[wp-hackers] What does user_can really check?
Kevin Newman
CaptainN at unFocus.com
Wed Nov 23 18:15:43 UTC 2011

"Roles" (as a set of caps - pretty standard stuff in granular
permissions systems) are used too widely in the WordPress admin to be
deprecated. User levels have been deprecated (and rightly so) but roles
have not been. The codex makes this pretty clear - roles are NOT
deprecated: http://codex.wordpress.org/Roles_and_Capabilities

Anyway, all I really need to know is, if I take a subscriber (as a
shorthand for checking the user has ONLY "read" cap), and give them an
additional cap, will that change their role to something other than
subscriber, or does the role have to be specifically changed? That's the
question.

To make this clearer in the API, I would suggest a user_is method be
added to core, as a way to check for a specific role, rather than
overloading the user_can method (incorrectly) the way it is now.
Incorrectly because "user_can" - "do what subscriber can do" - it should
return true for admins, contribs, etc. when you check for "subscriber"
caps - but now it returns false.

Kevin N.

On 11/22/11 11:36 PM, Dion Hulse (dd32) wrote:
> current_user_can('subscriber') || user_can( $user_id, 'subscriber')
> works due to the capability system including the Role Slug as a user
> capability. AFAIK, this is done for backwards compatibility with code
> such as yours.
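
A simplified Python model of the behaviour discussed in this thread, added here as an illustration and not WordPress core code or code from either poster: role slugs are stored alongside per-user capabilities, so granting an extra capability leaves the role as it was, while a role-slug check stops meaning "has only read". The `User` class, `user_is`, `has_only` and the trimmed role table are assumptions made for the example.

```python
# Simplified model of the behaviour discussed in this thread; not WordPress code.
# Role definitions are constructed sample data, trimmed to a few capabilities.
ROLES = {
    "subscriber": {"read"},
    "contributor": {"read", "edit_posts"},
    "administrator": {"read", "edit_posts", "manage_options"},
}


class User:
    def __init__(self, role):
        # Stored per-user entries: role slugs and individually granted caps
        # share one map, which is why a role slug answers a capability check.
        self.caps = {role: True}

    def add_cap(self, cap):
        self.caps[cap] = True  # grants one capability; the role entry is untouched

    @property
    def roles(self):
        # A role is any stored entry whose name is a registered role.
        return [name for name, on in self.caps.items() if on and name in ROLES]

    @property
    def allcaps(self):
        merged = set()
        for role in self.roles:
            merged |= ROLES[role]
        # The user's own entries are merged in too, including the role slug.
        merged |= {name for name, on in self.caps.items() if on}
        return merged


def user_can(user, cap):
    """Capability check: true only if cap is in the merged set."""
    return cap in user.allcaps


def user_is(user, role):
    """Hypothetical role check, along the lines proposed in the message."""
    return role in user.roles


def has_only(user, allowed):
    """Authorization-safe test for 'nothing beyond these capabilities'."""
    return user.allcaps - set(user.roles) <= set(allowed)
```

For an access decision that depends on a user having nothing beyond "read", compare the effective capability set as `has_only` does rather than testing the role slug.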