
Client Control

Oxygen 3.6 introduces a new "Client Control" tab under Oxygen -> Settings in the WordPress admin panel. The Role Manager and Post Type Manager have been consolidated into this tab.

Role Manager

By default, access to Oxygen is only available to administrators. Access to Oxygen can be granted to other user roles at Oxygen -> Settings -> Client Control -> Role Manager in the WordPress admin area.

Oxygen's Role Manager works with the default WordPress user roles, any additional user roles added by custom code, and any additional user roles added by third-party plugins such as User Role Editor.

Access Levels

Note: Edit Mode will only be available on sites activated with an Oxygen Agency license.

Note that while Code Blocks are visually restricted in Edit Only mode, a malicious user could still execute arbitrary PHP code if they have access to Oxygen, so DO NOT GRANT OXYGEN ACCESS TO UNTRUSTED USERS.

In the access level dropdown for roles & users, you'll find Full Access, No Access, and Edit Only options.

Full Access will grant the given role or user complete, unrestricted access to Oxygen.

No Access will restrict the given role or user from accessing Oxygen at all, including all admin settings pages.

When Edit Only is chosen for a role or user, several restrictions are imposed for that role or user:

  • The Oxygen meta box is hidden. Instead, you'll find an Oxygen icon button in Gutenberg or a blue "Edit with Oxygen" button at the top of post edit screens using the Classic Editor.
  • The "Oxygen" admin menu is replaced with a single "Templates" link.
  • The Manage button in the builder is hidden. Edit Only users cannot access global settings, stylesheets, or selectors.
  • The +Add button is hidden.
  • The Conditions, Link, Duplicate, and Delete icons in the Properties Pane are hidden.
  • The add class button in the Selector Dropdown is hidden.
  • The copy, clear, and delete icons in the Selector Dropdown are hidden.
  • The Advanced tab in the Properties Pane is hidden.
  • Code Blocks cannot be clicked or edited, but the code will still be executed.
  • In the Structure Pane, the hamburger menu for elements is hidden.
  • In the Structure Pane, the delete icon for elements is hidden.
  • Drag & drop is disabled.

These restrictions make it safer to let a client into Oxygen, as they can only change styling and content. There's limited access to code, global styles or settings, deletion, or re-arranging of elements. Note that while Code Blocks are visually restricted in Edit Only mode, a malicious user could still execute arbitrary code if they have access to Oxygen, so DO NOT GRANT OXYGEN ACCESS TO UNTRUSTED USERS.

This, however, may be far too restrictive for some cases, so we've added some granular controls that appear once you've chosen "Edit Only" access for a role or user:

Enable Elements: Allows role/user access to insert, duplicate, and delete specified elements.

Enable Advanced Tab: Allows role/user to use the Advanced Tab in the Properties Pane. All Custom CSS and JavaScript tabs will still be hidden.

Enable Drag & Drop: Allows role/user to drag and drop elements in the builder.

Enable Reusable Parts: Allows role/user to add Reusable Parts.

Enable Design Library: Allows role/user to add elements from the Design Library.

Disable Classes: Prevents role/user from being able to modify a class that has been applied to an element.

In addition to these restrictions, you can also lock roles/users with Edit Only access completely out of Oxygen on specific posts using the new "Lock Post In Edit Mode" checkbox in the Oxygen meta box. This does not restrict the role/user's ability to access the WordPress editor for that post.

Per User Access

In addition to the Role Manager and Post Type Manager controls, you'll also find a "Per User Access" control section that allows you to define access on a per-user basis. Settings defined here will override role-based settings for a given user.

Post Type Manager

By default, Oxygen's metabox appears on the Edit screens for all post types.

You can hide the Oxygen metabox from post types where you do not need it via Oxygen -> Settings -> Client Control -> Post Type Manager in the WordPress admin area.

IMPORTANT SECURITY INFORMATION

Access to Oxygen should only be granted to trusted users. This is because Oxygen provides the ability to execute arbitrary PHP code, so any user granted access to Oxygen could execute code to do literally anything to your site. Do not grant ANY LEVEL of Oxygen access to untrusted users.
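
The following is an added example, not code from Oxygen or from this documentation: a small audit model that applies the rules above (per-user settings override role settings, and every level other than No Access requires a trusted user). All role, user, and setting data is constructed, the variable names are hypothetical and are not Oxygen option keys, and the handling of users with several roles is an assumption.

```python
# Added example: models the access rules described on this page for an audit.
# All data below is constructed; the names are not Oxygen option keys.

LEVELS = ("No Access", "Edit Only", "Full Access")  # least to most permissive

# Constructed Role Manager settings. "administrator" is listed explicitly
# because administrators have access by default; any role not listed here
# is treated as No Access.
ROLE_ACCESS = {"administrator": "Full Access", "editor": "Edit Only"}

# Constructed Per User Access settings; these override role-based settings.
USER_ACCESS = {"carol": "No Access", "dave": "Full Access"}

# Constructed user list: login -> roles held.
USERS = {
    "alice": ["administrator"],
    "bob": ["editor"],
    "carol": ["editor"],
    "dave": ["subscriber"],
    "erin": ["subscriber"],
    "frank": ["subscriber", "editor"],
}


def effective_access(login, roles):
    """Return the access level that applies to one user."""
    if login in USER_ACCESS:  # per-user setting wins over any role setting
        return USER_ACCESS[login]
    # Assumption: for a user with several roles, count the most permissive
    # one, which is the cautious reading for an audit.
    granted = [ROLE_ACCESS.get(r, "No Access") for r in roles]
    return max(granted, key=LEVELS.index, default="No Access")


def audit(users):
    """List every user with any level of Oxygen access.

    Per the page's warning, Edit Only is a UI restriction, not a security
    boundary, so both levels are reported as needing a trusted user.
    """
    report = {}
    for login, roles in sorted(users.items()):
        level = effective_access(login, roles)
        if level != "No Access":
            report[login] = level
    return report


if __name__ == "__main__":
    for login, level in audit(USERS).items():
        print(f"{login}: {level} (must be a trusted user)")
```

In this constructed data, dave is a subscriber who appears in the report only because of a per-user override, which is the kind of grant a role-only review would miss.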

Last modified: March 11, 2024
Copyright © 2024 Soflyy