[wp-hackers] What does user_can really check?

Andrew Nacin wp at andrewnacin.com
Thu Dec 1 18:16:22 UTC 2011


On Fri, Nov 25, 2011 at 8:11 AM, 24/7 <24-7 at gmx.net> wrote:

> One thing that was left out in this discussion: "granting" capabilities (I
> just ran into this): If you add a capability to a user or a role, you have
> the possibility to allow the access to it or not.
>
> Consider the following:
>
> $roles = $GLOBALS['wp_roles']->roles; // get all roles
> $role_admin = $roles['administrator'];
> $role_subscriber = $roles['subscriber'];
>

Use get_role( 'administrator' ) rather than accessing the object directly.
If you want all roles, get_editable_roles() is a good start.

>
> // Now let's check this:
> $role_admin->has_cap( 'read_hackers' );
> $role_subscriber->add_cap( 'read_hackers' );
> // result: Both returned true.
>

No, that's not right. grant => false works just fine for me.

$role = get_role( 'administrator' );
var_dump( $role->has_cap( 'read_hackers' ) ); // false
$role->add_cap( 'read_hackers', false );
var_dump( $role->has_cap( 'read_hackers' ) ); // false
$role->add_cap( 'read_hackers', true );
var_dump( $role->has_cap( 'read_hackers' ) ); // true


> // If we want to check this, we need to access the object directly
> $role_admin_access = $role_admin['read_hackers'] ? true : false; // false
> $role_subscriber_access = $role_admin['read_hackers'] ? true : false; // true
>

Please don't reach underneath the API to do things. This is how plugins
break. :-)

Nacin
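Putting the grant flag and the API-only checks together in plugin form, as an added example that is not code from the thread: it assumes it runs inside WordPress as a plugin file; the capability name `read_hackers` is the one from the thread, while the `rh_` function names are hypothetical.

```php
<?php
/*
Plugin Name: Read Hackers Capability (hypothetical example)
*/

// add_cap() persists the role to the database (the wp_user_roles option),
// so run it once on activation rather than on every request.
function rh_grant_caps() {
    $admin = get_role( 'administrator' );
    $sub   = get_role( 'subscriber' );
    if ( ! $admin || ! $sub ) {
        return; // a role was removed by another plugin; nothing to change
    }
    // Second argument is $grant. true stores 'read_hackers' => true.
    $admin->add_cap( 'read_hackers', true );
    // grant => false stores 'read_hackers' => false: the key exists on the
    // role, but has_cap() still returns false, so it works as an explicit deny.
    $sub->add_cap( 'read_hackers', false );
}
register_activation_hook( __FILE__, 'rh_grant_caps' );

// Remove the capability again on deactivation so no stale grants linger.
function rh_revoke_caps() {
    foreach ( array( 'administrator', 'subscriber' ) as $name ) {
        $role = get_role( $name );
        if ( $role ) {
            $role->remove_cap( 'read_hackers' );
        }
    }
}
register_deactivation_hook( __FILE__, 'rh_revoke_caps' );

// Authorization checks go through the API (user_can / current_user_can),
// never through $GLOBALS['wp_roles']->roles or the role's capabilities array.
function rh_user_may_read_hackers( $user_id ) {
    return user_can( $user_id, 'read_hackers' );
}

// Callback for a page that only users holding the capability may view.
function rh_render_page() {
    if ( ! current_user_can( 'read_hackers' ) ) {
        wp_die( 'You do not have permission to view this page.', '', array( 'response' => 403 ) );
    }
    echo '<p>Hackers list goes here.</p>';
}
```

With the roles set up this way, `user_can( $subscriber_id, 'read_hackers' )` returns false even though the key is present on the subscriber role, which is exactly the distinction that reading the array directly would miss.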
