How to Restrict Table Export to Specific WordPress Roles

Not everyone who can view a table should be able to download its contents. A public directory table might be fine for browsing but inappropriate to export in bulk. An internal reporting table might be safe for employees to view but restricted to managers for export. TableCrafter's export permissions system controls exactly who sees the export button and who can actually trigger a download at the API level. WordPress powers 43% of all websites globally (W3Techs, July 2026), and TableCrafter bridges the gap between the data you collect and the tables your users need to see, no custom PHP, no dashboard access required for viewers, and no per-row limits on the free tier. The free version on WordPress.org supports CSV, JSON, Google Sheets, and Excel. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST APIs, inline cell editing, export to CSV/PDF, role-based column visibility, and auto-refresh. Every table embeds on. Auto-refresh tables reduce page reload frequency by 89% in live-data dashboard deployments (Kinsta performance benchmarks, 2024).
Why Export Permissions Are a Separate Concern?
Table visibility and export access are independent settings in TableCrafter. A table can be fully visible to all users — including logged-out visitors — while export is restricted to authenticated users with a specific WordPress role. This separation exists because the ability to view data row-by-row and the ability to bulk-download the entire dataset represent meaningfully different levels of data access, even when the underlying data is the same.
This decoupling is the right design for most use cases:
- Public visitors can browse a product catalog or staff directory table without being able to export a competitor-usable bulk list of all products with pricing.
- Only administrators can download the full dataset for CRM import, while customers can still read the searchable table.
- Registered customers can export their own order history (row-level scope, filtered by current user) while other customers cannot export each other's orders.
- Managers can export team data for reporting; individual contributors see the same data but cannot download it.
Configure table view permissions under Access → Minimum role to view, and export permissions under Access → Minimum role to export. These can be set to different roles on the same table configuration.
How Do I Configure Export Permissions?
Export permissions are set per-table in the TableCrafter admin.
- Go to TableCrafter > Tables and click Edit on the target table.
- Open the Export tab.
- Find the Who can export? setting.
- Choose one of the available options.
The available export permission levels are:
- Everyone: Any visitor, logged in or not, can trigger an export.
- Logged-in users only: Any authenticated WordPress user can export, regardless of role.
- Specific roles: Only users with one or more selected WordPress roles can export. You select roles from a checkbox list that includes all roles registered on your site.
- Admins only: Shorthand for restricting export to users with the
administratorrole and themanage_optionscapability.
administrator and editor to export while blocking subscriber and logged-out visitors.What Happens When a User Cannot Export?
Export permission enforcement happens at two layers: the UI and the API.
UI Layer: Button Hidden
When a user views the table and does not have export permission, the export button is simply not rendered in the table toolbar. There is no disabled button or grayed-out state, the button does not exist in the page HTML for that user. Users with export permission see the button; users without it do not. No explanation or error message is shown.
API Layer: Request Blocked
Hiding the button is not sufficient security on its own, because a technically capable user could construct a direct HTTP request to the export endpoint. TableCrafter blocks this at the server level: the export API endpoint checks the current user's capabilities before generating the file.
If an unauthorized request hits the export endpoint, whether from a direct URL, a script, or a browser tool, the server returns a 403 Forbidden response. No file is generated. No data is returned. The check uses WordPress's native current_user_can() function against the required capability for the configured role.
How Does Combining Export Permissions with Row-Level Visibility Work?
TableCrafter supports row-level visibility rules that show users only their own records. For example, a table of orders might show each customer only their own orders. When export permissions and row-level visibility are both configured:
- A customer with export permission downloads only their own rows.
- An administrator with export permission downloads all rows (because row-level visibility is typically bypassed for admin roles).
This combination gives you fine-grained control: customers can self-service their own data export without seeing anyone else's data.
After completing this step, verify the result by viewing the page as a logged-out visitor in an incognito window. This confirms the table behaves correctly for public visitors rather than reflecting admin-level permissions that may hide configuration issues during initial setup. Check both the rendered output and the browser console for any JavaScript errors.
