A Deep Dive into the Roles and Capabilities API

by John Blackbourn

Slide 1

Slide 1 text

A deep dive into The User Roles and Capabilities API

Slide 2

Slide 2 text

WordPress core developer Working with WordPress for 12+ years Senior Engineer at Human Made John Blackbourn @johnbillion

Slide 3

Slide 3 text

User Roles •Administrator •Editor •Author •Contributor •Subscriber • {Super Admin} • {No role}

Slide 4

Slide 4 text

No Role

Slide 5

Slide 5 text

Roles Aren’t Hierarchical

Slide 6

Slide 6 text

Roles, Capabilities, and Responsibilities

Slide 7

Slide 7 text

• Administrator • Editor • Author • Contributor • Subscriber Administer the site Edit all content Edit their own content Contribute proposals Nothing Role Responsibility

Slide 8

Slide 8 text

• Administrator • Editor • Author • Contributor • Subscriber Multiple Roles }Doesn’t make much sense

Slide 9

Slide 9 text

• Comment Moderator • Employee Manager Multiple Roles } Two distinct responsibilities

Slide 10

Slide 10 text

Roles and Responsibilities in bbPress • Keymaster • Moderator • Participant • Spectator Manage the forums Moderate discussion Participate in discussion Follow topics

Slide 11

Slide 11 text

• Author • Forum Moderator Multiple Roles with bbPress } Now we’re talking

Slide 12

Slide 12 text

Multiple Roles with bbPress

Slide 13

Slide 13 text

Multiple Roles with ‘Members’

Slide 14

Slide 14 text

Roles, Capabilities, and Responsibilities

Slide 15

Slide 15 text

User Capability Checks current_user_can( 'edit_posts' ) current_user_can( 'manage_options' ) current_user_can( 'upload_files' ) user_can( $user_id, 'delete_users' )

Slide 16

Slide 16 text

User Capability Checks current_user_can( 'administrator' ) current_user_can( 'administrator' ) current_user_can( 'create_users' )

Slide 17

Slide 17 text

Back In The Day level_10 level_9 level_8 level_7 level_6 level_5 level_4 level_3 level_2 level_1 level_0

Slide 18

Slide 18 text

Meta & Primitive Capabilities current_user_can( 'edit_post', $post_id )

Slide 19

Slide 19 text

map_meta_cap() Handles the mapping from meta capabilities to primitive capabilities edit_post edit_others_posts

Slide 20

Slide 20 text

$post = get_post( $post_id ); if ( ! $post ) { // If the post doesn't exist... $caps[] = 'do_not_allow'; break; } current_user_can( 'edit_post', $post_id )

Slide 21

Slide 21 text

if ( $user_id == $post->post_author ) { if ( $post->post_status == 'publish' ) { // If the post is published... $caps[] = 'edit_published_posts'; } else { // If the post is draft... $caps[] = 'edit_posts'; } } current_user_can( 'edit_post', $post_id )

Slide 22

Slide 22 text

} else { // Trying to edit someone else's post... $caps[] = 'edit_others_posts'; // The post is published... if ( $post->post_status == 'publish' ) { $caps[] = 'edit_published_posts'; } elseif ( 'private' == $post->post_status ) { $caps[] = 'edit_private_posts'; } current_user_can( 'edit_post', $post_id )

Slide 23

Slide 23 text

Meta & Primitive Capabilities // Another user's published post: current_user_can( 'edit_post', $post_id ) > edit_published_posts > edit_others_posts // My own draft post: current_user_can( 'edit_post', $post_id ) > edit_posts

Slide 24

Slide 24 text

case 'delete_user': // Only super admins can delete users. if ( is_multisite() && ! is_super_admin( $user_id ) ) $caps[] = 'do_not_allow'; else $caps[] = 'delete_users'; break; current_user_can( 'delete_user', $id )

Slide 25

Slide 25 text

map_meta_cap() Handles the mapping from meta capabilities to primitive capabilities edit_post edit_others_posts

Slide 26

Slide 26 text

apply_filters( 'map_meta_cap', $caps, $cap, $user_id, $args ); map_meta_cap edit_post 456 edit_others_posts edit_published_posts 123

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Slide 29

Slide 29 text

function foo( $required_caps, $cap, $user_id, $args ) { if ( 'upload_files' == $cap ) { // If user can edit posts, allow to upload files: $required_caps = array( 'edit_posts' ); } return $required_caps; } add_filter( 'map_meta_cap', 'foo', 10, 4 );

Slide 30

Slide 30 text

map_meta_cap Use this ﬁlter to alter the required primitive caps for a cap check

Slide 31

Slide 31 text

user_has_cap apply_filters( 'user_has_cap', $caps, $required_caps, $args ); edit_others_posts 123 edit_posts edit_post_tags moderate_comments ...

Slide 32

Slide 32 text

// Check authentication: if ( current_user_can( 'switch_to_user', $user_id ) ) { // Switch user... }

Slide 33

Slide 33 text

function foo( $user_caps, $required_caps, $args ) { if ( 'switch_to_user' === $args[0] ) { $user_caps['switch_to_user'] = ( user_can( $args[1], 'edit_user', $args[2] ) && $args[2] != $args[1] ); } return $user_caps; } add_filter( 'user_has_cap', 'foo', 10, 3 );

Slide 34

Slide 34 text

map_meta_cap Use this ﬁlter to alter the required primitive caps for a cap check. user_has_cap Use this ﬁlter to grant or deny the actual caps of a user.

Slide 35

Slide 35 text

Recap • Roles • Responsibilities • Capabilities • map_meta_cap • user_has_cap • Trivia

Slide 36

Slide 36 text

Non-Logged-In Users current_user_can( 'do', 'something' ) // This always returns true: current_user_can( 'exist' ) // You need this too: is_user_logged_in()

Slide 37

Slide 37 text

More Granular Meta Caps in Core current_user_can( 'edit_user', $user ) current_user_can( 'delete_post', $post ) // Coming soon (hopefully): current_user_can( 'edit_theme', $theme ) current_user_can( 'activate_plugin', $plugin ) current_user_can( 'delete_site', $site )

Slide 38

Slide 38 text

Core's Capability Tests Tests_User_Capabilities 'upload_plugins' => array( 'administrator' ), 'upload_themes' => array( 'administrator' ), 'customize' => array( 'administrator' ), 'add_users' => array( 'administrator' ), 'edit_categories' => array( 'administrator', 'editor' ), 'delete_categories' => array( 'administrator', 'editor' ), 'manage_post_tags' => array( 'administrator', 'editor' ), 'edit_post_tags' => array( 'administrator', 'editor' ), 'delete_post_tags' => array( 'administrator', 'editor' ), 'edit_css' => array( 'administrator', 'editor' ), 'assign_categories' => array( 'administrator', 'editor', 'author', 'contributor' ), 'assign_post_tags' => array( 'administrator', 'editor', 'author', 'contributor' ),

Slide 39

Slide 39 text

Questions? John Blackbourn @johnbillion