reilnuud, indeed it is possible and there are a gazillion ways to do that. I'll outline only one that I've put together in 15 minutes.
So, in your case, you need to combine two content access settings, HIDDEN & EDIT, in such a way that the user can see ONLY pages that can be edited by the user.
Note! You've said that security is not the concern, so I did not implement it in a secure way. Which means, the RESTful API endpoint has no authentication whatsoever.
So the game plan here is the following: we are going to set default access to all pages by hiding them and restricting editing of them ONLY when you hit the custom RESTful API endpoint /wp-json/aam-demo/v1/user/<id>/pages where <id> is the numeric user id. Then we override access to ONLY one of a few pages that are allowed to be edited by the user.
Note! There are many ways to define what pages the user is allowed to manage. In this example, I'm using an access policy to determine what pages the user is allowed to edit.
These are the implementation steps:
- Register the new API endpoint and test that it works. You can quite literally copy & paste the following code, which registers a new WP plugin and does all the magic:
```php
<?php

/**
 * Plugin Name: AAM Cauldron
 * Description: Just a playground for any AAM custom code
 * Version: 0.0.1
 * Author: Vasyl Martyniuk <vasyl@vasyltech.com>
 * Author URI: https://vasyltech.com
 *
 * -------
 * LICENSE: This file is subject to the terms and conditions defined in
 * file 'LICENSE', which is part of AAM Protected Media Files source package.
 **/

/**
 * Main add-on's bootstrap class
 *
 * @package AAM\AddOn\Cauldron
 * @author Vasyl Martyniuk <vasyl@vasyltech.com>
 * @version 0.0.1
 */
class AAMCauldronBootstrap
{

    /**
     * Single instance of itself
     *
     * @var AAMCauldronBootstrap
     *
     * @access private
     * @version 0.0.1
     */
    private static $_instance = null;

    /**
     * Initialize the object
     *
     * @return void
     *
     * @access protected
     * @version 0.0.1
     */
    protected function __construct()
    {
        if (!is_admin()) {
            add_shortcode('aam-demo', function ($args, $content) {
                // A shortcode has to return its markup, so buffer the template
                ob_start();
                require __DIR__ . '/button.phtml';

                return ob_get_clean();
            });

            // Register API endpoint
            add_action('rest_api_init', array($this, 'registerAPI'));
        }
    }

    /**
     * Register API
     *
     * @return void
     *
     * @access public
     */
    public function registerAPI()
    {
        // The route is intentionally open: no authentication is performed
        register_rest_route('aam-demo/v1', '/user/(?P<id>\d+)/pages', array(
            'methods'             => 'GET',
            'callback'            => array($this, 'fetchPages'),
            // Declares the route as public on purpose (see the note above)
            'permission_callback' => '__return_true',
            'args'                => array(
                'id' => array(
                    'description' => __('Username ID.', AAM_KEY),
                    'type'        => 'integer',
                )
            ),
        ));
    }

    /**
     * Fetch the list of allowed pages
     *
     * @param WP_REST_Request $request
     *
     * @return WP_REST_Response
     *
     * @access public
     */
    public function fetchPages(WP_REST_Request $request)
    {
        // Evaluate access as the user whose ID was passed in the URL
        wp_set_current_user((int) $request->get_param('id'));

        // suppress_filters => false lets AAM filter the list of pages
        $pages = get_posts(array(
            'post_type'        => 'page',
            'post_status'      => 'publish',
            'suppress_filters' => false
        ));

        return new WP_REST_Response($pages);
    }

    /**
     * Initialize and get single instance of itself
     *
     * @return AAMCauldronBootstrap
     *
     * @access public
     * @version 0.0.1
     */
    public static function init()
    {
        if (is_null(self::$_instance)) {
            self::$_instance = new self;
        }

        return self::$_instance;
    }

}

if (defined('ABSPATH')) {
    add_action('init', function() {
        AAMCauldronBootstrap::init();
    });
}
```
button.phtml

```html
<input class="button button-primary button-large" id="aam-demo" value="Send Request" type="button" />
<script>
(function() {
    var c = document.getElementById("aam-demo");
    if (c) {
        c.addEventListener("click", function() {
            // Disable the button while the request is in flight
            c.disabled = true;
            var a = new XMLHttpRequest;
            a.addEventListener("readystatechange", function() {
                if (4 === this.readyState) {
                    c.disabled = false;
                    console.log(JSON.parse(this.responseText));
                }
            });
            a.open("GET", "<?php echo get_rest_url(null, 'aam-demo/v1/user/' . get_current_user_id() . '/pages'); ?>");
            a.setRequestHeader("Content-Type", "application/json");
            a.setRequestHeader("Accept", "application/json");
            a.send();
        });
    }
})();
</script>
```
- The plugin above also registers a new shortcode [aam-demo] that renders a simple button on the frontend that sends a RESTful API request to the newly registered API endpoint:

- On the AAM page, navigate to the Access Policy tab and create a new policy:
```json
{
    "Version": "1.0.0",
    "Dependency": {
        "wordpress": ">=5.4.2",
        "advanced-access-manager": ">=6.5.4",
        "${CONST.AAM_PLUS_PACKAGE}": {
            "Name": "Plus Package",
            "Version": ">=5.2.0",
            "URL": "https://aamplugin.com/pricing/plus-package"
        }
    },
    "Statement": [
        {
            "Effect": "deny",
            "Resource": "PostType:page:posts",
            "Action": [
                "List",
                "Edit"
            ],
            "Condition": {
                "Like": {
                    "${PHP_SERVER.REQUEST_URI}": "/wp-json/aam-demo/v1/user/*/pages"
                }
            }
        },
        {
            "Effect": "allow",
            "Resource": ["Post:page:your-page-slug-1", "Post:page:your-page-slug-2"],
            "Action": [
                "List",
                "Edit"
            ],
            "Condition": {
                "Equals": {
                    "(*int)${USER.ID}": 1
                }
            }
        }
    ]
}
```
Then simply attach this policy to everybody:

- The policy has two statements: the first one sets default access to all pages, and the second statement allows access only to two pages for the user with ID 1. You can customize the second statement to match your desired pages.
You can see the result in the browser console when you click on the "Send Request" button:

Feel free to continue the conversation.
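
An authenticated variant of the same route, as an added example that is not part of the original post or of AAM itself: the caller's identity comes from the logged-in session and the `<id>` in the URL must match it, so the page list is always filtered for the real caller. It assumes cookie login and is meant to replace the route registration in the plugin above rather than run alongside it; the shortcode name `aam-demo-secure` is hypothetical.

```php
<?php
/**
 * Plugin Name: AAM Demo Endpoint (authenticated variant)
 * Description: Added example, not the original author's code.
 */

add_action('rest_api_init', function () {
    register_rest_route('aam-demo/v1', '/user/(?P<id>\d+)/pages', array(
        'methods' => 'GET',
        'args'    => array(
            'id' => array('type' => 'integer', 'required' => true),
        ),
        // The <id> in the URL must match the authenticated session.
        // Returning false yields 401 for anonymous callers, 403 otherwise.
        'permission_callback' => function (WP_REST_Request $request) {
            return is_user_logged_in()
                && get_current_user_id() === (int) $request->get_param('id');
        },
        'callback' => function (WP_REST_Request $request) {
            // No wp_set_current_user(): filters run for the real caller.
            $pages = get_posts(array(
                'post_type'        => 'page',
                'post_status'      => 'publish',
                'suppress_filters' => false,
            ));
            return new WP_REST_Response($pages);
        },
    ));
});

// Hypothetical shortcode [aam-demo-secure]. Cookie-authenticated REST calls
// must carry the wp_rest nonce in X-WP-Nonce; without it WordPress treats
// the request as anonymous and the permission callback rejects it.
add_shortcode('aam-demo-secure', function () {
    if (!is_user_logged_in()) {
        return '';
    }
    $url   = get_rest_url(null, 'aam-demo/v1/user/' . get_current_user_id() . '/pages');
    $nonce = wp_create_nonce('wp_rest');
    return '<input class="button" id="aam-demo-secure" value="Send Request" type="button" />'
        . '<script>document.getElementById("aam-demo-secure").addEventListener("click", function () {'
        . 'fetch(' . wp_json_encode($url) . ', {credentials: "same-origin", '
        . 'headers: {"X-WP-Nonce": ' . wp_json_encode($nonce) . '}})'
        . '.then(function (r) { return r.json(); }).then(console.log);'
        . '});</script>';
});
```

Because the route path is unchanged, the `${PHP_SERVER.REQUEST_URI}` condition in the policy above still matches it.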