[wp-hackers] What does user_can really check?

Dion Hulse (dd32) wordpress at dd32.id.au
Sat Dec 3 01:31:18 UTC 2011

On 3 December 2011 03:57, 24/7 <24-7 at gmx.net> wrote:
>> Please don't reach underneath the API to do things. This is how
>> plugins break. :-)
> Just trying to get around how it's supposed to work :) Btw: Using GLOBALS
> instead of global to _not_ modify any global.
> The Q I was bringing up was simply: has_cap() doesn't check for $grant.

WP_User::has_cap() checks for $grant. It does this by the following code:
		// Every required capability must have a non-empty value.
		foreach ( (array) $caps as $cap ) {
			if ( empty( $capabilities[ $cap ] ) )
				return false;
		}

		return true;
If it's false, it'll return as empty.

WP_Role::has_cap() is the same. It checks $grant through this code:
		// The stored value is the $grant flag; empty-ish means denied.
		if ( !empty( $capabilities[$cap] ) )
			return $capabilities[$cap];
		else
			return false;
I.e., if the value within the cap is something non-empty, it's true, it
has the cap. If it's an empty-ish value (not set, boolean false, 0,
empty string, etc.) it's false, it doesn't have the cap.

If you are running any kind of plugin that alters what users can/can't
do (such as the members plugin, role scoper, and a handful of others
I'd rather not remember the names of) then your code will likely not
work due to the plugin intercepting and going "Hey, I never authorized

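The two checks quoted in the message above, modelled as a stand-alone PHP sketch (an added example, not part of the original post and not WordPress core code). The function names, capability map and deny filter are constructed for illustration; it shows which stored values count as denied and why reading the stored array directly misses a change a plugin makes at check time.

```php
<?php
// Simplified model of the two checks quoted above; not WordPress core code.
// Capability names, $grant values and the deny filter are constructed.

// Role-level check: the stored value is the $grant flag.
function role_has_cap(array $capabilities, string $cap): bool {
    if (!empty($capabilities[$cap])) {
        return (bool) $capabilities[$cap];
    }
    return false;
}

// User-level check: every required cap must be non-empty after the filter runs.
function user_has_cap(array $allcaps, array $required, ?callable $filter = null): bool {
    $capabilities = $filter ? $filter($allcaps, $required) : $allcaps;
    foreach ($required as $cap) {
        if (empty($capabilities[$cap])) {
            return false;
        }
    }
    return true;
}

// Constructed capability map: one grant and several "empty-ish" denials.
$caps = [
    'edit_posts'    => true,
    'delete_posts'  => false, // explicit $grant = false
    'publish_posts' => 0,
    'upload_files'  => '',
    // 'manage_options' is not set at all
];

$names = ['edit_posts', 'delete_posts', 'publish_posts', 'upload_files', 'manage_options'];
foreach ($names as $cap) {
    printf("%-15s key present: %-3s has_cap: %s\n",
        $cap,
        array_key_exists($cap, $caps) ? 'yes' : 'no',
        role_has_cap($caps, $cap) ? 'yes' : 'no');
}

// Hypothetical plugin filter that revokes edit_posts at check time.
$deny_edit = function (array $allcaps, array $required): array {
    $allcaps['edit_posts'] = false;
    return $allcaps;
};

// The stored array still reads as granted; only the filtered check sees the denial.
var_dump(!empty($caps['edit_posts']));
var_dump(user_has_cap($caps, ['edit_posts']));
var_dump(user_has_cap($caps, ['edit_posts'], $deny_edit));
```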