How to Restrict a WooCommerce Orders Table by WordPress Role

Updated July 2026 • 7 min read • By Fahad Murtaza

TableCrafter table builder, connect Gravity Forms, Google Sheets, Airtable, CSV, or JSON data sources
TableCrafter table builder, connect Gravity Forms, Google Sheets, Airtable, CSV, or JSON data sources

A single WooCommerce store typically needs at least three different views of order data: customers see only their own orders in read-only mode, shop managers see all orders and can edit status, and admins see everything including cost and margin columns. TableCrafter handles all three with separate table configurations and role-gated column visibility. This guide walks through each role configuration in full. WordPress powers 43% of all websites globally (W3Techs, July 2026), and TableCrafter bridges the gap between the data you collect and the tables your users need to see, no custom PHP, no dashboard access required for viewers. The free version on WordPress.org supports CSV, JSON, Google Sheets, and Excel. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST APIs, inline cell editing, export to CSV/PDF, role-based column visibility, and auto-refresh. Every table embeds on any page with a [tablecrafter] shortcode or the native Gutenberg block. WooCommerce processes over 7 billion dollars in orders monthly across all installations (WooCommerce, 2024).

What Is the Three-Table Strategy?

The cleanest approach is to create three separate table configurations sharing the same WooCommerce Orders data source. Each config is tuned for one role's needs:

You then place the appropriate shortcode on the appropriate page, with each page restricted to the right role. Alternatively, you can use a single page and render all three shortcodes, TableCrafter's own role checks ensure each user sees only the table they have permission to view.

After completing this step, verify the result by viewing the page as a logged-out visitor in an incognito window. This confirms the table behaves correctly for public visitors rather than reflecting admin-level permissions that may hide configuration issues during initial setup. Check both the rendered output and the browser console for any JavaScript errors.

What Is Role 1: Customer, Read-Only, Own Orders Only?

Table Configuration

Go to TableCrafter → Tables → Add New in your WordPress admin. In the Table Name field, enter a descriptive label such as WooCommerce Orders, Customer View. A clear, role-specific name matters when you have multiple configurations for the same data source, since the name appears in the admin tables list and helps you identify the right config ID for each shortcode.

For Data Source, select WooCommerce: Orders. This connects the table to WooCommerce's order records. The data source itself returns all orders; customer-level row isolation is applied separately through the hidden filter configured below. Leave the Table ID field empty: TableCrafter assigns an auto-incremented numeric ID on first save. Note that ID after saving as you will need it for the shortcode placement step. Save the table once before proceeding to column configuration.

Columns

The customer-facing column set should contain only information the customer has a legitimate interest in seeing about their own orders. Omit all operational, financial, and business-internal fields.

Do not include cost price, margin, internal notes, billing phone, payment gateway tokens, or any business-internal field. If a customer can see a column, they can also export it.

Filters

The customer table requires exactly one filter, and it must be hidden from the user interface. This filter enforces row-level data isolation so that only orders belonging to the currently authenticated customer are returned.

The Current User filter type automatically resolves to the WordPress user ID of the authenticated visitor on each page load. TableCrafter applies this as a server-side condition before data is returned, so customers cannot bypass it by modifying query parameters, shortcode attributes, or browser requests. Because the filter is marked Hidden, no filter input renders in the table header. Customers see only their own orders with no indication that the view is scoped. Do not add any visible filters to this table; the table is intentionally minimal and controlled.

Access Settings

These three settings control who can see the table and what they can do with it. Configure them in the Access & Permissions panel of the table builder before saving.

Setting Roles that can edit to None is important here: even if edit="true" is accidentally added to the shortcode, no edit affordances will render for any visitor because the table-level permission overrides the shortcode parameter.

Shortcode

[tablecrafter id="5" search="true"]

The search="true" parameter enables a global full-text search bar above the table. Customers can type any order detail, product name, date fragment, or amount into the search bar and the table filters instantly without a page reload. This is the only interactive control on the customer table; all column-level filters are hidden through the current-user filter configuration above.

Place this shortcode on a dedicated My Orders page accessible to logged-in customers, or embed it within the WooCommerce My Account template. If you use the My Account page, be aware that WooCommerce already renders its own orders list there; a custom My Orders page avoids presenting duplicate lists to the customer. Set the page visibility to require login at the WordPress page level as an additional layer of access control beyond TableCrafter's own role check.

