Advanced WordPress Development: Capabilities (WordCamp Philly 2011)

WordCamp Philadelphia 2011
November 5, 2011

View Slide

Andrew Nacin
Core Developer of WordPress
Tech Ninja at Audrey Capital
[email protected]
@nacin on Twitter

View Slide

Advanced WordPress
Development
@nacin

View Slide

Capabilities
and tweaking them through
unconventional means
@nacin

View Slide

What do you know?
@nacin

View Slide

Modifying Roles and
Capabilities in the DB
get_role( ), add_role( ),
add_cap( ), remove_cap( ), etc.
@nacin

View Slide

Boring, and has
drawbacks.
@nacin

View Slide

Who has heard of
current_user_can( )?
What happens when you call it?
@nacin

View Slide

current_user_can( ) :
$user = wp_get_current_user( );
return $user->has_cap( $args );
(Core functions are often simpliﬁed in this talk.)
@nacin

View Slide

What don't you know?
@nacin

View Slide

Every call goes through
very powerful ﬁlters
user_has_cap
map_meta_cap
@nacin

View Slide

Why should I care?
What can I use them for?
Let's dig in.
@nacin

View Slide

WP_User's has_cap( ) method:
$required_caps = map_meta_cap( $args );
// Multisite super admin has all caps, unless denied.
if ( is_multisite( ) && is_super_admin( $user_id ) )
return ! in_array( 'do_not_allow', $required_caps );
$caps_user_has = apply_ﬁlters( 'user_has_cap',
$caps_user_has, $required_caps, $args );
// Must have all required caps
foreach ( $caps_user_has as $cap )
if ( empty( $caps_user_has[ $cap ] ) )
return false;
return true;

View Slide


View Slide

$required_caps = map_meta_cap( $caps );
$caps_user_has = apply_ﬁlters( 'user_has_cap'
return false;
return true;

View Slide

If you can edit pages, you can edit widgets:
add_ﬁlter( 'user_has_cap', function( $caps ) {
if ( ! empty( $caps[ 'edit_pages' ] )
$caps[ 'edit_theme_options' ] = true;
return $caps;
} );

View Slide

Give secondary "administrators" less control:
add_ﬁlter( 'user_has_cap',
function( $caps, $required_caps, $args ) {
$user_id = $args[1];
$user = new WP_User( $user_id );
if ( $user->user_email !=
get_option( 'admin_email' ) )
$caps[ 'manage_options' ] = false;
return $caps;
},
10, 3 );

View Slide

Chapter 2
What's a meta capability?
@nacin

View Slide

You have standard,
primitive capabilities
@nacin

View Slide

edit_posts
— Contributors, Authors, Editors have this.
@nacin

View Slide

edit_posts
edit_published_posts
— Is the post published?
— Authors, Editors have this.
@nacin

View Slide

edit_posts
edit_private_posts
— Is the post private?
— Editors have this.
@nacin

View Slide

edit_posts
edit_private_posts
— Is the post private?
edit_others_posts
— Are you not the post author?
@nacin

View Slide

Meta caps are singular, and roles
should never be assigned them.
— edit_post, delete_post, read_post
—delete_user, edit_user
@nacin

View Slide

Meta caps are singular, and roles
should never be assigned them.
— edit_post, delete_post, read_post
—delete_user, edit_user
Primitive caps are plural, and roles
have these.
— edit_posts, edit_published_posts
—delete_users, edit_users
@nacin

View Slide

Meta caps get converted to
primitive caps based on
context.
@nacin

View Slide

If you do:
current_user_can( 'edit_post', $post_id )
meta capability ^ context ^
map_meta_cap() translates this to, e.g.:
array( 'edit_posts' )
If the post is published and not by you:
array( 'edit_published_posts',
'edit_others_posts' )
@nacin

View Slide

map_meta_cap( ) only
determines what
capabilities the user needs.
@nacin

View Slide

return false;
return true;

