[wp-hackers] User Capabilities
ringmaster at midnightcircus.com
Sun Jul 17 22:54:35 GMT 2005
Jason Bainbridge wrote:
> Obviously both Admin and Editor have edit_others_posts as part of
> their role but the current permissions look for posts made by users of
> the same level or below so should this be changed just to check for
> Admin or Editor? Should Editor be able to edit posts by Admin?
No, this resolves to the general capability 'edit_posts'. Just remember
to pass the post ID as a second parameter to the current_user_can()
The map_meta_cap() function figures out what additional capabilities the
current user needs based on the passed-in ID.
So to answer your last couple of questions, the Role of the user is
irrelevant to the check. Just check for the 'edit_posts' capability.
If the "Editor" has 'edit_others_posts', then obviously he can edit
other's posts - yes, including those with the Role "Administrator",
which is an arbitrary name assigned to a type of user with a certain
list of capabilities. The Role system makes no distinction of one role
being more powerful than another.
On the other hand, we need to put a plugin hook in map_meta_caps() so
that plugins can define additional capability requirements per post-ID,
so that you can do things like protecting the posts of certain users
from editing by other users that do have 'edit_others_posts'. Or even
crazy things like limiting editing permissions based on postmeta, which
sounds like a cool thing to me.
More information about the wp-hackers