Admin bypass for GravityBoard permissions
By default, GravityBoard grants WordPress administrators and Gravity Forms administrators full access to every board, including permission to view, add, edit, move, and delete cards and lanes, regardless of what is selected in the board’s Permissions tab. This article explains that behavior and how to override it for your site.
Who is treated as an admin?
GravityBoard treats a user as an admin (and grants them full access) if they have either of the following WordPress capabilities:
| Capability | Typical role | Why it qualifies |
|---|---|---|
| manage_options | WordPress Administrator | Core WordPress capability for full site management. |
| gform_full_access | Gravity Forms admin | Grants unrestricted access to Gravity Forms. Users who manage forms but are not WordPress administrators will usually have this. |
If a user has at least one of these capabilities, every permission check inside GravityBoard returns true before the board’s role settings are ever consulted.
What does “full access” cover?
The admin bypass applies to every action GravityBoard permission-checks, including:
- Viewing a board and fetching its entries
- Adding, editing, moving, and deleting cards
- Adding, renaming, reordering, and deleting lanes
- Reading, creating, and deleting entry notes
- Uploading and deleting attachments
- Managing checklists and checklist items
- Voting on cards (when the Voting feature is in use)
Permissions configured in the Permissions tab of the board settings are still respected for every non-admin user. The bypass only affects users who hold manage_options or gform_full_access.
Overriding the default with a filter
Developers can change which users are granted the admin bypass using the gk/gravityboard/permissions/admin-has-full-access filter. This filter runs inside GravityBoard\Helpers::admin_has_full_access() and its result is cached per user for the duration of the request, so it is safe to use on high-traffic sites.
Not sure where to add the code samples below? See Where to put code samples.
Filter signature
This is the filter as defined in the plugin source (src/Helpers.php):
```php
/**
 * Filters whether an admin user bypasses all board permission checks.
 *
 * @since 1.4.0
 *
 * @param bool $has_full_access Whether the user has full access. Default: true for admins.
 * @param int  $user_id         The user ID being checked.
 */
$has_full_access = (bool) apply_filters(
    'gk/gravityboard/permissions/admin-has-full-access',
    $has_full_access,
    $user_id
);
```

| Argument | Type | Description |
|---|---|---|
| $has_full_access | bool | Whether the user is currently considered an admin. Default: true if the user has manage_options or gform_full_access, otherwise false. |
| $user_id | int | The ID of the user being checked. |
Example 1: Remove the bypass for everyone
Force every user, including site administrators, to obey the board’s Permissions tab:
```php
add_filter(
    'gk/gravityboard/permissions/admin-has-full-access',
    '__return_false'
);
```

Warning: After applying this filter, administrators will be locked out of any action that is not explicitly enabled for their role in each board’s Permissions tab. Make sure to grant the appropriate roles before deploying this change.
Example 2: Bypass only for a specific role
Grant full access to users in a custom board_manager role, regardless of whether they have manage_options:
```php
/**
 * Grant full GravityBoard access to users who can manage boards.
 *
 * @param bool $has_full_access Whether the user has full access.
 * @param int  $user_id         The user ID being checked.
 *
 * @return bool
 */
add_filter(
    'gk/gravityboard/permissions/admin-has-full-access',
    function ( $has_full_access, $user_id ) {
        // user_can() checks a capability. This assumes the custom board_manager
        // role has been granted a manage_board capability.
        if ( user_can( $user_id, 'manage_board' ) ) {
            return true;
        }
        return $has_full_access;
    },
    10,
    2
);
```

Example 3: Exclude specific users from the bypass
Keep the default behavior, but exclude a specific user ID from receiving full access:
```php
/**
 * Exclude specific user IDs from the GravityBoard admin bypass.
 *
 * @param bool $has_full_access Whether the user has full access.
 * @param int  $user_id         The user ID being checked.
 *
 * @return bool
 */
add_filter(
    'gk/gravityboard/permissions/admin-has-full-access',
    function ( $has_full_access, $user_id ) {
        $excluded_user_ids = [ 42, 108 ];
        if ( in_array( $user_id, $excluded_user_ids, true ) ) {
            return false;
        }
        return $has_full_access;
    },
    10,
    2
);
```

Interaction with board-level permissions
When a permission check runs, GravityBoard evaluates it in this order:
- If the selected roles for the action include the enabled value (“Everyone”), access is granted.
- If admin_has_full_access() returns true for the user, access is granted.
- If no roles are selected for the action, access is denied.
- Otherwise, each selected role or capability is checked against the user.
This means the admin bypass cannot be disabled by leaving the Permissions tab empty. You must use the filter above.
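To review which accounts the bypass covers, before or after changing it with the filter, the following added example (not part of the GravityBoard plugin or its documentation) lists each user's default and filtered result. The function name gb_audit_admin_bypass and the file name are hypothetical, and the script re-applies the documented filter itself rather than calling the plugin's helper.

```php
<?php
// Added example, not GravityBoard code. Run inside WordPress, for example with
// `wp eval-file gb-bypass-audit.php` (hypothetical file name).

/**
 * Report which users receive the admin bypass by default and after filters.
 * Re-applies the documented filter directly, so registered callbacks are
 * reflected without relying on the plugin's per-request cache.
 *
 * @return array[] One row per user whose default or filtered result is true.
 */
function gb_audit_admin_bypass() { // Hypothetical helper name.
    $bypass_caps = [ 'manage_options', 'gform_full_access' ];
    $rows        = [];
    // Loads every user; on very large sites, page through with 'number' and 'paged'.
    foreach ( get_users( [ 'fields' => [ 'ID', 'user_login' ] ] ) as $user ) {
        $user_id = (int) $user->ID;
        $held    = [];
        foreach ( $bypass_caps as $cap ) {
            if ( user_can( $user_id, $cap ) ) {
                $held[] = $cap;
            }
        }

        // Default described in the article: true if either capability is held.
        $default  = ! empty( $held );
        $filtered = (bool) apply_filters(
            'gk/gravityboard/permissions/admin-has-full-access',
            $default,
            $user_id
        );

        if ( $default || $filtered ) {
            $rows[] = [
                'id'       => $user_id,
                'login'    => $user->user_login,
                'caps'     => $held ? implode( ',', $held ) : '-',
                'default'  => $default,
                'filtered' => $filtered,
            ];
        }
    }
    return $rows;
}

foreach ( gb_audit_admin_bypass() as $row ) {
    printf( "%d\t%s\tcaps=%s\tdefault=%s\tfiltered=%s\n", $row['id'], $row['login'], $row['caps'],
        $row['default'] ? 'yes' : 'no', $row['filtered'] ? 'yes' : 'no' );
}
```

A row with default=no and filtered=yes is a user granted the bypass by a filter callback; default=yes and filtered=no means a callback removed it.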
Troubleshooting
An administrator can see actions I thought were restricted
This is expected. The board’s Permissions tab does not apply to users with manage_options or gform_full_access. Use the gk/gravityboard/permissions/admin-has-full-access filter to change this.
A non-admin user cannot perform an action
Open the board settings, switch to the Permissions tab, and confirm the user’s role is selected for that action. The admin bypass does not apply to users without manage_options or gform_full_access.
My filter is not running
- Confirm the callback is registered before GravityBoard checks permissions (the plugins_loaded hook is a safe place).
- Remember that the result is cached per user for the request. If you are toggling the filter dynamically, clear the cache by running your test in a fresh request.
- Make sure you declared $user_id in the callback signature and passed 10, 2 as the priority and argument count to add_filter().