[wp-hackers] Avoiding user profile editing to non administrators
Luke Poland
luke at thunderlounge.com
Mon Dec 18 12:56:07 GMT 2006
Or, add the current_user_can check in front of the profile link
in the top right, the main users tab, and check the same in
wp-login.php and redirect them to the main site from the
login. Unless there are additional options they can play with
back there, why let them in at all?
Of course a check in profile.php too, so it can't be loaded
directly.
No links, no error messages. :D
-- Luke
Viper007Bond wrote:
> Er, ha, that's what you said (didn't read to the end).
>
> Yes, that'd probably be the best way (check the script), although this
> is a better/easier test:
>
> if ( 'profile.php' == basename($_SERVER['SCRIPT_NAME']) &&
> !current_user_can('edit_users') ) die("Sorry, you aren't allowed to edit
> your own profile.");
>
> Although a prettier error message would probably be better. ;)
>
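Luke's suggestion, written out as a small plugin, is an added example and not code from the thread or from WordPress itself. It assumes a WordPress version that provides the `admin_init` and `admin_menu` hooks, `wp_redirect()` and `remove_menu_page()` (all later additions than this 2006 thread); the `rpe_` prefix and the `RPE_REQUIRED_CAP` constant are names chosen here.

```php
<?php
/*
Plugin Name: Restrict Profile Editing (example)
Description: Only users with edit_users may open profile.php; everyone else is sent home.
*/

// Capability that gates profile editing, following the thread's choice of 'edit_users'.
define( 'RPE_REQUIRED_CAP', 'edit_users' );

// Pure decision function so the rule can be read (and unit-tested) on its own:
// block when the running script is profile.php and the user lacks the capability.
function rpe_should_block( $script_name, $user_has_cap ) {
    return 'profile.php' === basename( $script_name ) && ! $user_has_cap;
}

// Server-side guard. admin_init fires for every wp-admin request, GET or POST,
// before profile.php renders or processes anything, so a user who types the URL
// directly (or replays a saved form) is stopped even though no link is shown.
function rpe_guard_profile_page() {
    $script = isset( $_SERVER['SCRIPT_NAME'] ) ? $_SERVER['SCRIPT_NAME'] : '';
    if ( rpe_should_block( $script, current_user_can( RPE_REQUIRED_CAP ) ) ) {
        // Redirect to the main site rather than showing an error, as Luke proposes.
        wp_redirect( get_option( 'home' ) );
        exit; // wp_redirect() only sends the header; without exit the page would still run.
    }
}
add_action( 'admin_init', 'rpe_guard_profile_page' );

// Cosmetic part: hide the Profile entry from the admin menu for users who cannot
// use it. This is convenience only; the admin_init check above is the real control.
function rpe_hide_profile_menu() {
    if ( ! current_user_can( RPE_REQUIRED_CAP ) ) {
        remove_menu_page( 'profile.php' );
    }
}
// Late priority so the entry exists by the time we remove it.
add_action( 'admin_menu', 'rpe_hide_profile_menu', 999 );
```

Hiding the link alone is not a control; the redirect in `admin_init` is what stops a direct request to `profile.php`, so keep that part even if the menu tweak is dropped.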