[wp-hackers] What does user_can really check?

Kevin Newman CaptainN at unFocus.com
Wed Nov 23 18:15:43 UTC 2011

"Roles" (as a set of caps - pretty standard stuff in granular 
permissions systems) are used too widely in the WordPress admin to be 
deprecated. User levels have been deprecated (and rightly so) but roles 
have not been. The codex makes this pretty clear - roles are NOT 
deprecated: http://codex.wordpress.org/Roles_and_Capabilities

Anyway, all I really need to know is, if I take a subscriber (as a 
shorthand for checking the user has ONLY "read" cap), and give them an 
additional cap, will that change their role to something other than 
subscriber, or does the role have to be specifically changed? That's the 

To make this clearer in the API, I would suggest a user_is method be 
added to core, as a way to check for a specific role, rather than 
overloading the user_can method (incorrectly) the way it is now. 
Incorrectly because "user_can" - "do what subscriber can do" - it should 
return true for admins, contribs, etc. when you check for "subscriber" 
caps - but now it returns false.

Kevin N.

On 11/22/11 11:36 PM, Dion Hulse (dd32) wrote:
> current_user_can('subscriber') || user_can( $user_id, 'subscriber')
> works due to the capability system including the Roll Slug as a user
> capability. AFAIK, this is done for backwards compatibility with code
> such as yours.

More information about the wp-hackers mailing list