[wp-hackers] Developer portal

Ravi Narayan Sarma ravi-lists at g8o.net
Thu Dec 24 01:10:39 UTC 2009


Another one from current experience: I am writing a plugin to extend comment administration to let the user mark a comment as [todo], [replied], [ignore]. In the AJAX handler I want to first check that the caller has the permissions to do this (I think 'edit_posts' is what I should be checking for, but please let me know). I asked the Googles (search terms like: "wordpress function to check user rights or permissions" and shorter or more generic versions of this string). Searching through the Codex didn't find anything either.

Somewhere in the depths of the Roles and Capabilities Codex page or in the WP sources (I forget which came first), I found a reference to "current_user_can()". This is what I think I should be using. But in my admittedly inexpert searching through the Codex I could find neither a listing nor a description of this function. Nor does a Google search yield much apart from the xref. If indeed I have not missed something staring me in the eye (which is quite possible), then I think this is an example of one of the issues facing plugin/theme developers.

Additionally, given the significance of security, should there be a Codex page dedicated to educating plugin/theme developers about the kinds of security lapses they could easily create and what steps to keep in mind to avoid them?

2 more cents,

	—ravi
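The AJAX handler Ravi describes, written out as an added example (this is not code from the original post or from WordPress core). It shows the three checks such a handler needs in order, since each one alone is insufficient: a nonce check against CSRF (being on the `wp_ajax_` hook only proves the caller is logged in, and a subscriber is logged in too), a `current_user_can()` capability check for authorization, and strict validation of the two inputs. Assumptions that are mine, not the page's: the action name `ravi_tag_comment`, the nonce action `ravi_tag_comment_nonce`, the comment-meta key `_ravi_comment_tag` and the script handle are hypothetical; the capability checked is `moderate_comments`; and `wp_send_json_success()`/`wp_send_json_error()` and `wp_unslash()` need WordPress 3.6 or later.

```php
<?php
/**
 * Added example, not from the original post or from WordPress core.
 * Hypothetical names: action 'ravi_tag_comment', nonce action
 * 'ravi_tag_comment_nonce', meta key '_ravi_comment_tag'.
 * Assumes WordPress 3.6+ for wp_send_json_*() and wp_unslash().
 */

// wp_ajax_{action} fires for logged-in users only; there is deliberately
// no wp_ajax_nopriv_ registration, so anonymous requests never get here.
add_action( 'wp_ajax_ravi_tag_comment', 'ravi_tag_comment_handler' );

function ravi_tag_comment_handler() {
    // 1. CSRF: the nonce must match the one embedded in the admin page.
    //    check_ajax_referer() calls wp_die() itself when the nonce is bad.
    check_ajax_referer( 'ravi_tag_comment_nonce', 'nonce' );

    // 2. Authorization: logged in is not the same as allowed.
    //    'moderate_comments' is an assumption; editors and admins hold it.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ) );
    }

    // 3. Input validation: coerce the id to an integer, whitelist the tag.
    $allowed_tags = array( 'todo', 'replied', 'ignore' );
    $comment_id   = isset( $_POST['comment_id'] ) ? absint( $_POST['comment_id'] ) : 0;
    $tag          = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';

    if ( 0 === $comment_id || null === get_comment( $comment_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown comment' ) );
    }
    if ( ! in_array( $tag, $allowed_tags, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown tag' ) );
    }

    // 4. Only now touch the database.
    update_comment_meta( $comment_id, '_ravi_comment_tag', $tag );

    wp_send_json_success( array( 'comment_id' => $comment_id, 'tag' => $tag ) );
}

// Admin side: hand the nonce and the AJAX URL to the page script so the
// browser can include them in the POST the handler above verifies.
add_action( 'admin_enqueue_scripts', 'ravi_tag_comment_enqueue' );

function ravi_tag_comment_enqueue( $hook ) {
    if ( 'edit-comments.php' !== $hook ) {
        return;
    }
    // 'tag-comment.js' is a hypothetical file shipped with the plugin.
    wp_enqueue_script( 'ravi-tag-comment', plugins_url( 'tag-comment.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ravi-tag-comment', 'raviTagComment', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ravi_tag_comment_nonce' ),
    ) );
}
```

The page script would then POST `action=ravi_tag_comment`, `comment_id`, `tag` and `nonce=raviTagComment.nonce` to `raviTagComment.ajaxUrl`. The order of the checks matters: the nonce is verified before any work, the capability check runs before the input is even looked at, and the tag is compared against a fixed whitelist rather than sanitized and trusted, so a crafted request cannot store an arbitrary string in comment meta.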


