[wp-hackers] current_user_can() and roles ?

Otto otto at ottodestruct.com
Wed Jan 6 19:25:00 UTC 2010


Capabilities never really change. New ones might be added, but it's
unlikely that old ones will ever fully go away.

So you really need to check actual capabilities based on what they're
doing. If they're trying to change the plugin options, then you'd
check "edit_options". And so on. That's the whole point of the
role/capabilities system.

I mean, what if I created a new role, called "superman", and gave them
a bunch of capabilities? Your plugin would suddenly not work.

Roles are *arbitrary*, you cannot rely on them existing. Capabilities
are not arbitrary, they're hardcoded right into the core. New ones can
be added for various purposes, but the existing ones ain't going
anywhere.

-Otto



On Wed, Jan 6, 2010 at 1:05 PM, Frank Bueltge <frank at bueltge.de> wrote:
> Thanks for your reply; I see this also! In my plugin I give the user
> the rights on the option field by user role, with no own capability. I
> will only check that the logged-in user has at least the role. I will
> not check for a capability. Now I must check a capability from this
> role, and this is extra code and maybe doesn't work in the future when
> WP changes this capability.
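
The point made in the message above, as an added example that is not part of the original thread: a plugin settings handler that authorizes by capability rather than by role. The plugin name, option name, nonce action and function names are hypothetical, and `manage_options` (the capability WordPress core requires for its own settings screens) is assumed as the capability to check.

```php
<?php
/*
Plugin Name: Capability Check Demo (hypothetical example plugin)
*/

// Hypothetical option name and nonce action, used only in this example.
const CCD_OPTION = 'ccd_message';
const CCD_NONCE  = 'ccd_save_message';

// A custom role like the "superman" role from the message: it is not
// "administrator", but it carries the capability that matters here.
register_activation_hook( __FILE__, function () {
    add_role( 'superman', 'Superman', array(
        'read'           => true,
        'manage_options' => true,
    ) );
} );

// Fragile: ties access to role names. A "superman" user is rejected
// even though the site owner granted manage_options to that role.
function ccd_can_save_by_role() {
    $user = wp_get_current_user();
    return in_array( 'administrator', (array) $user->roles, true );
}

// Robust: asks whether the user may perform the action, whatever
// role (built-in or custom) the capability came from.
function ccd_can_save_by_capability() {
    return current_user_can( 'manage_options' );
}

// Handler for a form posted to admin-post.php with action=ccd_save.
add_action( 'admin_post_ccd_save', function () {
    // Authorization: deny before touching any input.
    if ( ! ccd_can_save_by_capability() ) {
        wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
    }
    // CSRF check, separate from the authorization check above.
    check_admin_referer( CCD_NONCE );
    $value = isset( $_POST['ccd_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['ccd_message'] ) )
        : '';
    update_option( CCD_OPTION, $value );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );
```

For a user whose only role is "superman", `ccd_can_save_by_role()` returns false while `ccd_can_save_by_capability()` returns true, which is the breakage the message describes.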

