Uploaded bymannieschumpert
PDF, PPTX931 views

WordPress Capabilities Magic

The document outlines user roles and capabilities in WordPress, explaining the different permissions assigned to roles such as subscriber, contributor, author, editor, and administrator. It also discusses how to create custom roles and capabilities using functions like add_role and add_cap, and the use of filters to manage user capabilities dynamically. Additional resources and code examples are provided in the appendices for further reference.

TechnologyBusiness
Related topics:
Web Development

Embed presentation

Download as PDF, PPTX
Mannie Schumpert WordPress Developer (Not actually a magician) @mannieschumpert mannieschumpert.com
Roles Summary Subscriber read Contributor create posts, edit and delete own posts Author create posts, edit and delete own posts, and publish own posts Editor manage all content Administrator manage everything
Subscriber Contributor Author Editor Administrator Capability Levels by Role
“What if these don’t suit my needs?”
Roll Your Own add_role add_cap
add_role('video_editor',  'Video  Editor',  $caps  ); $caps  =  array(                  'edit_videos'  =>  true,          ); Add Role
Add Capabilities to Existing Roles $role  =  get_role(  'editor'  );   $role-­‐>add_cap(  'pull_rabbit_out_of_hat'  );
The Problem with add_role & add_cap
The Activation Hook register_activation_hook(  __FILE__,  'wordcampchs_activate'  )  );   ! function  wordcampchs_activate(){     $caps  =  array(         'edit_videos'  =>  true,       );     add_role('video_editor',  'Video  Editor',  $caps  );   }
The Magic Filters
user_has_cap map_meta_cap The Magic Filters
“Wait, what are filters?”
filter(  $data,  $info  ); What Are Filters? (pseudo code)
user_has_cap The Magic Filters “Does the user have this capability? Ok, do this other stuff.”
//  If  you  can  edit  pages,  you  can  edit  widgets       add_filter(  'user_has_cap',   function(  $caps  )  {          if  (  !  empty(  $caps['edit_pages']  )  )                  $caps['edit_theme_options']  =  true;          return  $caps;   }  ); Give Editors Widget Capability
Subscriber Contributor Author Editor Administrator Capability Levels by Role
Subscriber Contributor Author Editor Administrator
add_filter('user_has_cap',   function(  $caps  ){     if  (!  empty(  $caps['edit_pages']  )  )  {       $caps['gravityforms_delete_entries']  =  true;       $caps['gravityforms_edit_entries']  =  true;       $caps['gravityforms_edit_entry_notes']  =  true;       $caps['gravityforms_view_entries']  =  true;       $caps['gravityforms_view_entry_notes']  =  true;                  }     return  $caps;   }); Let Editors View Gravity Forms Entries
map_meta_cap The Magic Filters
map_meta_cap /**    *  Filter  a  user's  capabilities  depending  on  specific  context  and/or  privilege.    *    *  @since  2.8.0    *    *  @param  array    $caps        Returns  the  user's  actual  capabilities.    *  @param  string  $cap          Capability  name.    *  @param  int        $user_id  The  user  ID.    *  @param  array    $args        Adds  the  context  to  the  cap.  Typically  the  object  ID.    */   return  apply_filters(  'map_meta_cap',  $caps,  $cap,  $user_id,  $args  );
add_filter('map_meta_cap',  'prevent_user_edit',  10,  4  );   ! function  prevent_user_edit(  $caps,  $cap,  $user_id,  $args  ){         $protected_user  =  1;  //  ID  of  user  not  editable     !   //  Don't  block  caps  if  current  user  =  protected  user     if  (  $user_id  ===  $protected_user  )       return  $caps;         $blocked_caps  =  array(       'delete_user',       'edit_user'       );     if  (  in_array(  $cap,  $blocked_caps  )  &&  $args[0]  ===  $protected_user  )       $caps[]  =  'do_not_allow';         return  $caps;   } Prevent User Edit
NO
add_filter('map_meta_cap',  'prevent_users_edit',  10,  4  );   ! function  prevent_users_edit(  $caps,  $cap,  $user_id,  $args  ){         $protected_users  =  array(1,4,19);  //  IDs  of  users  not  editable     $allowed_editor  =  1;  //  ID  of  user  who  can  edit         if  (  $user_id  ===  $allowed_editor  )  //  Don't  block  caps  if  allowed  editor       return  $caps;         $blocked_caps  =  array(       'delete_user',       'edit_user'       );     if  (  in_array(  $cap,  $blocked_caps  )  &&  in_array(  $args[0],   $protected_user  )  )       $caps[]  =  'do_not_allow';         return  $caps;   } Prevent Editing of an Array of Users
DO NOT ALLOW
The Possibilities are Endless • let a particular user role only edit one taxonomy • let users of one role edit any other users of the same role • remove Tools capabilities from all but the primary admin • prevent some Super Admins from adding sites on a multisite network
Appendix A Codex: http://codex.wordpress.org/Roles_and_Capabilities http://codex.wordpress.org/Plugin_API/Filter_Reference/ user_has_cap http://codex.wordpress.org/Function_Reference/ map_meta_cap Core: map_meta_cap - /wp-includes/capabilities.php Line 1317
Appendix B Videos: “Current User Can Watch This Talk” - Andrew Nacin http://wordpress.tv/2013/08/10/andrew-nacin-current-user- can-watch-this-talk/ Code Snippets from Andrew Nacin’s “Current User Can Watch This Talk” https://gist.github.com/mannieschumpert/8886289
Appendix C Article: WordPress Capabilities Magic with map_meta_cap http://mannieschumpert.com/blog/wordpress-capabilities- magic-with-map_meta_cap/

