[wp-trac] [WordPress Trac] #36368: Add capability for `admin_access`

WordPress Trac noreply at wordpress.org
Tue Mar 29 14:35:05 UTC 2016


#36368: Add capability for `admin_access`
-----------------------------+------------------------------
 Reporter:  krogsgard        |       Owner:
     Type:  feature request  |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Users            |     Version:
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:  administration
-----------------------------+------------------------------

Comment (by krogsgard):

 @ocean90 Good point I didn't address. So... both `read` and `edit_posts`
 could otherwise seem like logical capability checks.

 I understand that `read` is technically for administrative access, but its
 other inconvenience is that it's the only capability for subscribers,
 therefore making it scary territory for ''actually'' checking for such a
 thing -- because who knows how folks are using it. I can imagine all sorts
 of stuff that has nothing to do with admin access that developers could be
 using the only cap made available to all users for.

 This came about because I was having an issue where WooCommerce customers
 who were also authors/editors lost admin access, and it turns out to be
 from some multi-role issues and various capability checking. Sidenote:
 customers and subscribers look a lot alike, capability-wise. (Double
 sidenote, here's the
 [https://github.com/woothemes/woocommerce/blob/848bfe768f154ea2edb6ae8d0a1d0942c386e154/includes/admin/class-wc-admin.php#L119 goofiness they use]
 to lock down the admin... I
 assume they have reasoning for not just altering read access? Pretty smart
 folks there.)

 When plugins may be using some of those same capability checks for other
 things (I dunno? front end account editing, maybe?) it makes it a bit
 scary to start turning off `read` access from WP itself because that's the
 only capability available.

 A second, more explicit capability would be nice in this case... hence
 `admin_access` -- not to mention the less confusing name than "read" :)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36368#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

