A Deep Dive into the Roles and Capabilities API

Transcript

1. A deep dive into The User Roles and Capabilities API

2. WordPress core developer Working with WordPress for 12+ years Senior

   Engineer at Human Made John Blackbourn @johnbillion

3. User Roles •Administrator •Editor •Author •Contributor •Subscriber • {Super Admin}

   • {No role}

4. No Role

5. Roles Aren’t Hierarchical

6. Roles, Capabilities, and Responsibilities

7. • Administrator • Editor • Author • Contributor • Subscriber

   Administer the site Edit all content Edit their own content Contribute proposals Nothing Role Responsibility

8. • Administrator • Editor • Author • Contributor • Subscriber

   Multiple Roles }Doesn’t make much sense

9. • Comment Moderator • Employee Manager Multiple Roles } Two

   distinct responsibilities

10. Roles and Responsibilities in bbPress • Keymaster • Moderator •

    Participant • Spectator Manage the forums Moderate discussion Participate in discussion Follow topics

11. • Author • Forum Moderator Multiple Roles with bbPress }

    Now we’re talking

12. Multiple Roles with bbPress

13. Multiple Roles with ‘Members’

14. Roles, Capabilities, and Responsibilities

15. User Capability Checks current_user_can( 'edit_posts' ) current_user_can( 'manage_options' ) current_user_can(

    'upload_files' ) user_can( $user_id, 'delete_users' )

16. User Capability Checks current_user_can( 'administrator' ) current_user_can( 'administrator' ) current_user_can(

    'create_users' )

17. Back In The Day level_10 level_9 level_8 level_7 level_6 level_5

    level_4 level_3 level_2 level_1 level_0

18. Meta & Primitive Capabilities current_user_can( 'edit_post', $post_id )

19. map_meta_cap() Handles the mapping from meta capabilities to primitive capabilities

    edit_post edit_others_posts

20. $post = get_post( $post_id ); if ( ! $post )

    { // If the post doesn't exist... $caps[] = 'do_not_allow'; break; } current_user_can( 'edit_post', $post_id )

21. if ( $user_id == $post->post_author ) { if ( $post->post_status

    == 'publish' ) { // If the post is published... $caps[] = 'edit_published_posts'; } else { // If the post is draft... $caps[] = 'edit_posts'; } } current_user_can( 'edit_post', $post_id )

22. } else { // Trying to edit someone else's post...

    $caps[] = 'edit_others_posts'; // The post is published... if ( $post->post_status == 'publish' ) { $caps[] = 'edit_published_posts'; } elseif ( 'private' == $post->post_status ) { $caps[] = 'edit_private_posts'; } current_user_can( 'edit_post', $post_id )

23. Meta & Primitive Capabilities // Another user's published post: current_user_can(

    'edit_post', $post_id ) > edit_published_posts > edit_others_posts // My own draft post: current_user_can( 'edit_post', $post_id ) > edit_posts

24. case 'delete_user': // Only super admins can delete users. if

    ( is_multisite() && ! is_super_admin( $user_id ) ) $caps[] = 'do_not_allow'; else $caps[] = 'delete_users'; break; current_user_can( 'delete_user', $id )

25. map_meta_cap() Handles the mapping from meta capabilities to primitive capabilities

    edit_post edit_others_posts

26. apply_filters( 'map_meta_cap', $caps, $cap, $user_id, $args ); map_meta_cap edit_post 456

    edit_others_posts edit_published_posts 123

27. function foo( $required_caps, $cap, $user_id, $args ) { if (

    'delete_term' == $cap ) { // Prevent protected term from being deleted: if ( get_term_meta( $args[0], 'protected', true ) ) { $required_caps[] = 'do_not_allow'; } } return $required_caps; } add_filter( 'map_meta_cap', 'foo', 10, 4 );

28. function foo( $required_caps, $cap, $user_id, $args ) { if (

    'publish_post' == $cap ) { // Let’s roll a dice... if ( rand( 1, 6 ) !== 3 ) { $required_caps[] = 'do_not_allow'; } } return $required_caps; } add_filter( 'map_meta_cap', 'foo', 10, 4 );

29. function foo( $required_caps, $cap, $user_id, $args ) { if (

    'upload_files' == $cap ) { // If user can edit posts, allow to upload files: $required_caps = array( 'edit_posts' ); } return $required_caps; } add_filter( 'map_meta_cap', 'foo', 10, 4 );

30. map_meta_cap Use this filter to alter the required primitive caps

    for a cap check

31. user_has_cap apply_filters( 'user_has_cap', $caps, $required_caps, $args ); edit_others_posts 123 edit_posts

    edit_post_tags moderate_comments ...

32. // Check authentication: if ( current_user_can( 'switch_to_user', $user_id ) )

    { // Switch user... }

33. function foo( $user_caps, $required_caps, $args ) { if ( 'switch_to_user'

    === $args[0] ) { $user_caps['switch_to_user'] = ( user_can( $args[1], 'edit_user', $args[2] ) && $args[2] != $args[1] ); } return $user_caps; } add_filter( 'user_has_cap', 'foo', 10, 3 );

34. map_meta_cap Use this filter to alter the required primitive caps

    for a cap check. user_has_cap Use this filter to grant or deny the actual caps of a user.

35. Recap • Roles • Responsibilities • Capabilities • map_meta_cap •

    user_has_cap • Trivia

36. Non-Logged-In Users current_user_can( 'do', 'something' ) // This always returns

    true: current_user_can( 'exist' ) // You need this too: is_user_logged_in()

37. More Granular Meta Caps in Core current_user_can( 'edit_user', $user )

    current_user_can( 'delete_post', $post ) // Coming soon (hopefully): current_user_can( 'edit_theme', $theme ) current_user_can( 'activate_plugin', $plugin ) current_user_can( 'delete_site', $site )

38. Core's Capability Tests Tests_User_Capabilities 'upload_plugins' => array( 'administrator' ), 'upload_themes'

    => array( 'administrator' ), 'customize' => array( 'administrator' ), 'add_users' => array( 'administrator' ), 'edit_categories' => array( 'administrator', 'editor' ), 'delete_categories' => array( 'administrator', 'editor' ), 'manage_post_tags' => array( 'administrator', 'editor' ), 'edit_post_tags' => array( 'administrator', 'editor' ), 'delete_post_tags' => array( 'administrator', 'editor' ), 'edit_css' => array( 'administrator', 'editor' ), 'assign_categories' => array( 'administrator', 'editor', 'author', 'contributor' ), 'assign_post_tags' => array( 'administrator', 'editor', 'author', 'contributor' ),

39. Questions? John Blackbourn @johnbillion