[wp-trac] [WordPress Trac] #36376: current_user_can/has_cap fails when user has multiple roles
WordPress Trac
noreply at wordpress.org
Tue Dec 5 01:55:43 UTC 2017
#36376: current_user_can/has_cap fails when user has multiple roles
-----------------------------------------+-----------------------
Reporter: mikejolley | Owner: dd32
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 5.0
Component: Role/Capability | Version:
Severity: normal | Resolution:
Keywords: has-unit-tests dev-feedback | Focuses:
-----------------------------------------+-----------------------
Comment (by dd32):
Replying to [comment:12 dd32]:
> Replying to [comment:11 knutsp]:
> > Explicitly setting a capability to false (denied) should take
> > precedence, even over later added roles or explicit capabilities, since
> > this is a special and more rare case. The lack of a capability is the
> > normal way of not giving that capability.
>
> I agree with this, let's make this happen.

Actually, mostly. I think an explicit capability should take precedence
over a role - but then the more I think about it, the more this is so
ambiguous.

 - `Bob` has a role of `editor` but a role of
   `denied_publish_capabilities`. Should Bob be able to post? IMHO: No
 - `Alice` has a role of `contributor` but a role of `allowed_to_publish`.
   Should Alice be able to post? IMHO: Yes
 - `John` has a role of `editor`, a role of `denied_publish_capabilities`
   AND `allowed_to_publish`. Should John be able to post? IMHO: Maybe.
   Implementation detail.

The scenario is an organisation where all editors are by default given
`denied_publish_capabilities` and later given the `allowed_to_publish`
role.

Then capabilities directly:

 - `Bob` is given the role of `editor`, but then denied the right to
   publish through `publish_posts => false`. Should Bob be able to post?
   IMHO: No
 - `Alice` is given the role of `contributor`, but then allowed to publish
   through `publish_posts => true`. Should Alice be able to post? IMHO: Yes
 - `John` is given the role of `editor`, a role of
   `denied_publish_capabilities`, but then allowed to publish through
   `publish_posts => true`. Should John be able to post? IMHO: Yes.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36376#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
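
An added illustration, not part of the original message and not WordPress core code: a PHP model that runs the six scenarios above through two hypothetical resolution policies, "explicit deny wins among roles, direct user capability overrides roles" and an order-dependent "last entry wins" merge. The role definitions, function names and both policies are assumptions constructed for this example.

```php
<?php
// Constructed role definitions; only publish_posts is modelled.
$roles = [
    'editor'                      => ['publish_posts' => true],
    'contributor'                 => [],                          // capability absent
    'denied_publish_capabilities' => ['publish_posts' => false],  // explicit deny
    'allowed_to_publish'          => ['publish_posts' => true],
];

// Hypothetical policy A: a capability set directly on the user decides;
// otherwise any role that explicitly denies beats roles that grant;
// a capability that no role mentions is simply not granted.
function resolve_deny_wins(array $roles, array $user_roles, array $user_caps, string $cap): bool
{
    if (array_key_exists($cap, $user_caps)) {
        return (bool) $user_caps[$cap];
    }
    $granted = false;
    foreach ($user_roles as $role) {
        if (!array_key_exists($cap, $roles[$role] ?? [])) {
            continue; // this role says nothing about the capability
        }
        if ($roles[$role][$cap] === false) {
            return false; // explicit deny short-circuits, regardless of order
        }
        $granted = true;
    }
    return $granted;
}

// Hypothetical policy B: merge roles in assignment order, then user caps;
// whichever entry comes last decides, so role order changes the answer.
function resolve_last_wins(array $roles, array $user_roles, array $user_caps, string $cap): bool
{
    $merged = [];
    foreach ($user_roles as $role) {
        $merged = array_merge($merged, $roles[$role] ?? []);
    }
    return !empty(array_merge($merged, $user_caps)[$cap]);
}

// The six scenarios from the comment: [roles in assignment order, direct caps].
$scenarios = [
    'Bob (roles)'    => [['editor', 'denied_publish_capabilities'], []],
    'Alice (roles)'  => [['contributor', 'allowed_to_publish'], []],
    'John (roles)'   => [['editor', 'denied_publish_capabilities', 'allowed_to_publish'], []],
    'Bob (direct)'   => [['editor'], ['publish_posts' => false]],
    'Alice (direct)' => [['contributor'], ['publish_posts' => true]],
    'John (direct)'  => [['editor', 'denied_publish_capabilities'], ['publish_posts' => true]],
];
foreach ($scenarios as $who => [$user_roles, $user_caps]) {
    $a = resolve_deny_wins($roles, $user_roles, $user_caps, 'publish_posts') ? 'yes' : 'no';
    $b = resolve_last_wins($roles, $user_roles, $user_caps, 'publish_posts') ? 'yes' : 'no';
    printf("%-15s deny-wins=%-3s last-wins=%s\n", $who, $a, $b);
}
```

With the role orders listed here, the two policies disagree only on the three-role John case that the comment marks "Maybe"; reordering a user's roles changes the result under the last-wins policy but not under deny-wins.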