More Related Content

PDF
Virtual Madness @ Etsy
byNishan Subedi
 
PPTX
Drupal sins 2016 10-06
byAaron Crosman
 
PPTX
Coding for Scale and Sanity
byJimKellerES
 
PDF
Dependency Management with RequireJS
byAaronius
 
ZIP
Drupal Development (Part 2)
byJeff Eaton
 
PDF
WordCamp Montreal 2015: Combining Custom Post Types, Fields, and Meta Boxes t...
byallilevine
 
PPTX
Sins Against Drupal 2
byAaron Crosman
 
PDF
Drupal Step-by-Step: How We Built Our Training Site, Part 1
byAcquia
 
Virtual Madness @ Etsy
byNishan Subedi
 
Drupal sins 2016 10-06
byAaron Crosman
 
Coding for Scale and Sanity
byJimKellerES
 
Dependency Management with RequireJS
byAaronius
 
Drupal Development (Part 2)
byJeff Eaton
 
WordCamp Montreal 2015: Combining Custom Post Types, Fields, and Meta Boxes t...
byallilevine
 
Sins Against Drupal 2
byAaron Crosman
 
Drupal Step-by-Step: How We Built Our Training Site, Part 1
byAcquia
 

What's hot

PDF
Ajax nested form and ajax upload in rails
byTse-Ching Ho
 
PDF
50 Laravel Tricks in 50 Minutes
byAzim Kurt
 
PDF
Your code sucks, let's fix it - DPC UnCon
byRafael Dohms
 
PDF
Introduction to Web Components
byFelix Arntz
 
PDF
Dig Deeper into WordPress - WD Meetup Cairo
byMohamed Mosaad
 
PDF
Bag Of Tricks From Iusethis
byMarcus Ramberg
 
PPTX
WordPress plugin #3
bygiwoolee
 
KEY
Keeping It Simple
byStephanie Leary
 
PPSX
WordPress Theme Design and Development Workshop - Day 3
byMizanur Rahaman Mizan
 
