[wp-hackers] What does user_can really check?
Dion Hulse (dd32)
wordpress at dd32.id.au
Sat Dec 3 01:31:18 UTC 2011
On 3 December 2011 03:57, 24/7 <24-7 at gmx.net> wrote:
>> Please don't reach underneath the API to do things. This is how
>> plugins break. :-)
>
> Just trying to get around how it's supposed to work :) Btw: Using GLOBALS
> instead of global to _not_ modify any global.
>
> The Q I was bringing up was simply: has_cap() doesn't check for $grant.
WP_User::has_cap() checks for $grant. It does this by the following code:

    foreach ( (array) $caps as $cap ) {
        if ( empty( $capabilities[ $cap ] ) )
            return false;
    }
    return true;

If it's false, it'll return as empty.
WP_Role::has_cap() is the same. It checks $grant through this code:

    if ( !empty( $capabilities[$cap] ) )
        return $capabilities[$cap];
    else
        return false;

I.e., if the value within the cap is something non-empty, it's true, it
has the cap. If it's an empty-ish value (not set, boolean false, 0,
empty string, etc.) it's false, it doesn't have the cap.
If you are running any kind of plugin that alters what users can/can't
do (such as the members plugin, role scoper, and a handful of others
I'd rather not remember the names of) then your code will likely not
work due to the plugin intercepting and going "Hey, I never authorized
that!"
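
Added example, not part of the original post and not WordPress's own code: a stand-alone PHP model of the two empty() checks quoted above, run over a constructed capability map to show which stored $grant values count as "has the cap". The function names, the sample data and the user-over-role merge step are assumptions made for illustration.

```php
<?php
// Stand-alone model of the two checks quoted above; it does not load WordPress.
// Function names and all sample data are constructed for illustration.

// Same loop as the WP_User::has_cap() excerpt: every cap must be non-empty.
function user_check(array $capabilities, array $caps): bool {
    foreach ($caps as $cap) {
        if (empty($capabilities[$cap])) {
            return false;
        }
    }
    return true;
}

// Same test as the WP_Role::has_cap() excerpt: the stored grant, or false.
function role_check(array $capabilities, string $cap) {
    return !empty($capabilities[$cap]) ? $capabilities[$cap] : false;
}

// Constructed capability map: cap name => $grant value.
$role_caps = [
    'read'          => true,   // granted
    'edit_posts'    => 1,      // non-empty, so treated as granted
    'publish_posts' => false,  // stored with $grant = false
    'delete_posts'  => 0,      // empty-ish
    'upload_files'  => '',     // empty-ish
];                             // 'manage_options' is not set at all

$names = array_merge(array_keys($role_caps), ['manage_options']);
foreach ($names as $cap) {
    printf("%-15s role=%-5s user=%s\n", $cap,
        var_export((bool) role_check($role_caps, $cap), true),
        var_export(user_check($role_caps, [$cap]), true));
}

// Checking several caps at once fails as soon as one is empty-ish.
var_dump(user_check($role_caps, ['read', 'edit_posts']));
var_dump(user_check($role_caps, ['read', 'publish_posts']));

// Assumption of this model: per-user entries are merged over role entries,
// so a stored false on the user overrides a role's true.
$user_caps = array_merge($role_caps, ['edit_posts' => false]);
var_dump(user_check($user_caps, ['edit_posts']));
```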