The column mapping you define here is stored as a JSON configuration in the WordPress database. You can export this configuration using the TableCrafter export tool and import it to another table or another site. This is useful when replicating a table layout across multiple pages or when migrating a table to a staging environment for testing before going live.

What Is Role 2: Shop Manager, All Orders, Status Editable?

Table Configuration

Go to TableCrafter → Tables → Add New. Name this configuration WooCommerce Orders, Shop Manager to distinguish it clearly from the customer-facing Table A in the admin list. Set the Data Source to WooCommerce: Orders, the same source as Table A. All three role-specific tables in this guide share the same underlying data source, which means changes to WooCommerce order data are reflected in all three table views without any synchronization step.

Because this configuration does not apply a current-user filter, shop managers see all orders from all customers. That is the intended scope for this role. Confirm this is appropriate for your team's data access policy before deploying. Note the table ID after saving, you will need it for the shop manager shortcode below.

Columns

The shop manager column set is broader than the customer view and includes operational fields needed for order fulfillment. It does not include cost or margin data, which is reserved for the administrator configuration.

Do not include cost price or margin columns. Shop managers should see what the customer paid, not the cost the business paid. Cost data belongs in the administrator-only Table C.

Filters

Unlike the customer table, the shop manager configuration exposes visible filters that let staff narrow the order list to the work they need to process right now. Configure two filters to be visible by default:

There is no current-user filter on this table. Shop managers see all orders from all customers, which is the correct scope for this role. Visibility is controlled at the table access level, not the row level.

Access Settings

These settings enforce that only shop managers and administrators can access this table configuration. Customers and lower roles receive the no-access message even if they somehow obtain the page URL.

Shortcode

[tablecrafter id="6" edit="true" filter="true" search="true" export="true"]

This shortcode activates inline editing (edit="true"), the column filter row (filter="true"), the global search bar (search="true"), and the CSV export button (export="true"). Shop managers can export the current filtered view for reconciliation or reporting without needing admin access to WooCommerce or GF exports.

Place this shortcode on a page restricted to the Shop Manager role. Use WordPress's built-in page visibility (Private or Password Protected) or a membership plugin to add a page-level restriction as a secondary layer beyond TableCrafter's own role check. This prevents the page HTML itself from being served to unauthenticated visitors, even before TableCrafter's role check runs.

What Is Role 3: Administrator, All Orders, All Columns?

Table Configuration

Go to TableCrafter → Tables → Add New. Name this configuration WooCommerce Orders, Admin. Set the Data Source to WooCommerce: Orders, the same source used by Tables A and B. Because all three configurations share a single data source, any update to an order in WooCommerce is immediately visible across all three table views on the next page load.

This configuration is the most permissive: it shows all orders, all columns including cost and margin data, and gives administrators full bulk action controls. Restrict access to this table tightly. Note the table ID after saving, this ID is what you use in the administrator shortcode. Because the admin table includes sensitive business data, test this configuration on a staging environment before deploying to production.

Columns

All columns from the Shop Manager config, plus:

Cost of goods fields: TableCrafter reads cost-of-goods data from the meta keys written by your cost tracking plugin. Common meta keys include _wc_cog_item_cost (WooCommerce Cost of Goods plugin) and _profit_margin. Add these as meta:_wc_cog_item_cost in the field mapper.

Bulk Actions

Enable Bulk Actions in the toolbar configuration for the admin table. Bulk actions let an administrator select multiple rows using the checkbox column and apply a single operation to all selected orders simultaneously, replacing the need to open and edit each order individually in wp-admin.

Add these bulk actions to the admin configuration:

Bulk actions are restricted to the roles listed under Roles that can edit in the Access Settings panel. A shop manager accessing this page would not see bulk action controls even if they somehow bypass the page-level access restriction, because their role is not in the administrator table's Edit Roles configuration.

Access Settings

The administrator table has the most restrictive access settings because it exposes the most sensitive data. These settings ensure that only WordPress administrators can view or interact with it, even if the page URL is discovered by other roles.

Additionally, restrict the page itself to administrators at the WordPress level using a plugin or your theme's access controls. This prevents the page HTML from loading at all for non-administrator visitors, which is better practice than relying solely on TableCrafter's output suppression for sensitive business data.

Shortcode

[tablecrafter id="7" edit="true" filter="true" search="true" export="true"]

This shortcode activates the full administrator feature set: inline editing (edit="true"), the column filter row (filter="true"), global search (search="true"), and CSV export (export="true"). Administrators can filter by any column, search across all fields, export the filtered result set including cost and margin data, and use bulk actions to update order statuses across multiple rows at once.

