I don’t know if it’s really a problem, but I think it’s relevant: any user with the capability ‘edit_page’ can access the ACF main page and create field groups.
Even the ACF menu item doesn’t appears for that user roles, if the user put the direct url (wp-admin/edit.php?post_type=acf) it’s possible to access the page and create groups & fields.
The capability_type ‘page’ is intentional? Maybe could be safer change it to a
higher capability.
Cheers!
Viewing 1 post (of 1 total)
The topic ‘ACF is accessible not only for admins’ is closed to new replies.
Welcome
Welcome to the Advanced Custom Fields community forum.
Browse through ideas, snippets of code, questions and answers between fellow ACF users
We use cookies to offer you a better browsing experience, analyze site traffic and personalize content. Read about how we use cookies and how you can control them in our Cookie Policy. If you continue to use this site, you consent to our use of cookies.
