[wp-hackers] User Roles & Capabilities - How come add and edit aren't separate?

Michael D Adams mda at blogwaffe.com
Mon Aug 30 04:36:11 UTC 2010


On Sun, Aug 29, 2010 at 5:30 PM, Andrew Nacin <wp at andrewnacin.com> wrote:
> On Sun, Aug 29, 2010 at 7:22 PM, ErisDS <erisds at gmail.com> wrote:
>
>> Hopefully this is a quick question: does anyone know why the capabilities
>> aren't divided into edit_posts and add_posts or edit_pages and add_pages?
>> The capability "edit_posts"/"edit_pages" also permits a user to add new
>> ones. Is it not a reasonable use case that users should be able to add but
>> not edit, or edit but not add?

Can you explain your use case more?  Is this edit-only user only
editing other people's posts? Editing only her posts that someone else
writes but assigns to her?  Editing both others' posts and his posts?

> I've worked around this by literally denying access to specific screens
> based on the $current_screen object, $pagenow, etc., according to specific
> use cases. The distinction isn't too useful for regular post types but I've
> seen some custom post type use cases where it makes some sense.

That's the best way I can think of too, but it takes a lot of
whitelisting (QuickPress, PressThis, ...) and it doesn't help with
XML-RPC or APP calls.  I think you'd also need to hook on some
pre-save filter.

> It's also tough to decide how it would be handled. When do we make the
> switch from requiring add_posts to requiring edit_posts? Someone with only
> add_posts will find themselves suddenly losing their post on save, or
> publish? Or can they always see it? (In order to see it, they'll need
> edit_posts to see that screen, right?) The converse is probably also easier
> -- someone having the ability to edit_posts but not add_posts... But at that
> point, they can't edit anything unless assigned to them, because they don't
> have the capabilities to edit others' posts.
>
> It seems like a sensible breakdown but then the implementation gets very
> foggy.

edit_posts means "create posts and edit posts I wrote that are not yet
published".

WP implements something like a user with "add_posts" but without
"edit_posts": contributors are users without edit_published_posts.
It's not quite the same, but it's one practical way to answer your
questions above.

To implement a user with edit_posts but without "add_posts", it might
be possible to strip a user's edit_posts but give him/her
edit_others_posts, edit_published_posts, and edit_private_posts as
appropriate.  You'd have to do this stripping dynamically, though, since
menus (in core and in plugins) use edit_posts to control access to
various screens.

Mike
--mdawaffe
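
The pre-save hook mentioned in the message above, as an added example that is not part of the original thread or of WordPress core. It assumes a hypothetical custom capability named `add_posts`, hypothetical `example_` function names, and the `wp_insert_post_empty_content` filter (available in WordPress 3.3 and later, so newer than this thread).

```php
<?php
/**
 * Added illustration: separate "add" from "edit" for regular posts.
 * 'add_posts' is a hypothetical custom capability; core does not define it.
 */

// Data-layer gate. Admin screens, QuickPress, Press This, XML-RPC and AtomPub
// all create posts through wp_insert_post(), so one check here covers every
// path without whitelisting individual screens.
add_filter( 'wp_insert_post_empty_content', 'example_block_post_creation', 10, 2 );

function example_block_post_creation( $maybe_empty, $postarr ) {
    // Only judge requests made on behalf of an authenticated user, so that
    // cron jobs and importers running without a user are left alone.
    if ( ! is_user_logged_in() ) {
        return $maybe_empty;
    }

    // An empty ID means wp_insert_post() is creating, not updating.
    $is_new = empty( $postarr['ID'] );
    $type   = isset( $postarr['post_type'] ) ? $postarr['post_type'] : 'post';

    // Revisions, attachments and custom post types are not touched.
    if ( $is_new && 'post' === $type && ! current_user_can( 'add_posts' ) ) {
        // Returning true makes wp_insert_post() treat the post as empty and
        // refuse it (it returns 0, or a WP_Error when one was requested).
        return true;
    }

    return $maybe_empty;
}

// Screen-level gate, for a clean error instead of a half-built editor.
// This is presentation only; the filter above is the actual enforcement.
add_action( 'load-post-new.php', 'example_block_new_post_screen' );

function example_block_new_post_screen() {
    $type = isset( $_GET['post_type'] ) ? sanitize_key( $_GET['post_type'] ) : 'post';

    if ( 'post' === $type && ! current_user_can( 'add_posts' ) ) {
        wp_die( 'You are not allowed to create new posts.', '', array( 'response' => 403 ) );
    }
}
```

Users who should still create posts need the hypothetical `add_posts` capability granted to their role, for example with `get_role( 'author' )->add_cap( 'add_posts' )` run once on plugin activation.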