Place this shortcode on a WordPress page with visibility set to Private, or protect it using an administrator-only membership plugin rule. If you use a caching plugin such as WP Rocket or LiteSpeed Cache, add the admin page URL to the cache bypass list. Cached pages can serve a previous user's table output to a different visitor, which is a data leakage risk for any page containing role-restricted content.

How Does Placing All Three Shortcodes Efficiently Work?

If you want a single page that adapts based on who is viewing it, you can place all three shortcodes on the same page. TableCrafter will render each table only if the current user meets its minimum role requirement. A customer visiting the page sees Table A only. A shop manager sees Tables A and B. An admin sees all three.

This approach works but can look odd, a shop manager would see both their management table and the customer orders table. The cleaner approach is to use three separate pages and redirect users to the appropriate page based on role using a plugin like Meow Login Redirects or a small filter in functions.php.

TableCrafter re-fetches this data on each page load by default. If your data source updates infrequently and your site has significant traffic, enable the built-in caching option in the table's Performance tab. This stores the fetched data for a configurable number of minutes and serves it from WordPress transients, reducing API calls to the source and improving page load time for visitors.

How Does Column-Level Role Gating Work?

For cases where the Shop Manager and Admin views differ only in a few columns, you can use a single table config with column-level role gating instead of two separate configs:

In the column settings for a sensitive column (e.g., line_item_cost), set Minimum role to view this column to Administrator. Shop managers will see all other columns but not this one. The column does not appear in the table HTML at all for shop managers, it is not hidden by CSS.

Column-level role gating reduces the number of table configs to maintain but makes the single config more complex. For three clearly distinct views, separate configs are easier to reason about and audit.

The configuration you set here applies to every visitor who loads a page containing this table, regardless of whether they are logged in. Role-specific overrides for columns and rows are a separate layer and do not replace these global display settings. Apply global settings first, then add role restrictions as needed for tables that serve multiple user types.

How Does Security Considerations Work?

Testing the role config: Use WordPress's "Switch to User" feature (available via the User Switching plugin) to test each role's experience without logging out. Visit the pages as each role and confirm that each user sees exactly the right data and controls.

What Is Summary: Three-Role Configuration at a Glance?

Each WooCommerce role gets a separate TableCrafter table configuration with different column sets, row visibility scopes, and shortcode attributes. This table summarizes the setup described throughout this guide:

Each configuration is independent: changing the column set on the administrator table does not affect the customer table. You can also share the same underlying data source across all three configurations, which means any change to order data is reflected immediately in all three table views without any synchronization step.

Frequently Asked Questions

What Is the Three-Table Strategy?

The cleanest approach is to create three separate table configurations sharing the same WooCommerce Orders data source. Each config is tuned for one role's needs:

What Is TableCrafter?

TableCrafter is a WordPress plugin that turns data from Gravity Forms, Google Sheets, Airtable, Notion, REST APIs, CSV files, and WooCommerce into interactive, sortable, filterable frontend tables. Embed any table on any WordPress page with the [tablecrafter] shortcode or the native Gutenberg block. No PHP or custom development required. The free version supports CSV, JSON, Google Sheets, and Excel. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST APIs, inline cell editing, export to CSV and PDF, role-based column visibility, and auto-refresh.

Does this require PHP or developer skills?

No. TableCrafter is configured entirely through the WordPress admin interface. You choose your data source, map fields to columns, and set display preferences using point-and-click controls. Embedding uses the [tablecrafter] shortcode or the native Gutenberg block.

Is the free version sufficient or do I need Pro?

The free plugin on WordPress.org supports CSV, JSON, Google Sheets, and Excel sources with unlimited tables, rows, and columns. Pro adds Gravity Forms, Airtable, Notion, WooCommerce, REST API sources, inline cell editing, bulk row actions, export to CSV and PDF, role-based column visibility, and auto-refresh every N seconds.

Ready to try it?

TableCrafter is free on WordPress.org. Pro unlocks inline editing, role-based permissions, and advanced data sources.

This configuration is saved to the WordPress database immediately. There is no draft or preview state for table settings; once you click Save, the change goes live on every page where this table is embedded via shortcode or block.

This step completes the connection between your data source and the TableCrafter table engine. Once saved, the plugin caches the connection credentials in the WordPress options table and uses them on every subsequent page load. If you update the source configuration later, for example rotating an API key or changing a sheet URL, return to this step, enter the new value, and save again. The table updates immediately on next load without any shortcode changes.