thatguygriff
b4acae34a3
WordPress administrators (manage_options) now implicitly hold every studio-admin capability via a user_has_cap filter, so the site owner runs the studio without being assigned the separate us_studio_admin role. The grant persists nothing and is removed on deactivation. The us_studio_admin role still exists for non-administrator staff and does NOT confer any core WordPress admin powers. Also re-gate the studio-wide "Scheduler" dashboard off manage_options onto a new view_all_lessons capability (added to the studio-admin cap set), so a us_studio_admin user can see it too — previously it was administrator-only. - RoleManager: STUDIO_ADMIN_CAPS constant, CAP_VIEW_ALL_LESSONS, grantStudioCapsToAdministrators() user_has_cap filter - AdminMenu + LessonController: Scheduler gated on view_all_lessons - Docs: user-roles.md cap matrix + administrator note; lesson-booking.md - Tests: administrators receive studio caps; non-admins do not Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
4.2 KiB
Feature: User Roles
Overview
Three custom WordPress user roles control access to all scheduling features: a studio admin who runs the business, instructors who teach, and students who book.
Roles
Studio Admin (us_studio_admin)
Runs the studio. Logs in via standard wp-admin. Can:
- Create instructor accounts and set/revoke each instructor's capabilities
- Manage offerings, intake questions, and policies
- Configure Stripe credentials and per-student billing overrides (card / e-transfer / comp)
- View the studio-wide scheduler (all upcoming lessons across instructors)
- View the all-instructor payments report and export it
Capabilities: read, manage_instructors, manage_offerings, manage_questions, manage_policies, manage_billing, view_all_lessons, view_all_payments, export_payments
Any WordPress administrator (
manage_options) implicitly holds every studio-admin capability above, so the site owner runs the studio without being assigned theus_studio_adminrole. This is applied dynamically via theuser_has_capfilter (RoleManager::grantStudioCapsToAdministrators()) — it persists nothing and is removed when the plugin is deactivated. Theus_studio_adminrole exists for non-administrator staff who manage the studio.
Instructor (us_instructor)
Created by the studio admin. Logs in via standard wp-admin. Can:
- Manage their own availability slots (add/delete), including weekly-recurring windows
- Manage their own offerings and intake questions
- View their upcoming confirmed/pending lessons and group enrolments
- View and export their own payments
Capabilities: read, manage_availability, manage_offerings, manage_questions, view_own_lessons, view_own_payments, export_payments
Student (us_student)
Logs in via the front-end [us_student_login] shortcode. Can:
- Browse available lesson slots and offerings from all instructors
- Book a private lesson (single or weekly) and enrol in group classes
Capabilities: read, book_lesson, view_own_lessons
Capability Matrix
| Capability | Studio Admin | Instructor | Student | Used by |
|---|---|---|---|---|
manage_instructors |
✓ | Instructor management | ||
manage_availability |
✓ | Availability | ||
manage_offerings |
✓ | ✓ (own) | Offerings | |
manage_questions |
✓ | ✓ (own) | Registration questions | |
manage_policies |
✓ | Policies | ||
manage_billing |
✓ | Payments (Stripe + overrides) | ||
book_lesson |
✓ | Lesson booking / enrolment | ||
view_all_lessons |
✓ | Scheduler dashboard | ||
view_own_lessons |
✓ | ✓ | Lesson + group views | |
view_own_payments |
✓ | Payment reporting | ||
view_all_payments |
✓ | Payment reporting | ||
export_payments |
✓ | ✓ (own) | Payment reporting export |
Instructor Management
The studio admin gets an Instructors admin page (gated by manage_instructors)
to add an instructor — creating the WP user with the us_instructor role — and to
toggle that instructor's per-capability access (e.g. whether they may manage their
own offerings/questions or export payments). The studio admin cannot grant a
capability it does not itself hold.
Implementation
- Class:
Unsupervised\Schedular\Auth\RoleManager - Instructor management controller:
Unsupervised\Schedular\Auth\InstructorController - Roles are created on
plugins_loaded → initand on plugin activation viaInstaller. - Permissions are checked with
current_user_can()against the capability string, not the role name.
Tests
tests/Unit/Auth/RoleManagerTest.phptests/Unit/Auth/InstructorControllerTest.php