PDF
TDC 2015 - Metaprogramação na prática
byGuilherme Carreiro
 
KEY
Symfony2 Building on Alpha / Beta technology
byDaniel Knell
 
PDF
jQuery UI Widgets, Drag and Drop, Drupal 7 Javascript
byDarren Mothersele
 
PPTX
Анатолий Поляков - Drupal.ajax framework from a to z
byLEDC 2016
 
PDF
Drupal & javascript
byAlmog Baku
 
PDF
Your Entity, Your Code
byMarco Vito Moscaritolo
 
PDF
Paying off technical debt with PHPSpec
byLewis Wright
 
PPTX
Quality code by design
byWP Developers Club
 
PDF
날로 먹는 Django admin 활용
byKyeongMook "Kay" Cha
 
PPTX
Building secured wordpress themes and plugins
byTikaram Bhandari
 
PPT
Система рендеринга в Magento
byMagecom Ukraine
 
Ajax nested form and ajax upload in rails
byTse-Ching Ho
 
50 Laravel Tricks in 50 Minutes
byAzim Kurt
 
Your code sucks, let's fix it - DPC UnCon
byRafael Dohms
 
Introduction to Web Components
byFelix Arntz
 
Dig Deeper into WordPress - WD Meetup Cairo
byMohamed Mosaad
 
Bag Of Tricks From Iusethis
byMarcus Ramberg
 
WordPress plugin #3
bygiwoolee
 
Keeping It Simple
byStephanie Leary
 
WordPress Theme Design and Development Workshop - Day 3
byMizanur Rahaman Mizan
 
TDC 2015 - Metaprogramação na prática
byGuilherme Carreiro
 
Symfony2 Building on Alpha / Beta technology
byDaniel Knell
 
jQuery UI Widgets, Drag and Drop, Drupal 7 Javascript
byDarren Mothersele
 
Анатолий Поляков - Drupal.ajax framework from a to z
byLEDC 2016
 
Drupal & javascript
byAlmog Baku
 
Your Entity, Your Code
byMarco Vito Moscaritolo
 
Paying off technical debt with PHPSpec
byLewis Wright
 
Quality code by design
byWP Developers Club
 
날로 먹는 Django admin 활용
byKyeongMook "Kay" Cha
 
Building secured wordpress themes and plugins
byTikaram Bhandari
 
Система рендеринга в Magento
byMagecom Ukraine
 

Viewers also liked

PPTX
PUMA analysis
byNatasha Antoine Pelayo
 
PDF
Roxtec BG Solutions
byRoxtec Brasil
 
ODP
Cap 55
byamalamol
 
PPTX
Calidad y productividad en la docencia de la educación superior
byorlandomontes1979
 
DOCX
Summery
bykrutik245
 
DOC
Doc (2)
bykrutik245
 
PPTX
Steven McDonnells Alan Kerins Project Experience
byServisource Recruitment
 
PPTX
Comportamientos digitales
bydayanakatherine
 
PPTX
Comportamientos digitales
bydayanakatherine
 
PPTX
Proyecto producción de hongos comestibles.2012
byorlandomontes1979
 
PPTX
Diapositivas TIC
bydayanakatherine
 
DOCX
Tugas 3 konsep layanan
byElonk Teryytory
 
PPTX
calidad y educación
byorlandomontes1979
 
PUMA analysis
byNatasha Antoine Pelayo
 
Roxtec BG Solutions
byRoxtec Brasil
 
Cap 55
byamalamol
 
Calidad y productividad en la docencia de la educación superior
byorlandomontes1979
 
Summery
bykrutik245
 
Doc (2)
bykrutik245
 
Steven McDonnells Alan Kerins Project Experience
byServisource Recruitment
 
Comportamientos digitales
bydayanakatherine
 
Comportamientos digitales
bydayanakatherine
 
Proyecto producción de hongos comestibles.2012
byorlandomontes1979
 
Diapositivas TIC
bydayanakatherine
 
Tugas 3 konsep layanan
byElonk Teryytory
 
calidad y educación
byorlandomontes1979
 

Recently uploaded

PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
PPTX
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PPTX
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
PPTX
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
PPTX
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Lecture 04. about Black heads and Hackerss.pptx
byvinocol222
 
