[wp-hackers] What does user_can really check?
24-7 at gmx.net
Fri Nov 25 13:11:59 UTC 2011
One thing that was left out in this discussion: "granting" capabilities (I
just ran into this): If you add a capability to a user or a role, you have
the possibility to allow the access to it or not.
Consider the following:
$roles = $GLOBALS['wp_roles']->roles; // get all roles
$role_admin = $roles['administrator'];
$role_subscriber = $roles['subscriber'];
// Now add a capability and grant or deny the access
// role_object->add_cap( 'cap_name', (bool) $grant );
$role_admin->add_cap( 'read_hackers', false );
$role_subscriber->add_cap( 'read_hackers', true );
// Here we got the situation that admins and subscribers both have the cap
// Now let's check this:
$role_admin->has_cap( 'read_hackers' );
$role_subscriber->add_cap( 'read_hackers' );
// result: Both returned true.
// If we want to check this, we need to access the object directly
$role_admin_access = $role_admin['read_hackers'] ? true : false; // false
$role_subscriber_access = $role_admin['read_hackers'] ? true : false; //
The problem is that the "grant" check is simply missing in the API. The
same goes for functions that change the grant/deny value. It would be nice
and interesting to have this, as it would allow us to give access to
certain roles, but blacklist/whitelist specific users.
Sry for beeing slightly off topic, but I think this should be mentioned in
More information about the wp-hackers