[wp-hackers] User Capabilities
Owen Winkler
ringmaster at midnightcircus.com
Sun Jul 17 22:54:35 GMT 2005
Jason Bainbridge wrote:
> Obviously both Admin and Editor have edit_others_posts as part of
> their role but the current permissions look for posts made by users of
> the same level or below so should this be changed just to check for
> Admin or Editor? Should Editor be able to edit posts by Admin?
No, this resolves to the general capability 'edit_posts'. Just remember
to pass the post ID as a second parameter to the current_user_can()
function, like:
    current_user_can('edit_posts', $post_id)
The map_meta_cap() function figures out what additional capabilities the
current user needs based on the passed-in ID.
So to answer your last couple of questions, the Role of the user is
irrelevant to the check. Just check for the 'edit_posts' capability.
If the "Editor" has 'edit_others_posts', then obviously he can edit
others' posts - yes, including those with the Role "Administrator",
which is an arbitrary name assigned to a type of user with a certain
list of capabilities. The Role system makes no distinction of one role
being more powerful than another.
On the other hand, we need to put a plugin hook in map_meta_cap() so
that plugins can define additional capability requirements per post-ID,
so that you can do things like protecting the posts of certain users
from editing by other users that do have 'edit_others_posts'. Or even
crazy things like limiting editing permissions based on postmeta, which
sounds like a cool thing to me.
Owen
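
Added example, not part of the original message and not WordPress core code: a plugin that protects posts from editing by users who hold 'edit_others_posts', driven by postmeta, as the reply proposes. It assumes a later WordPress release that exposes the 'map_meta_cap' filter and names the per-post check 'edit_post'; the '_locked_to_author' meta key and the example_* function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Locked Posts (added example)
 *
 * Assumptions: WordPress provides the 'map_meta_cap' filter and the
 * 'edit_post' / 'delete_post' meta capabilities. The '_locked_to_author'
 * postmeta key is hypothetical and exists only for this example.
 */

add_filter( 'map_meta_cap', 'example_lock_posts_by_postmeta', 10, 4 );

function example_lock_posts_by_postmeta( $caps, $cap, $user_id, $args ) {
    // Only per-post checks carry a post ID in $args[0]; leave the rest alone.
    if ( ! in_array( $cap, array( 'edit_post', 'delete_post' ), true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $post = get_post( (int) $args[0] );
    if ( ! $post ) {
        return $caps;
    }

    // The author keeps whatever capabilities were already mapped.
    if ( (int) $post->post_author === (int) $user_id ) {
        return $caps;
    }

    // Hypothetical flag: any non-empty value locks the post to its author.
    if ( get_post_meta( $post->ID, '_locked_to_author', true ) ) {
        // No role holds 'do_not_allow', so the check now fails even for
        // users who have 'edit_others_posts', whatever their Role is called.
        $caps[] = 'do_not_allow';
    }

    return $caps;
}

// Caller side: pass the post ID, otherwise the per-post mapping never runs.
function example_can_edit( $post_id ) {
    return current_user_can( 'edit_post', (int) $post_id );
}
```

The filter only adds requirements and never removes any, so a user who fails the built-in mapping still fails after it.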