Rootstuff Block Permissions

Rootstuff Block Permissions is a lightweight, agency-focused plugin that lets you decide which Gutenberg blocks and patterns each user role can see, on each post type. Tick what you want hidden, save, and your clients only see the blocks they actually need.

Unlike generic block managers, every rule is scoped by role and post type, so editors can have a different toolkit on Pages than on Posts, contributors can be locked down further, and administrators can be exempt entirely (or included for previewing the client experience).

What it does

• Hide any registered block from the inserter — core, theme, plugin, ACF blocks, anything.
• Hide block patterns the same way.
• Optional per-role overrides (Editor, Author, Contributor, custom roles).
• Optional per-post-type overrides (Posts, Pages, custom post types).
• Combine both: e.g. “Editor on Page only” gets a different set than “Editor on Post”.
• Disable the WordPress.org remote pattern directory.
• Disable WordPress core patterns entirely.

Why a separate plugin

Most block-management plugins are global — they hide a block for everyone, everywhere. That breaks down the moment you have multiple client roles or different post types with different needs. Rootstuff Block Permissions lets you say “hide the Cover block for Authors on Pages, but keep it for Editors on Posts” without writing any code.

Mental model

The plugin is a denylist. An empty list means nothing is blocked. You tick what you want to hide. New blocks added to the site later are automatically allowed unless you come back and tick them.

A default rule applies to everyone unless you create an override. Overrides are matched most-specific-first:

1. Exact role and exact post type
2. That role on any post type
3. Any role on that post type
4. The default rule
5. None of the above — no restrictions

Multi-role users get the least restrictive of their roles’ resolved rules: a block is hidden only if every one of their roles’ rules hides it.

Administrators

By default, administrators bypass all restrictions. There’s an “Apply to administrators” toggle so you can preview the client experience without switching accounts.

Privacy

The plugin stores its configuration in a single WordPress option (rootstuff_bp_settings). It does not connect to any external service, send analytics, or store data about your users.

Development

Source code is available on GitHub: https://github.com/rootstuff/rootstuff-block-permissions

The build/admin.js file is generated from the src/ directory using @wordpress/scripts. To rebuild from source:

1. Clone the repository.
2. Run npm install.
3. Run npm run build.