plugin Access Deny now uses explicit slug patterns for Rank Math, Yoast, AIOSEO, WooCommerce and other major plugins — all their admin pages reliably appear in the deny list
* Added: Author URI field in plugin header
* Updated: Contributors field in readme.txt

= 2.1.0 =
* Fixed: SEO plugins (Rank Math, Rank Math Pro, Yoast SEO, Yoast Premium, AIOSEO, AIOSEO Pro) now fully unrestricted — all caps pass through freely
* Added: SEO Plugins capability category with 15 caps across all supported plugins
* Added: Auto-detection of active SEO plugins shown on General tab
* Fixed: WordPress.Security.EscapeOutput errors (escaped `$found` with `wp_kses`, `$bg` with `esc_attr`)

= 2.0.0 =
* Added full capabilities registry with 15 categorized sections
* Added per-capability checkbox grid in settings UI
* Added Plugin Access Deny submenu for per-plugin admin page blocking
* Added Grant All / Deny All per category, search/filter, Restore Defaults
* Added toggle switches for quick access blocks
* Added unsaved-changes warning in settings
* Rebuilt settings page with tabbed UI
* All v1 features preserved

= 1.1.0 =
* Added plugin view-only mode (can see installed plugins list, all actions blocked)
* Added CSS hiding of plugin action links and bulk-action controls
* Removed Plugins menu from sidebar (now kept visible as read-only)

= 1.0.0 =
* Initial release
* Custom Admin Panel Manager role
* WooCommerce Orders, Customers, Users, Reports blocking
* 12-hour session timeout with configurable settings page
* REST API blocking for orders, customers, users
* Compatible with Rank Math, Yoast SEO, WooCommerce HPOS

== Upgrade Notice ==

= 2.0.0 =
Major update. After upgrading, visit Limited Admin Role → Settings → Capabilities to review and save your capability preferences. Existing block settings (Orders, Customers, Users, Reports) are preserved.

== License ==

This plugin is licensed under the GNU General Public License v2.0 or later.
Full license text: https://www.gnu.org/licenses/gpl-2.0.html
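
The session timeout described under "How does the session timeout work?" (login timestamp, check on every admin page load, auth cookie clamp), sketched with WordPress core hooks. This is an added example, not the plugin's own code; the role slug, user-meta key, `session_expired` query argument and all `lar_example_*` / `LAR_EXAMPLE_*` names are assumptions.

```php
<?php
// Added illustration, not the plugin's implementation. All names below are hypothetical.
define( 'LAR_EXAMPLE_ROLE', 'admin_panel_manager' );   // assumed role slug
define( 'LAR_EXAMPLE_META', '_lar_example_login_at' ); // assumed user-meta key
define( 'LAR_EXAMPLE_LIMIT', 12 * HOUR_IN_SECONDS );   // the readme's default of 12 hours

// True only for a real user object that holds the managed role.
function lar_example_is_managed( $user ) {
    return $user instanceof WP_User
        && in_array( LAR_EXAMPLE_ROLE, (array) $user->roles, true );
}

// 1. On login, record a timestamp for the managed user.
add_action( 'wp_login', function ( $user_login, $user ) {
    if ( lar_example_is_managed( $user ) ) {
        update_user_meta( $user->ID, LAR_EXAMPLE_META, time() );
    }
}, 10, 2 );

// 2. Clamp the auth cookie lifetime so "Remember Me" cannot outlive the limit.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return lar_example_is_managed( get_userdata( $user_id ) )
        ? min( $length, LAR_EXAMPLE_LIMIT )
        : $length;
}, 10, 3 );

// 3. On every admin page load, end the session once the limit has elapsed.
add_action( 'admin_init', function () {
    $user = wp_get_current_user();
    if ( ! lar_example_is_managed( $user ) ) {
        return;
    }
    $login_at = (int) get_user_meta( $user->ID, LAR_EXAMPLE_META, true );

    // Design choice in this sketch: a missing timestamp counts as expired (fail closed).
    if ( 0 === $login_at || ( time() - $login_at ) > LAR_EXAMPLE_LIMIT ) {
        delete_user_meta( $user->ID, LAR_EXAMPLE_META );
        wp_logout(); // destroys the current session token and clears auth cookies
        // Hypothetical flag the login screen could use to show "Session expired".
        wp_safe_redirect( add_query_arg( 'session_expired', '1', wp_login_url() ) );
        exit;
    }
} );
```

The timestamp in this sketch is stored per user, so a second login from another browser resets the clock for both sessions; the check in step 3 is the server-side control, and the cookie clamp in step 2 only keeps the browser from holding a longer-lived cookie.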