Developers English WordPress Plugin

Listing Co-Owners for Listeo: Developer Guide

Developer notes for safe overrides, permissions, data ownership, UI integration, testing, and support workflows.

Listing Co-Owners for Listeo Version 1.2 13 min read Updated Jun 30, 2026
Security boundary

Do not bypass license-gated initialization, override license classes, fake license status, replace updater callbacks, or remove account/domain checks. Developer customization starts after the plugin has been legitimately activated and initialized.

Scope

This guide is for developers extending Listing Co-Owners for Listeo in a child theme, site plugin, or mu-plugin. Every customization must preserve server-side authorization, nonces, ownership checks, and listing boundaries.

Important files

FileResponsibility
listing-co-owners-for-listeo.phpBootstrap, constants, activation defaults, Listeo detection, class loading, update hooks.
includes/class-lcol-capabilities.phpCapability registry, presets, labels, groups, invite exclusions, form section mapping.
includes/class-lcol-permissions.phpCentral permission checks, Listeo edit checks, dashboard actions, reviews, form filtering.
includes/class-lcol-team.phpPer-listing team storage and member add/update/remove operations.
includes/class-lcol-invites.phpInvite table, invite creation, email delivery, accept-link flow.
includes/class-lcol-query.phpExpands My Listings, reviews, and bookings/calendar queries for assigned users.
includes/class-lcol-ajax.phpTeam panel, invites, member changes, user search, admin saves.
templates/frontend-team-panel.phpAJAX-rendered team management panel.

Storage

  • _lcol_team: current team data structure.
  • _lcol_assigned_owners: legacy assigned owners meta kept in sync.
  • _lcol_created_by: creator fallback permissions.
  • wp_lcol_invites: invite table with listing ID, email, role, permissions JSON, token, inviter, status, and timestamps.

Permission model

Use LCOL_Permissions::user_can($listing_id, $cap, $user_id) as the central check. Administrators with manage_options pass. Primary owners receive the primary owner capability set. Team members receive capabilities from their stored role and permissions.

Supported filters

FilterUse
lcol_capabilitiesAdd or adjust capability metadata. Add enforcement wherever the new capability is used.
lcol_capability_presetsChange manager/editor/support/custom presets.
lcol_capability_group_labelsChange permission group labels.
lcol_capability_group_descriptionsChange group help text.
lcol_invite_excluded_capsHide sensitive capabilities from the invite UI.
lcol_submit_section_permission_mapMap Listeo submit form sections to co-owner capabilities.
lcol_user_canFinal permission decision filter. Keep listing/user context.
lcol_assigned_listing_ids_for_userAdjust listing IDs considered assigned to a user.
lcol_is_dashboard_contextLoad front-end modal/assets on a custom dashboard page.

Safe overrides

Hide wallet access from invite screens:

add_filter('lcol_invite_excluded_caps', function (array $excluded): array {
    $excluded[] = 'wallet';
    return array_values(array_unique($excluded));
});

Add a conservative content-only preset:

add_filter('lcol_capability_presets', function (array $presets): array {
    $presets['content_assistant'] = [
        'label' => 'Content Assistant',
        'description' => 'Can update listing content and images only.',
        'permissions' => ['view_dashboard', 'edit_description', 'manage_images'],
    ];

    return $presets;
});

Allow assets on a custom dashboard page:

add_filter('lcol_is_dashboard_context', function (bool $is_context): bool {
    return $is_context || is_page('partner-dashboard');
});

AJAX actions

Front-end team operations use lcol_team_nonce; admin search/save operations use lcol_admin_nonce. Do not call these actions from public unauthenticated scripts.

  • lcol_get_team_panel
  • lcol_send_invite
  • lcol_cancel_invite
  • lcol_remove_member
  • lcol_update_member
  • lcol_search_users
  • lcol_save_listing_owners

Regression checklist

  1. Primary owner can manage the listing and team.
  2. Co-owner can see only assigned listings.
  3. Co-owner can edit only sections allowed by their capabilities.
  4. Co-owner cannot edit unrelated listings by changing request IDs.
  5. Removed co-owner immediately loses listing access.
  6. Pending, accepted, expired, and cancelled invites behave correctly.
  7. Bookings, reviews, messages, wallet, renew, and delete permissions are tested independently.
  8. Admin metabox saves keep _lcol_team and _lcol_assigned_owners synchronized.

Do not customize here

  • License activation or update authorization code.
  • License-gated class initialization.
  • Nonce or capability checks inside AJAX handlers.
  • Permission results that grant access without checking the specific listing ID and user ID.
  • Direct writes to _lcol_team that bypass LCOL_Team.
  • SQL or query filters that show private/unassigned listings to co-owners.