[wp-hackers] User Capabilities

Ryan Boren ryan at boren.nu
Fri Jul 1 15:52:17 GMT 2005

On Fri, 2005-07-01 at 11:37 -0400, Owen Winkler wrote:
> Ryan Boren wrote:
> > A more useful and understandable model would be to limit roles to
> > categories.  A user would have a role and a list of categories to which
> > that role's post edit/create/publish capabilities would apply.  A
> > Managing Editor, for example, would have capabilities on all categories,
> > whereas a Copy Editor might have capabilities on only one or two
> > categories.  So, a Managing Editor could edit any user's posts and a
> > Copy Editor could edit other users' posts only within a set of
> > categories.
> Are category permissions something you would consider for the core? 
> Some sites don't use categories, and with the recent focus on 
> keywords/tags, this might become more prevalent.  Of course, using 
> categories this way might shift thinking toward using categories 
> primarily for security, and keyword plugins instead of traditional 
> categories.

Categories for such sites could strictly be a workflow device.
Personally, I say forget about per-category capabilities and keep it
simple.  I offered per-category capabilities as a compromise for those
wanting to maintain some sort of capability partitioning.

> What are your thoughts on plugin access to these permissions?  Will the 
> permission structure allow for:
> if( apply_filters('perm_edit_posts', current_user_can('edit_posts'), 
> $post->ID) ) {...}
> Or will filters only be applied in advance?  The difference being that 
> filters applied as above might allow plugins to grant/deny editing 
> permissions to individual posts based on custom criteria, whereas a 
> up-front filter would not.
> Just a thought.

I'd like plugins to have all of the information available to
WP_User::has_cap() including post ids and any additional information
passed along.  So, we should probably apply the filter in has_cap().  We
should pass a reference to the user object along with the other args so
that the ID and user data is available to the plugin.


More information about the wp-hackers mailing list