activate_plugins WordPress capability


Which capability comes first if we sort the list of WordPress user permission capabilities alphabetically? Yes, it is activate_plugins. The WordPress Codex says very little about it: “Allows access to Administration Panel options: Plugins”. Judging by its name, though, this capability should at least allow activating plugins, and maybe something more. Where can we get accurate information about WordPress if not from the WordPress core source code? I made a small investigation and want to share its results with you in this post.
Summary: the activate_plugins capability really does give a user access to the “Plugins” and “Installed Plugins” items of the WordPress admin back-end menu, and lets that user activate or deactivate plugins one by one or by applying a bulk action to a set of selected plugins.
Let’s look under the WordPress hood together and see, using the WordPress 3.3 core source code as the example, how this is implemented.

Searching for occurrences of the string ‘activate_plugins’ returns this list of files: wp-admin/menu.php, wp-admin/freedoms.php, wp-admin/plugins.php, wp-admin/includes/class-wp-plugins-list-table.php, wp-admin/includes/schema.php.
Let’s begin.

wp-admin/menu.php confirms the WordPress Codex statement above. To be more exact, this code allows access to the “Plugins” item of the Administrator menu and to the “Installed Plugins” submenu item under it:

	$menu[65] = array( sprintf( __('Plugins %s'), $count ), 'activate_plugins', 'plugins.php', '', 'menu-top menu-icon-plugins', 'menu-plugins', 'div' );

	$submenu['plugins.php'][5]  = array( __('Installed Plugins'), 'activate_plugins', 'plugins.php' );

WordPress Plugins, Installed plugins menu

wp-admin/freedoms.php contains the same link to plugins.php and shows it only to users with the ‘activate_plugins’ capability.

$plugins_url = current_user_can( 'activate_plugins' ) ? admin_url( 'plugins.php' ) : 'http://wordpress.org/extend/plugins/';

Where can you find this page? It is a new feature introduced in WordPress 3.3. In the left corner of the WordPress admin back-end menu bar you can see a small WordPress logo. Click it and you will see the submenu shown in the image below. Click ‘About WordPress’ and then ‘Freedoms’ to reach the page produced by freedoms.php.

WordPress About from admin menu bar

wp-admin/plugins.php is the WordPress plugins administration panel. You can reach it only if you have the activate_plugins capability.

if ( !current_user_can('activate_plugins') )
	wp_die( __( 'You do not have sufficient permissions to manage plugins for this site.' ) );

On a multi-site WordPress installation you additionally need network superadmin rights.
Further down in the code, WordPress checks the activate_plugins capability again before executing each of these actions:
– Activate plugins:

	switch ( $action ) {
		case 'activate':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));

– Bulk-activate selected plugins for the current blog, or bulk-activate them network-wide:

		case 'activate-selected':
		case 'network-activate-selected':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));

– Display error messages related to plugin management:

		case 'error_scrape':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));

– Deactivate plugins:

		case 'deactivate':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.'));

– Deactivate selected plugins:

		case 'deactivate-selected':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.'));

wp-admin/includes/class-wp-plugins-list-table.php is used to show the plugins list in table format. It overrides the ajax_user_can() method of the parent WP_List_Table class for plugin management:

	function ajax_user_can() {
		if ( is_multisite() ) {
			$menu_perms = get_site_option( 'menu_items', array() );

			if ( empty( $menu_perms['plugins'] ) && ! is_super_admin() )
				return false;
		}

		return current_user_can('activate_plugins');
	}

The ajax_user_can() method is used by wp-admin/admin-ajax.php to check whether the current user has permission to execute an operation via an AJAX request.
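
The same pattern applied in a plugin, as an added example that is not from the original post or from WordPress core: the capability passed to the menu only hides the page, so the state-changing handler repeats the current_user_can() check and verifies a nonce. The plugin name, the example_* functions, the example_maintenance option and the example-toggle slug are hypothetical.

```php
<?php
/*
 * Plugin Name: Example Maintenance Toggle
 * Description: Added example; every example_* name here is hypothetical.
 */

// Menu entry: the capability argument only hides the page from other users.
add_action( 'admin_menu', 'example_register_page' );
function example_register_page() {
	add_plugins_page( 'Maintenance toggle', 'Maintenance toggle',
		'activate_plugins', 'example-toggle', 'example_render_page' );
}

function example_render_page() {
	$state = get_option( 'example_maintenance' ) ? 'on' : 'off';
	?>
	<div class="wrap">
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_toggle" />
		<?php wp_nonce_field( 'example_toggle' ); ?>
		<p>Maintenance mode is <?php echo esc_html( $state ); ?>.</p>
		<?php submit_button( 'Toggle' ); ?>
	</form>
	</div>
	<?php
}

// Handler: admin-post.php fires this hook for any logged-in user who posts
// action=example_toggle, so the handler checks the capability itself, the
// way plugins.php re-checks it inside each case of its switch.
add_action( 'admin_post_example_toggle', 'example_handle_toggle' );
function example_handle_toggle() {
	if ( ! current_user_can( 'activate_plugins' ) ) {
		wp_die( 'You do not have sufficient permissions to change this setting.' );
	}
	check_admin_referer( 'example_toggle' ); // dies on a missing or invalid nonce
	$new = get_option( 'example_maintenance' ) ? 0 : 1;
	update_option( 'example_maintenance', $new );
	wp_safe_redirect( admin_url( 'plugins.php?page=example-toggle' ) );
	exit;
}
```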

wp-admin/includes/schema.php, at line #580, adds the activate_plugins capability to the Administrator role during WordPress installation.

	// Add caps for Administrator role
	$role =& get_role('administrator');
	$role->add_cap('switch_themes');
	$role->add_cap('edit_themes');
	$role->add_cap('activate_plugins'); // line 580 of schema.php
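
To see who actually holds the capability on a given site, the following added example (not part of the original post or of WordPress core) lists the roles that grant activate_plugins and the users who pass the check. The example_* function names are hypothetical, and the script assumes it runs inside a loaded WordPress, for instance through WP-CLI's `wp eval-file`.

```php
<?php
// Added example: audit who holds 'activate_plugins' on this site.
// Assumes WordPress is already loaded (e.g. run with `wp eval-file`).

/** Slugs of the roles that grant $cap. */
function example_roles_with_cap( $cap ) {
	global $wp_roles; // WP_Roles instance normally created by core
	if ( ! isset( $wp_roles ) ) {
		$wp_roles = new WP_Roles();
	}
	$slugs = array();
	foreach ( $wp_roles->role_objects as $slug => $role ) {
		if ( $role->has_cap( $cap ) ) {
			$slugs[] = $slug;
		}
	}
	return $slugs;
}

/** Map of user_login => reason, for every user of this site who passes the check. */
function example_users_with_cap( $cap ) {
	$granting_roles = example_roles_with_cap( $cap );
	$report         = array();
	foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
		$user = get_userdata( $user_id );
		if ( ! $user || ! user_can( $user, $cap ) ) {
			continue;
		}
		$via = array_intersect( $user->roles, $granting_roles );
		if ( $via ) {
			$reason = 'role: ' . implode( ', ', $via );
		} elseif ( ! empty( $user->caps[ $cap ] ) ) {
			$reason = 'granted directly to the user';
		} else {
			// On multisite the capability check passes for super admins.
			$reason = 'super admin';
		}
		$report[ $user->user_login ] = $reason;
	}
	return $report;
}

echo 'Roles: ' . implode( ', ', example_roles_with_cap( 'activate_plugins' ) ) . "\n";
foreach ( example_users_with_cap( 'activate_plugins' ) as $login => $reason ) {
	echo $login . ' => ' . $reason . "\n";
}
```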


  • http://shinephp.com Vladimir Garagulya

    I don’t, there is no such limitation at the moment. I’m not sure that it’s possible to realize :).

    You should be aware that only an admin or a trusted person should have the ‘activate_plugins’ capability, because if the URE plugin is deactivated, a user with the ‘create_users’ or ‘edit_users’ capability could assign the ‘Administrator’ role to some user and take full control of your blog.

  • juj ole

    Hi, I’m using Download manager and DLG CLient upload. I need to create a user role that can view and use ONLY these 2 plugins. What files do I have to change?

  • admin grant

    This was very helpful but I am still unable to fix my problem…
    I have a multiuser WP and I have one plugin I want to share with all members without allowing access to all plugins.
    How can I do that?

  • http://shinephp.com Vladimir Garagulya

    If a plugin is activated by the superadmin for the whole network from the Network Center, then a local admin cannot deactivate it. Thus, you can activate the plugins which you wish to manage yourself for the whole network, and just install, without activating, the other plugin(s) which you wish to leave to the local blog administrators. They will decide for themselves whether or not to use them.

  • rockvilla

    Hi there, it’s a very informative post, thanks a lot for it :)
    I am having a problem because of the capability ‘activate_plugin’. I have an author page displaying many posts via an ajax call and query_post. For users other than admin this query doesn’t run? Can you point at something? Please. I have been trying to solve this problem for 1 week. You can follow the question here: http://stackoverflow.com/questions/15189675/wordpress-query-post-not-working-for-not-logged-in-users