[wp-hackers] User roles - GSOC proposal

Eric Mann eric at eamann.com
Wed Mar 31 17:19:30 UTC 2010

The idea of having one preconfigured "role" as an all-access administrator
and then assigning capabilities on a per-user basis is, in my opinion, what
would work best in the majority of cases.  The sites I've worked on in the
past fit one of two types:

1 - Blogs which allow comments but not registration.  There is one author
(with unlimited access) and all other "users" are unauthenticated commenters
that are identified by their email address.  They don't even appear in the
user system.

2 - CMS-type sites that allow limited registration but no comments (think
front-end website and back-end pseudo-intranet).  There is one superadmin
and every individual has a different role with custom capabilities ... none
of the pre-defined "subscriber", "contributor", etc. roles make sense in this
case and end up being deleted in favor of "intern", "project manager", etc.

The outside case is where people use user roles to identify affiliate sales.
My RegLevel plugin allows for custom user roles to be assigned from
different registration pages, and people use this to create "roles" like
"Sales from Frank" that are identical to "subscriber" merely as a way to
segregate new users and better track sales.

In reality, though, "roles" don't have much meaning when you are talking
about a platform that powers both blogs and CMS.  What we're talking about
is a way to easily apply capabilities on registration ... so perhaps 1
pre-configured "role" for the super administrator.  Then rather than asking
which "role" to assign to new registrations, allow the user to specify
which capabilities to assign to new registrations.  You'd still have the
same end effect.

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of kaiiser
Sent: Wednesday, March 31, 2010 10:02 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] User roles - GSOC proposal

> I do see why you want to go this route but I'd like to propose you
> consider a 3rd solution:
>
> Implement it the way you are thinking for performance but make it appear
> in the admin that there are distinct roles.  Allow some roles to be
> *defined* roles and others to be *derived* roles.
>
> For example, let's assume we have ContentEditor and FilesModerator roles;
> both would be *defined* by the admin.  In the UI the admin could assign both
> roles to a user but behind the scenes a *derived* role of
> "ContentEditor-FilesModerator" would be created using the combination of the
> two roles (though this role would never be shown to the admin or to
> users.)  When the admin later updates the capabilities of ContentEditor the
> ContentEditor-FilesModerator role is also updated behind the scenes.
>
> Simple for the end user and accomplishes the same performance goals you
> mention with the only downside being it taking slightly longer to save a role
> when the role's capabilities are updated.

+1 (!!)

This is what I think should really be considered: When someone
installs WP, he autom. gets an "admin"-account... with no
restrictions. So the only really "preconfigured" role we need is the
100%-"AAA"-admin(istrator). Looking at a lot of systems that use WP as
a CMS and looking at all those discussions where "canonical plugins"
or "core plugins" (like comments) take place, I can see nothing that
holds us (the community) back from asking: Why do we have
preconfigured roles, when WP can take such an amount of possible

So: We don't need anything more than a capability-system with a "All
CAPs"-role of admin. Plus: If we take this route and we consider a
way, where plugins could hook their capabilities into, we would have a
pretty flat, small and (perhaps clever?) system that could fit any
purpose from 1 to 10.000k-user and -role systems.

Why do we make everything so complicated and over-preconfigured? Is it
because we love traditions (for ex. posts-table instead of content-

wp-hackers mailing list
wp-hackers at lists.automattic.com
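
The *defined* / *derived* role idea quoted in this thread, sketched as an added example that is not part of any message here and is not WordPress core code. `RoleRegistry`, its methods and the sample capability names are hypothetical; the point shown is that redefining a defined role must also shrink every derived role built from it, otherwise a revoked capability stays live.

```php
<?php
// Added illustration: a self-contained model, not WordPress core code.
// RoleRegistry and its methods are hypothetical; capability names are constructed samples.
final class RoleRegistry
{
    private array $defined = [];  // defined role name => [capability => true]
    private array $derived = [];  // derived key => ['members' => [...], 'caps' => [...]]

    // Create or update an admin-defined role, then refresh derived roles that use it.
    public function define(string $role, array $caps): void
    {
        $this->defined[$role] = array_fill_keys($caps, true);
        foreach ($this->derived as $key => $entry) {
            if (in_array($role, $entry['members'], true)) {
                $this->derived[$key]['caps'] = $this->union($entry['members']);
            }
        }
    }

    // Resolve a user's assigned roles to one flat capability list via the hidden derived role.
    public function capsFor(array $roles): array
    {
        $roles = array_values(array_unique($roles));
        sort($roles);
        $key = json_encode($roles);  // unambiguous key even if a role name contains "-"
        if (!isset($this->derived[$key])) {
            $this->derived[$key] = ['members' => $roles, 'caps' => $this->union($roles)];
        }
        return array_keys($this->derived[$key]['caps']);
    }

    private function union(array $roles): array
    {
        $caps = [];
        foreach ($roles as $role) {
            $caps += $this->defined[$role] ?? [];  // an unknown role grants nothing
        }
        return $caps;
    }
}

$r = new RoleRegistry();
$r->define('ContentEditor', ['edit_posts', 'upload_files']);
$r->define('FilesModerator', ['upload_files', 'moderate_files']);
$assigned = ['ContentEditor', 'FilesModerator'];
echo implode(', ', $r->capsFor($assigned)), PHP_EOL;
// Revoking edit_posts from the defined role must remove it from the derived role too;
// upload_files survives because FilesModerator still grants it.
$r->define('ContentEditor', ['upload_files']);
echo implode(', ', $r->capsFor($assigned)), PHP_EOL;
```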