[wp-hackers] What does user_can really check?

24/7 24-7 at gmx.net
Fri Nov 25 13:11:59 UTC 2011

One thing that was left out in this discussion: "granting" capabilities (I 
just ran into this): If you add a capability to a user or a role, you have 
the possibility to allow the access to it or not.

Consider the following:

$roles = $GLOBALS['wp_roles']->roles; // get all roles
$role_admin = $roles['administrator'];
$role_subscriber = $roles['subscriber'];

// Now add a capability and grant or deny the access
// role_object->add_cap( 'cap_name', (bool) $grant );
$role_admin->add_cap( 'read_hackers', false );
$role_subscriber->add_cap( 'read_hackers', true );

// Here we got the situation that admins and subscribers both have the cap 
// Now let's check this:
$role_admin->has_cap( 'read_hackers' );
$role_subscriber->add_cap( 'read_hackers' );
// result: Both returned true.
// If we want to check this, we need to access the object directly
$role_admin_access = $role_admin['read_hackers'] ? true : false; // false
$role_subscriber_access = $role_admin['read_hackers'] ? true : false; // 

The problem is that the "grant" check is simply missing in the API. The 
same goes for functions that change the grant/deny value. It would be nice 
and interesting to have this, as it would allow us to give access to 
certain roles, but blacklist/whitelist specific users.

Sry for beeing slightly off topic, but I think this should be mentioned in 
this discussion.

Best wishes,

More information about the wp-hackers mailing list