TechSprint Kickoff - Everything You Need to Know
bygdgcodecellcmpn
 
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 

WordPress Capabilities Magic

  • 2.
    Mannie Schumpert WordPress Developer (Notactually a magician) @mannieschumpert mannieschumpert.com
  • 3.
    Roles Summary Subscriber read Contributor createposts, edit and delete own posts Author create posts, edit and delete own posts, and publish own posts Editor manage all content Administrator manage everything
  • 4.
    Subscriber Contributor AuthorEditor Administrator Capability Levels by Role
  • 5.
    “What if thesedon’t suit my needs?”
  • 6.
  • 7.
    add_role('video_editor',  'Video  Editor',  $caps  ); $caps  =  array(                  'edit_videos'  =>  true,          ); Add Role
  • 8.
    Add Capabilities toExisting Roles $role  =  get_role(  'editor'  );   $role-­‐>add_cap(  'pull_rabbit_out_of_hat'  );
  • 9.
    The Problem withadd_role & add_cap
  • 11.
    The Activation Hook register_activation_hook(  __FILE__,  'wordcampchs_activate'  )  );   ! function  wordcampchs_activate(){     $caps  =  array(         'edit_videos'  =>  true,       );     add_role('video_editor',  'Video  Editor',  $caps  );   }
  • 12.
  • 13.
  • 14.
    “Wait, what arefilters?”
  • 15.
    filter(  $data,  $info  ); What Are Filters? (pseudo code)
  • 16.
    user_has_cap The Magic Filters “Doesthe user have this capability? Ok, do this other stuff.”
  • 17.
    //  If  you  can  edit  pages,  you  can  edit  widgets       add_filter(  'user_has_cap',   function(  $caps  )  {          if  (  !  empty(  $caps['edit_pages']  )  )                  $caps['edit_theme_options']  =  true;          return  $caps;   }  ); Give Editors Widget Capability
  • 18.
    Subscriber Contributor AuthorEditor Administrator Capability Levels by Role
  • 19.
    Subscriber Contributor AuthorEditor Administrator
  • 20.
    add_filter('user_has_cap',   function(  $caps  ){     if  (!  empty(  $caps['edit_pages']  )  )  {       $caps['gravityforms_delete_entries']  =  true;       $caps['gravityforms_edit_entries']  =  true;       $caps['gravityforms_edit_entry_notes']  =  true;       $caps['gravityforms_view_entries']  =  true;       $caps['gravityforms_view_entry_notes']  =  true;                  }     return  $caps;   }); Let Editors View Gravity Forms Entries
  • 21.
  • 22.
    map_meta_cap /**    *  Filter  a  user's  capabilities  depending  on  specific  context  and/or  privilege.    *    *  @since  2.8.0    *    *  @param  array    $caps        Returns  the  user's  actual  capabilities.    *  @param  string  $cap          Capability  name.    *  @param  int        $user_id  The  user  ID.    *  @param  array    $args        Adds  the  context  to  the  cap.  Typically  the  object  ID.    */   return  apply_filters(  'map_meta_cap',  $caps,  $cap,  $user_id,  $args  );
  • 23.
    add_filter('map_meta_cap',  'prevent_user_edit',  10,  4  );   ! function  prevent_user_edit(  $caps,  $cap,  $user_id,  $args  ){         $protected_user  =  1;  //  ID  of  user  not  editable     !   //  Don't  block  caps  if  current  user  =  protected  user     if  (  $user_id  ===  $protected_user  )       return  $caps;         $blocked_caps  =  array(       'delete_user',       'edit_user'       );     if  (  in_array(  $cap,  $blocked_caps  )  &&  $args[0]  ===  $protected_user  )       $caps[]  =  'do_not_allow';         return  $caps;   } Prevent User Edit
  • 24.
  • 25.
    add_filter('map_meta_cap',  'prevent_users_edit',  10,  4  );   ! function  prevent_users_edit(  $caps,  $cap,  $user_id,  $args  ){         $protected_users  =  array(1,4,19);  //  IDs  of  users  not  editable     $allowed_editor  =  1;  //  ID  of  user  who  can  edit         if  (  $user_id  ===  $allowed_editor  )  //  Don't  block  caps  if  allowed  editor       return  $caps;         $blocked_caps  =  array(       'delete_user',       'edit_user'       );     if  (  in_array(  $cap,  $blocked_caps  )  &&  in_array(  $args[0],   $protected_user  )  )       $caps[]  =  'do_not_allow';         return  $caps;   } Prevent Editing of an Array of Users
  • 26.
  • 27.
    The Possibilities areEndless • let a particular user role only edit one taxonomy • let users of one role edit any other users of the same role • remove Tools capabilities from all but the primary admin • prevent some Super Admins from adding sites on a multisite network
  • 28.
  • 29.
    Appendix B Videos: “Current UserCan Watch This Talk” - Andrew Nacin http://wordpress.tv/2013/08/10/andrew-nacin-current-user- can-watch-this-talk/ Code Snippets from Andrew Nacin’s “Current User Can Watch This Talk” https://gist.github.com/mannieschumpert/8886289
  • 30.
    Appendix C Article: WordPress CapabilitiesMagic with map_meta_cap http://mannieschumpert.com/blog/wordpress-capabilities- magic-with-map_meta_cap/