edit_plugins WordPress user capability

May 6th, 2012

This capability is self-explanatory and self-documenting: it does exactly what its name says. A user with the edit_plugins capability gets access to the “Editor” menu item in the “Plugins” submenu of the administrator back-end menu. Of course, the user must have the “activate_plugins” capability too, since without it he cannot access the top-level “Plugins” menu item. This holds for a single-site WordPress installation only.
For a multi-site WordPress configuration:
1st, you should have super-admin privileges in order to be able to edit installed plugin files,
Read the rest of this entry

edit_files WordPress user capability

April 27th, 2012

The edit_files WordPress user capability, introduced in WordPress version 2.0, is not used anymore. It remains in the current WordPress database schema for backward compatibility with old themes and plugins, but not a single line of WordPress core code uses this capability to make a real decision about a user’s permissions, that is, to allow or prohibit some operation.
Thus, I classified the edit_files capability as deprecated and show it in the User Role Editor plugin in the same way as other deprecated capabilities like ‘level_1’, ‘level_2’, etc., that is, hidden by default.
To see the list of deprecated capabilities in User Role Editor, turn on the “Show deprecated capabilities” checkbox at the top of the role editor form.

Limit Comments moderation, part 2

April 22nd, 2012

We have already discussed a couple of tricks to limit comments moderation in this post, and know how to hide comment moderation links and commands from a user. In this post we will see:
- how to show a user with the ‘Author’ role only the comments on his own posts;
- how to exclude unneeded views from the ‘Comments’ page, leaving just ‘Approved’, for example.
Read the rest of this entry

WordPress 3.3.2 Security Update

April 22nd, 2012

WordPress has published version 3.3.2. It is a critical security update. According to the WordPress Developers Blog, three external libraries included in WordPress (Plupload, SWFUpload, SWFObject) received security updates. WordPress 3.3.2 also addresses:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
The full list of changes made in version 3.3.2 is available here.
PHP developers can see the changes in the source code directly using this link.
If you haven’t installed this update yet, consider doing it right now. It’s very important to defend your lovely blog as much as possible.
Read the rest of this entry

Preview others posts without edit

April 11th, 2012

By default, WordPress lets you preview others’ not-yet-published posts only if you can edit them. Suppose you decided to change that and give some users or a role the ability to read others’ posts in read-only mode, without giving them the ‘edit-others-posts’ capability.
You will need to add a new user capability, modify one file from WordPress core and add a little piece of code to your theme’s functions.php file. Are you ready? Let’s go!
Read the rest of this entry

Choose right plugin name

April 8th, 2012

What is the 1st step to take when you have a brilliant idea and have decided to develop a new, amazing WordPress plugin? Yes, you need to choose the right name for it. There are 27891 names registered at the WordPress plugins repository at this moment. So your plugin name should be unique and descriptive, but short enough that a user can remember it and share it easily. How do you make a plugin name unique without losing its main sense? It could be good practice to start the plugin name with your business name, your own name or your nick. This way your plugin name will have its own place in the whole WordPress plugins list and will not be lost among tens or hundreds of other plugins which try to do similar things and for that reason may have, and really do have, similar names.
Read the rest of this entry

delete_users WordPress user capability

April 2nd, 2012

Suppose your site has a lot of user registrations and a lot of them are SPAM records. In that situation you may wish to delegate the deletion of such spam users to someone else. What capability is needed to get permission to delete unneeded WordPress user records? First of all, the delete_users capability. Is it enough? No. In order to delete a user, you need to select it from the user list. Thus, you should have one more user capability. Yes, it is the ‘list_users’ capability. Without it you cannot access your blog’s user list (“Users->All Users” menu item) under a single-site WordPress installation and cannot apply the “Delete” command to a selected user. Continue reading to see a more detailed description and (if you are curious enough) look inside the WordPress core source code to learn where and how WordPress implements the ‘delete_users’ security permission.
Read the rest of this entry