View Slide

Don't let anyone delete users from the UI:
// apply_ﬁlters( 'map_meta_cap', $required_caps,
$queried_cap, $user_id, $args );
add_ﬁlter( 'map_meta_cap',
function( $required_caps, $queried_cap ) {
if ( 'delete_user' == $queried_cap ||
'delete_users' == $queried_cap )
$required_caps[] = 'do_not_allow';
return $required_caps;
}, 10, 2 );

View Slide

Only administrators can delete published posts:
if ( 'delete_post' == $queried_cap )
$required_caps[] = 'manage_options';
}, 10, 2 );

View Slide

Don't allow ﬁle changes via the UI:
if ( in_array( $queried_cap, array(
'edit_themes', 'edit_plugins',
'update_themes', 'update_plugins',
'install_themes', 'install_plugins',
'update_core' ) )
$required_caps[] = 'do_not_allow';
}, 10, 2 );

View Slide

(That is built into core, by the way...)
// deny edit_themes, edit_plugins
define( 'DISALLOW_FILE_EDIT', true );
// deny all file changes
define( 'DISALLOW_FILE_MODS', true );

View Slide

Require editors to approve posts:
if ( $queried_cap == 'publish_posts' )
$required_caps[] = 'edit_others_posts';
}, 10, 2 );

View Slide

map_meta_cap( ) is an
extensive, powerful
function.
wp-includes/capabilities.php
@nacin

View Slide

// mapping for current_user_can( 'edit_post', $post_id )
case 'edit_post' :
if ( $user_id == $post_author->ID ) { // Are we the author?
if ( 'publish' == $post->post_status )
$caps[] = $post_type->cap->edit_published_posts;
else
$caps[] = $post_type->cap->edit_posts;
} else {
// The user is trying to edit someone else's post.
$caps[] = $post_type->cap->edit_others_posts;
// If the post is published, extra caps are required.
if ( 'publish' == $post->post_status )
$caps[] = $post_type->cap->edit_published_posts;
elseif ( 'private' == $post->post_status )
$caps[] = $post_type->cap->edit_private_posts;
}
. . .
return apply_ﬁlters( 'map_meta_cap', $caps, ... );

View Slide

$post_type->cap->edit_posts;
Oooh, post types.
@nacin

View Slide

Chapter 3
How can you leverage
capabilities with post types?
@nacin

View Slide

Where you are leveraging the same
*_posts capabilities:
register_post_type( 'book', array(
. . .
'capability_type' => 'post',
// Implied for 'post' and 'page' :
'map_meta_cap' => true,
. . .
);

View Slide

Where you are assigning *_books
capabilities to users:
register_post_type( 'book', array(
. . .
'capability_type' => 'book',
// Map edit_book (and read, delete)
. . .
);

View Slide

Hey, plural forms too:
register_post_type( 'story', array(
. . .
'capability_type' =>
array( 'story', 'stories' )
// Map edit_story (and read,
delete) to edit_stories, etc.
);

View Slide

Go crazy with full customizations:
register_post_type( 'article', array(
. . .
'capabilities' => array(
// primitive capabilities assigned to users
'read' => 'read',
'edit_posts' => 'edit_articles',
'publish_posts' => 'edit_articles',
// lock them down once published
'edit_published_posts' => 'do_not_allow',
'delete_posts' => 'do_not_allow',
'delete_others_posts' => 'do_not_allow',
'delete_published_posts' => 'do_not_allow',
// meta capabilities
'edit_post' => . . .

View Slide

Review
user_has_cap ﬁlter
Explicitly granting or denying users
a capability.
map_meta_cap ﬁlter
Translating a capability into the
capabilities required, depending on
the context.
@nacin

View Slide

And ﬁnally:
register_post_type( )
You can customize mapping and
capabilities when registering a post type.
map_meta_cap( )
Read it. It's worth it.
get_post_type_capabilities( )
Read the documentation in
wp-includes/post.php.
@nacin

View Slide

Thanks! Questions?
@nacin

View Slide

Advanced WordPress Development: Capabilities (WordCamp Philly 2011)

Advanced WordPress Development: Capabilities (WordCamp Philly 2011)

nacin

Other Decks in Technology

Featured

Transcript