[wp-hackers] Avoiding user profile editing to non administrators

Luke Poland luke at thunderlounge.com
Mon Dec 18 12:56:07 GMT 2006


Or, add the current_user_can check in front of the profile link
in the top right, the main users tab, and check the same in
wp-login.php and redirect them to the main site from the
login. Unless there are additional options they can play with
back there, why let them in at all?

Of course a check in profile.php too, so it can't be loaded
directly.

No links, no error messages.    :D



-- Luke




Viper007Bond wrote:
> Er, ha, that's what you said (didn't read to the end).
>
> Yes, that'd probably be the best way (check the script), although this
> is a better/easier test:
>
> if ( 'profile.php' == basename($_SERVER['SCRIPT_NAME']) &&
>      !current_user_can('edit_users') )
>     die("Sorry, you aren't allowed to edit your own profile.");
>
> Although a prettier error message would probably be better. ;)
>



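As an added example (not code from this thread, and not WordPress's own code), here is the approach Luke describes written as a small plugin: a server-side gate on profile.php that runs on every admin request, removal of the profile links so restricted users never see a link that leads nowhere, and a login redirect to the front page. It is written against the current WordPress hook API (admin_init, admin_menu, admin_bar_menu, login_redirect, $pagenow, wp_die, the menu slugs and admin-bar node ids); those names are assumptions about today's WordPress, not something the 2006 thread shows, and the edit_users capability is the one the thread uses.

```php
<?php
/*
Plugin Name: Lock Profile Editing (example)
Description: Example of the wp-hackers suggestion: hide the profile links and refuse profile.php to users without edit_users.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// Capability used as the gate. Assumption: the thread uses edit_users; swap in
// a custom capability if you need a narrower rule.
define( 'LPE_REQUIRED_CAP', 'edit_users' );

/**
 * True when the current admin request is for the profile editor, for both the
 * GET that renders the form and the POST that saves it (profile.php handles
 * its own submit). $pagenow is derived by WordPress from the script name, so
 * this is the same test as basename($_SERVER['SCRIPT_NAME']) == 'profile.php'.
 */
function lpe_is_profile_request() {
    global $pagenow;
    return 'profile.php' === $pagenow;
}

/**
 * The real control: runs before profile.php renders or processes anything,
 * so the page cannot be loaded or submitted directly even with no links.
 */
function lpe_block_profile_page() {
    if ( lpe_is_profile_request() && ! current_user_can( LPE_REQUIRED_CAP ) ) {
        wp_die(
            esc_html__( 'Sorry, you are not allowed to edit your own profile.' ),
            esc_html__( 'Profile editing disabled' ),
            array( 'response' => 403 )
        );
    }
}
add_action( 'admin_init', 'lpe_block_profile_page' );

/**
 * Cosmetic half: drop the Profile entry from the admin menu. Subscribers get a
 * top-level profile.php item; users who can list users get it under users.php.
 */
function lpe_hide_profile_menu() {
    if ( current_user_can( LPE_REQUIRED_CAP ) ) {
        return;
    }
    remove_menu_page( 'profile.php' );
    remove_submenu_page( 'users.php', 'profile.php' );
}
add_action( 'admin_menu', 'lpe_hide_profile_menu', 999 );

/**
 * Remove the "Edit My Profile" links from the toolbar account menu as well.
 */
function lpe_hide_toolbar_profile_links( $wp_admin_bar ) {
    if ( current_user_can( LPE_REQUIRED_CAP ) ) {
        return;
    }
    $wp_admin_bar->remove_node( 'edit-profile' );
    $wp_admin_bar->remove_node( 'user-info' );
}
add_action( 'admin_bar_menu', 'lpe_hide_toolbar_profile_links', 999 );

/**
 * Keep users with nothing to do in wp-admin out of it entirely: after login,
 * send them to the front page instead of the dashboard. $user is a WP_Error on
 * a failed login, so only act on a real WP_User.
 */
function lpe_login_redirect( $redirect_to, $requested_redirect_to, $user ) {
    if ( $user instanceof WP_User && ! user_can( $user, LPE_REQUIRED_CAP ) ) {
        return home_url( '/' );
    }
    return $redirect_to;
}
add_filter( 'login_redirect', 'lpe_login_redirect', 10, 3 );
```

The admin_init check is the part that matters; the menu, toolbar and login pieces only stop users from finding a page they would be refused anyway. Note that this gates the profile.php script only: in current WordPress a user can also change their own record through other entry points (for example the REST API's users/me endpoint and XML-RPC when those are enabled), so an installation that needs a hard rule should also cover those paths or restrict the relevant capabilities directly.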