WooCommerce User Roles and Permissions | OpsBlu Docs

WooCommerce User Roles and Permissions

How to configure WooCommerce user roles, capabilities, and permissions. Covers Shop Manager, Customer, and custom roles with code examples for secure...

WooCommerce extends WordPress's user role system with eCommerce-specific capabilities. Understanding roles and permissions is critical for secure, efficient store operations and proper team access management.

WooCommerce User Roles

Administrator

Full store control with access to all WordPress and WooCommerce features.

Capabilities:

  • Manage all store settings
  • Install/activate plugins and themes
  • Manage all products, orders, customers
  • Access payment gateway credentials
  • Configure shipping and tax settings
  • Manage user accounts and roles
  • Access server files (via FTP/hosting panel)

Use Cases:

  • Store owner
  • Technical manager
  • Development team (with MFA enforced)

Security Recommendations:

// Check if user is administrator
if (current_user_can('manage_options')) {
    // Administrator-only code
}

Shop Manager

Day-to-day store management without WordPress core access.

Capabilities:

  • Manage products (add, edit, delete)
  • View and manage orders
  • Manage customer accounts
  • View reports and analytics
  • Manage coupons and sales
  • Configure WooCommerce settings
  • Cannot: Install plugins, edit theme files, manage billing

Use Cases:

  • Store manager
  • Operations manager
  • Inventory manager

Code Example:

// Check if user is shop manager
if (current_user_can('manage_woocommerce')) {
    // Shop Manager can access this
}

// Grant shop manager access to specific page
add_action('admin_menu', 'add_shop_manager_page');
function add_shop_manager_page() {
    add_submenu_page(
        'woocommerce',
        'Custom Report',
        'Custom Report',
        'manage_woocommerce', // Capability required
        'custom-report',
        'render_custom_report'
    );
}
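The capability passed to add_submenu_page() only gates the menu entry and the page load; whatever returns the report's data needs its own check. The following is an added example, not code from the page or from WooCommerce, showing the page callback the registration above references plus a REST route and an admin-ajax handler for the same report. The function names, the route namespace, the nonce action and the text domain 'example-td' are assumptions.

```php
// Page callback referenced by the submenu registration: re-check before rendering.
function render_custom_report() {
    if (!current_user_can('manage_woocommerce')) {
        wp_die(esc_html__('You are not allowed to view this report.', 'example-td'), '', array('response' => 403));
    }
    echo '<div class="wrap"><h1>' . esc_html__('Custom Report', 'example-td') . '</h1>';
    // Nonce the page's JavaScript sends with its admin-ajax request (hypothetical action name).
    echo '<input type="hidden" id="custom-report-nonce" value="' . esc_attr(wp_create_nonce('example_custom_report')) . '">';
    echo '<div id="custom-report-output"></div></div>';
}

// Data behind the report, kept to one figure here; wc_orders_count() is a WooCommerce function.
function example_custom_report_data() {
    return array('orders_processing' => (int) wc_orders_count('processing'));
}

// REST route: permission_callback is the access control. Omitting it, or passing
// '__return_true', publishes the data to anonymous visitors.
add_action('rest_api_init', 'example_register_custom_report_route');
function example_register_custom_report_route() {
    register_rest_route('example-store/v1', '/custom-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response(example_custom_report_data());
        },
        'permission_callback' => function () {
            return current_user_can('manage_woocommerce');
        },
    ));
}

// admin-ajax equivalent: the wp_ajax_ prefix only proves the caller is logged in,
// so verify the nonce and the capability before returning anything.
add_action('wp_ajax_example_custom_report', 'example_custom_report_ajax');
function example_custom_report_ajax() {
    check_ajax_referer('example_custom_report', 'nonce');
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }
    wp_send_json_success(example_custom_report_data());
}
```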

Customer

Purchase and account management capabilities.

Capabilities:

  • Place orders
  • View order history
  • Manage account details (address, password)
  • Download purchased digital products
  • View subscription status (if using subscriptions)
  • Cannot: Access admin dashboard, view other customers' data

Use Cases:

  • Any registered shopper
  • Wholesale customers
  • Subscription members

Code Example:

// Check if user is customer
// Note: this treats every logged-in user without editing rights as a customer
// (subscribers included). To test for the WooCommerce role itself, check
// in_array('customer', wp_get_current_user()->roles, true) instead.
if (is_user_logged_in() && !current_user_can('edit_posts')) {
    // Customer-specific functionality
}

// Get customer object (WC_Customer wraps the WordPress user with store data)
$customer = new WC_Customer(get_current_user_id());
$total_spent = $customer->get_total_spent();
$order_count = $customer->get_order_count();

Subscriber (Standard WordPress Role)

No WooCommerce capabilities by default.

Capabilities:

  • Read content
  • Comment on posts
  • Manage own profile

Use Cases:

  • Blog readers
  • Newsletter subscribers
  • Pre-customers (before first purchase)

Custom Roles

Many stores need custom roles for specific use cases:

Product Editor

Can edit products but not manage orders:

// Create Product Editor role
add_action('init', 'create_product_editor_role');
function create_product_editor_role() {
    add_role('product_editor', 'Product Editor', array(
        'read' => true,
        'edit_products' => true,
        'edit_published_products' => true,
        'publish_products' => true,
        'delete_products' => true,
        'upload_files' => true,
        'read_private_products' => true
    ));
}

Order Fulfillment Specialist

Can manage orders but not products or settings:

// Create Order Fulfillment role
add_action('init', 'create_order_fulfillment_role');
function create_order_fulfillment_role() {
    add_role('order_fulfillment', 'Order Fulfillment', array(
        'read' => true,
        'edit_shop_orders' => true,
        'read_shop_orders' => true,
        'edit_others_shop_orders' => true,
        'publish_shop_orders' => true,
        'read_private_shop_orders' => true
    ));
}

Marketing Manager

Can view reports and manage coupons:

add_action('init', 'create_marketing_manager_role');
function create_marketing_manager_role() {
    add_role('marketing_manager', 'Marketing Manager', array(
        'read' => true,
        'view_woocommerce_reports' => true,
        'manage_woocommerce' => false,
        'edit_shop_coupons' => true,
        'read_shop_coupons' => true,
        'delete_shop_coupons' => true,
        'publish_shop_coupons' => true,
        'edit_published_shop_coupons' => true
    ));
}

WooCommerce Capabilities Reference

Product Capabilities

Capability                   Description
edit_product                 Edit own products
read_product                 View products
delete_product               Delete own products
edit_products                Edit all products
edit_others_products         Edit products created by others
publish_products             Publish products
read_private_products        View private products
delete_products              Delete all products
delete_private_products      Delete private products
delete_published_products    Delete published products
delete_others_products       Delete others' products
edit_private_products        Edit private products
edit_published_products      Edit published products
manage_product_terms         Manage product categories/tags
edit_product_terms           Edit product categories/tags
delete_product_terms         Delete product categories/tags
assign_product_terms         Assign categories/tags to products

Order Capabilities

Capability                   Description
edit_shop_order              Edit own orders
read_shop_order              View orders
delete_shop_order            Delete own orders
edit_shop_orders             Edit all orders
edit_others_shop_orders      Edit orders from any customer
publish_shop_orders          Publish orders
read_private_shop_orders     View private orders
delete_shop_orders           Delete all orders

Coupon Capabilities

Capability                   Description
edit_shop_coupon             Edit own coupons
read_shop_coupon             View coupons
delete_shop_coupon           Delete own coupons
edit_shop_coupons            Edit all coupons
edit_others_shop_coupons     Edit others' coupons
publish_shop_coupons         Publish coupons
delete_shop_coupons          Delete all coupons

General WooCommerce Capabilities

Capability                   Description
manage_woocommerce           Access WooCommerce settings (Shop Manager)
view_woocommerce_reports     View analytics and reports
manage_product_terms         Manage product categories

Managing Roles and Capabilities

Using Plugins

Recommended Plugins:

  • Members - Simple role/capability editor
  • User Role Editor - Advanced role management
  • WooCommerce Advanced Permissions - WooCommerce-specific

Programmatically Adding Capabilities

// Add capability to existing role
// add_cap()/remove_cap() persist the change in the wp_user_roles option, so run
// them once (e.g. on plugin activation), not on every request
$role = get_role('shop_manager');
if ($role) {
    $role->add_cap('manage_custom_feature');

    // Remove capability from role
    $role->remove_cap('delete_products');

    // Check if role has capability
    if ($role->has_cap('manage_woocommerce')) {
        // Role has this capability
    }
}

Checking User Capabilities

// Check current user capability
if (current_user_can('manage_woocommerce')) {
    // User can manage WooCommerce
}

// Check specific user capability
$user = get_user_by('id', 123);
if ($user && user_can($user, 'edit_products')) {
    // This user can edit products
}

// Check multiple capabilities
if (current_user_can('edit_products') && current_user_can('publish_products')) {
    // User can both edit and publish
}

Role-Based Access Control (RBAC)

Restrict Admin Pages by Role

// Hide the WooCommerce reports menu entry from users who lack either capability.
// This only removes the menu link; the reports page still enforces its own
// capability, and menu visibility must never be relied on as access control.
add_action('admin_menu', 'restrict_woocommerce_reports');
function restrict_woocommerce_reports() {
    if (!current_user_can('view_woocommerce_reports') && !current_user_can('manage_woocommerce')) {
        remove_submenu_page('woocommerce', 'wc-reports');
    }
}

Hide Products from Specific Roles

// Hide wholesale-only products from users who lack a custom capability.
// 'view_wholesale_products' is not a WooCommerce capability: it has to be granted to
// the roles that should see these products, and administrators only get it if it is
// granted to them too. This filter affects catalog listings only; it does not stop a
// direct product URL or an add-to-cart request by product ID, so pair it with a
// woocommerce_is_purchasable filter.
add_filter('woocommerce_product_is_visible', 'hide_products_from_customers', 10, 2);
function hide_products_from_customers($visible, $product_id) {
    // Hide wholesale products from retail customers
    if (!current_user_can('view_wholesale_products')) {
        $product = wc_get_product($product_id);
        if ($product && $product->get_meta('_wholesale_only') === 'yes') {
            return false;
        }
    }
    return $visible;
}

Role-Based Pricing

// Apply different pricing for different roles
// This hook covers simple products; variations read their price through
// woocommerce_product_variation_get_price, where the same callback can be attached.
add_filter('woocommerce_product_get_price', 'role_based_pricing', 10, 2);
function role_based_pricing($price, $product) {
    // Products with no price set pass '' through this filter; leave those alone
    if ('' === $price || !is_user_logged_in()) {
        return $price;
    }

    $user = wp_get_current_user();

    // Wholesale customers get 20% discount
    if (in_array('wholesale_customer', $user->roles, true)) {
        return $price * 0.80;
    }

    // VIP customers get 15% discount
    if (in_array('vip_customer', $user->roles, true)) {
        return $price * 0.85;
    }

    return $price;
}
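The visibility filter in "Hide Products from Specific Roles" and the pricing filter above both rely on a wholesale_customer role and a view_wholesale_products capability that WooCommerce does not ship. The following added example (not from the page or from WooCommerce) registers both once at plugin activation and closes the gap that catalog visibility leaves, since a hidden product can still be added to the cart by ID. It assumes the code lives in a plugin's main file (so __FILE__ is valid for register_activation_hook) and that the _wholesale_only meta key from the page is in use; function names are hypothetical.

```php
register_activation_hook(__FILE__, 'example_register_wholesale_role');
function example_register_wholesale_role() {
    // Start from the customer role so wholesale users keep normal account access.
    $customer = get_role('customer');
    $caps = $customer ? $customer->capabilities : array('read' => true);
    $caps['view_wholesale_products'] = true;
    add_role('wholesale_customer', 'Wholesale Customer', $caps);

    // Custom capabilities are not implied by administrator; grant staff roles explicitly.
    foreach (array('administrator', 'shop_manager') as $staff_role) {
        $role = get_role($staff_role);
        if ($role) {
            $role->add_cap('view_wholesale_products');
        }
    }
}

// Single place that decides whether a product is wholesale-only (uses the page's meta key).
function example_is_wholesale_only($product) {
    return $product instanceof WC_Product && 'yes' === $product->get_meta('_wholesale_only');
}

// woocommerce_product_is_visible only affects listings; this stops add-to-cart as well,
// including requests that name the product ID directly.
add_filter('woocommerce_is_purchasable', 'example_block_wholesale_purchase', 10, 2);
function example_block_wholesale_purchase($purchasable, $product) {
    if (example_is_wholesale_only($product) && !current_user_can('view_wholesale_products')) {
        return false;
    }
    return $purchasable;
}

// Direct links to the product page are sent back to the shop for the same users.
add_action('template_redirect', 'example_guard_wholesale_product_page');
function example_guard_wholesale_product_page() {
    if (!is_product() || current_user_can('view_wholesale_products')) {
        return;
    }
    if (example_is_wholesale_only(wc_get_product(get_queried_object_id()))) {
        wp_safe_redirect(wc_get_page_permalink('shop'));
        exit;
    }
}
```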

Permission Best Practices

1. Principle of Least Privilege

Grant only the minimum permissions needed:

// Good: Specific capability
if (current_user_can('edit_products')) {
    // Allow editing products
}

// Bad: Overly broad capability
if (current_user_can('manage_options')) {
    // Too much access for simple task
}

2. Time-Limited Access

Grant temporary elevated permissions:

// Grant temporary admin access
// Relies on WP-Cron: the removal only happens when the scheduled event runs, which on
// a low-traffic site (or one with DISABLE_WP_CRON set and no system cron) can be well
// after the intended expiry.
function grant_temporary_admin($user_id, $days = 7) {
    $user = get_user_by('id', $user_id);
    if (!$user) {
        return false;
    }
    $user->add_role('administrator');

    // Schedule removal
    wp_schedule_single_event(
        time() + ($days * DAY_IN_SECONDS),
        'remove_temporary_admin',
        array($user_id)
    );
    return true;
}

add_action('remove_temporary_admin', 'remove_admin_role');
function remove_admin_role($user_id) {
    $user = get_user_by('id', $user_id);
    if ($user) {
        $user->remove_role('administrator');
    }
}
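Because the cron-based removal above only happens when WP-Cron runs the event, a practitioner would normally want the grant to expire on its own. The following added example (not from the page) stores an expiry timestamp in user meta and revokes the role on the first capability check after expiry, so access lapses even if cron never fires. The meta key and function names are assumptions.

```php
const EXAMPLE_TEMP_ADMIN_META = '_temp_admin_expires'; // hypothetical meta key

function example_grant_temporary_admin($user_id, $days = 7) {
    $user = get_user_by('id', $user_id);
    if (!$user) {
        return false;
    }
    $expires = time() + ($days * DAY_IN_SECONDS);
    update_user_meta($user_id, EXAMPLE_TEMP_ADMIN_META, $expires);
    $user->add_role('administrator');
    // Record who granted it: core keeps no audit trail for role changes.
    error_log(sprintf('Temporary admin granted to user %d by user %d until %s',
        $user_id, get_current_user_id(), gmdate('c', $expires)));
    return $expires;
}

// Priority 1 so this runs before other user_has_cap filters see administrator caps.
add_filter('user_has_cap', 'example_expire_temporary_admin', 1, 4);
function example_expire_temporary_admin($allcaps, $caps, $args, $user) {
    $expires = (int) get_user_meta($user->ID, EXAMPLE_TEMP_ADMIN_META, true);
    if (0 === $expires || time() < $expires) {
        return $allcaps; // not a temporary admin, or still inside the window
    }

    // Expired: drop the marker and the role (persisted for later requests)...
    delete_user_meta($user->ID, EXAMPLE_TEMP_ADMIN_META);
    $user->remove_role('administrator');
    error_log(sprintf('Temporary admin expired for user %d', $user->ID));

    // ...and fail closed for this request by stripping the administrator capability set.
    $admin = get_role('administrator');
    if ($admin) {
        $allcaps = array_diff_key($allcaps, $admin->capabilities);
    }
    $allcaps['read'] = true; // keep the basic capability every logged-in user has
    return $allcaps;
}
```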

3. Audit User Access

// Log capability checks
// user_has_cap runs on every capability check, so keep the filtered set small;
// $caps holds the primitive capabilities map_meta_cap() resolved for the check.
add_filter('user_has_cap', 'log_capability_checks', 10, 4);
function log_capability_checks($allcaps, $caps, $args, $user) {
    // Log sensitive capability checks
    $sensitive_caps = array('manage_options', 'manage_woocommerce', 'delete_users');

    foreach ($caps as $cap) {
        if (in_array($cap, $sensitive_caps, true)) {
            error_log(sprintf(
                'User %d checked for capability: %s (granted: %s)',
                $user->ID,
                $cap,
                !empty($allcaps[$cap]) ? 'yes' : 'no'
            ));
        }
    }

    return $allcaps;
}
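Logging every capability check is noisy; the events worth keeping for an audit are role and capability changes, which is where privilege escalation in WordPress shows up. The following added example (not from the page) hooks the core actions that fire on those changes, including the raw capabilities meta write that bypasses the WP_User methods. The log format and function names are assumptions.

```php
function example_log_role_event($event, $user_id, $detail) {
    $actor = get_current_user_id(); // 0 when triggered by cron, WP-CLI or an unauthenticated request
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'])) : 'none';
    error_log(sprintf('[role-audit] event=%s user=%d actor=%d ip=%s %s', $event, $user_id, $actor, $ip, $detail));
}

// WP_User::set_role() (the role dropdown on the profile screen) fires set_user_role.
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    example_log_role_event('set_role', $user_id,
        sprintf('new=%s old=%s', $role, implode(',', (array) $old_roles)));
}, 10, 3);

// WP_User::add_role() and remove_role() fire add_user_role / remove_user_role.
add_action('add_user_role', function ($user_id, $role) {
    example_log_role_event('add_role', $user_id, 'role=' . $role);
}, 10, 2);
add_action('remove_user_role', function ($user_id, $role) {
    example_log_role_event('remove_role', $user_id, 'role=' . $role);
}, 10, 2);

// Roles live in the {prefix}capabilities user meta. Code that writes that meta directly
// bypasses the actions above, so also watch the meta write itself.
add_action('updated_user_meta', function ($meta_id, $user_id, $meta_key, $meta_value) {
    global $wpdb;
    if ($meta_key !== $wpdb->prefix . 'capabilities') {
        return;
    }
    $granted = is_array($meta_value) ? implode(',', array_keys(array_filter($meta_value))) : '?';
    example_log_role_event('capabilities_meta', $user_id, 'granted=' . $granted);
}, 10, 4);

// A capability added to a role affects every holder of it; role definitions are the
// {prefix}user_roles option, which has no dedicated action of its own.
add_action('update_option', function ($option, $old_value, $value) {
    global $wpdb;
    if ($option === $wpdb->prefix . 'user_roles') {
        example_log_role_event('role_definitions_changed', 0, 'option=' . $option);
    }
}, 10, 3);
```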

4. Separate Development and Production Access

// Restrict admin access on production
// WP_ENV is a convention used by some deployment setups (e.g. Bedrock), not a core
// constant; WordPress 5.5+ also provides wp_get_environment_type(). Matching on user
// ID or login is more robust than on email, which a user can change in their profile.
function restrict_production_admin($allcaps, $caps, $args, $user) {
    // Only allow specific users admin access on production
    $allowed_admin_emails = array('owner@example.com', 'manager@example.com');

    if (in_array('manage_options', $caps, true) && !in_array($user->user_email, $allowed_admin_emails, true)) {
        unset($allcaps['manage_options']);
    }

    return $allcaps;
}

if (defined('WP_ENV') && WP_ENV === 'production') {
    add_filter('user_has_cap', 'restrict_production_admin', 10, 4);
}

Troubleshooting Role Issues

User Can't Access Expected Features

// Debug user capabilities
// Output is for a logged-in administrator only; never expose this on a public page
function debug_user_capabilities($user_id) {
    if (!current_user_can('manage_options')) {
        return;
    }
    $user = get_user_by('id', $user_id);
    if (!$user) {
        echo '<p>No user with ID ' . (int) $user_id . '</p>';
        return;
    }

    echo '<h3>User: ' . esc_html($user->display_name) . '</h3>';
    echo '<h4>Roles:</h4>';
    echo '<pre>' . esc_html(print_r($user->roles, true)) . '</pre>';

    echo '<h4>Capabilities:</h4>';
    echo '<pre>' . esc_html(print_r($user->allcaps, true)) . '</pre>';
}

// Usage: debug_user_capabilities(123);

Reset Default WooCommerce Roles

// Reset WooCommerce roles to defaults
// Users keep the role name in their capabilities meta while the role is removed, so
// they regain it as soon as create_roles() re-registers it; any custom capabilities
// added to these roles are lost.
function reset_woocommerce_roles() {
    if (!class_exists('WooCommerce')) {
        return false;
    }

    // Remove existing roles
    remove_role('shop_manager');
    remove_role('customer');

    // Reinstall WooCommerce roles
    WC_Install::create_roles();
    return true;
}