How Does Permission Configuration Examples Work?
Table visibility: Everyone. Export permission: Admins only. Visitors can browse; only admins can bulk-download the directory.
Table visibility: Logged-in users. Export permission: Editor + Administrator roles. Team members can view; only editors and admins can export.
Table visibility: Logged-in users (own rows only). Export permission: Logged-in users. Each customer can export their own order history.
Table visibility: Admins only. Export permission: Admins only. Entire table is admin-gated; export follows the same restriction.
The column mapping you define here is stored as a JSON configuration in the WordPress database. You can export this configuration using the TableCrafter export tool and import it to another table or another site. This is useful when replicating a table layout across multiple pages or when migrating a table to a staging environment for testing before going live.
How Does Checking Current User Role in WordPress Work?
If you are unsure what role a specific user on your site has, check it in WordPress Admin > Users. Each user's role appears in the Role column. The roles available in the TableCrafter export permission selector match whatever roles are registered on your WordPress installation, including custom roles added by membership plugins or other tools.
TableCrafter re-fetches this data on each page load by default. If your data source updates infrequently and your site has significant traffic, enable the built-in caching option in the table's Performance tab. This stores the fetched data for a configurable number of minutes and serves it from WordPress transients, reducing API calls to the source and improving page load time for visitors.
wholesale_customer, manager), those custom roles appear in the TableCrafter role selector automatically. No configuration is needed to register them.How Does Auditing Export Access Work?
TableCrafter does not currently log export events to a database audit trail by default. If you need a record of who exported what and when, consider adding a WordPress activity log plugin (such as WP Activity Log or Simple History) alongside TableCrafter. These plugins hook into WordPress's action system and can capture custom events fired by TableCrafter, including the export trigger action that fires when a user initiates a CSV, Excel, or PDF export.
To set up basic export auditing: install an activity log plugin, configure it to track custom plugin actions, and look for the tablecrafter_export_triggered action hook that fires with the table ID and user ID as parameters. The log then records the timestamp, user display name, user role, and table name for each export event. This approach works without modifying TableCrafter files and survives plugin updates.
If you need stricter export controls — for example, limiting exports to specific tables for specific users rather than a blanket minimum-role rule — contact TableCrafter support about per-table per-user export permission overrides, which are available as a configuration option in Pro plans.
What Are the Next Steps?
With export permissions locked down by role, you can safely enable export on tables that contain sensitive data without exposing bulk download capability to unintended users. From here, explore scheduling automatic exports by email so privileged users receive data on a schedule without needing to visit the site at all, covered in the scheduled export guide in this series.
Frequently Asked Questions
How Does Why Export Permissions Are a Separate Concern Work?
Table visibility and export access are independent settings. A table can be fully visible to all users, including logged-out visitors, while export is restricted to authenticated users with a specific WordPress role. This is the right separation for most use cases:
What Is TableCrafter?
TableCrafter is a WordPress plugin that turns data from Gravity Forms, Google Sheets, Airtable, Notion, REST APIs, CSV files, and WooCommerce into interactive, sortable, filterable frontend tables. Embed any table on any WordPress page with the [tablecrafter] shortcode or the native Gutenberg block. No PHP or custom development required. The free version supports CSV, JSON, Google Sheets, and Excel. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST APIs, inline cell editing, export to CSV and PDF, role-based column visibility, and auto-refresh.
Does this require PHP or developer skills?
No. TableCrafter is configured entirely through the WordPress admin interface. You choose your data source, map fields to columns, and set display preferences using point-and-click controls. Embedding uses the [tablecrafter] shortcode or the native Gutenberg block.
Is the free version sufficient or do I need Pro?
The free plugin on WordPress.org supports CSV, JSON, Google Sheets, and Excel sources with unlimited tables, rows, and columns. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST API sources, inline cell editing, bulk row actions, export to CSV and PDF, role-based column visibility, and auto-refresh every N seconds.
Ready to try it?
TableCrafter is free on WordPress.org. Pro unlocks inline editing, role-based permissions, and advanced data sources.