activate_plugins WordPress capability

Which capability comes first if we sort the list of WordPress user permission capabilities alphabetically? Yes, activate_plugins. The information about it in the WordPress Codex is very brief: “Allows access to Administration Panel options: Plugins”. But judging by its name, this capability should at least allow activating plugins, and maybe something more. Where can we get the right information about WordPress if not from the WordPress core source code? I did a little investigation and want to share its results with you in this post.
Summary: in short, the activate_plugins capability gives the user access to the “Plugins” and “Installed Plugins” menu items of the WordPress admin back-end menu and lets them activate and deactivate plugins, either one by one or by applying a bulk action to a set of selected plugins.
Let’s look together under the WordPress hood and see, using the WordPress 3.3 core source code, how this is implemented.

Searching for occurrences of the ‘activate_plugins’ string gives this list of files: wp-admin/menu.php, wp-admin/freedoms.php, wp-admin/plugins.php, wp-admin/includes/class-wp-plugins-list-table.php, wp-admin/includes/schema.php.
Let’s begin.

wp-admin/menu.php confirms the WordPress Codex statement above. To be more exact, this code allows access to the “Plugins” item of the admin menu and to the “Installed Plugins” submenu item under it:

	$menu[65] = array( sprintf( __('Plugins %s'), $count ), 'activate_plugins', 'plugins.php', '', 'menu-top menu-icon-plugins', 'menu-plugins', 'div' );

	$submenu['plugins.php'][5]  = array( __('Installed Plugins'), 'activate_plugins', 'plugins.php' );

WordPress Plugins, Installed plugins menu

wp-admin/freedoms.php contains the same link to plugins.php and shows it only to users with the ‘activate_plugins’ capability; other users get a link to the plugin directory on wordpress.org instead.

$plugins_url = current_user_can( 'activate_plugins' ) ? admin_url( 'plugins.php' ) : 'http://wordpress.org/extend/plugins/';

Where can you find this page? It is a new feature introduced in WordPress 3.3. In the left corner of the WordPress admin back-end menu bar you can see a small WordPress logo. Click it and you will see a submenu like the one in the image below. Click ‘About WordPress’ and then ‘Freedoms’ to reach the freedoms.php page.

WordPress About from admin menu bar

wp-admin/plugins.php is the WordPress plugins administration panel. You can reach it only if you have the activate_plugins capability.

if ( !current_user_can('activate_plugins') )
	wp_die( __( 'You do not have sufficient permissions to manage plugins for this site.' ) );

For a multi-site WordPress installation you additionally need network superadmin rights.
Further in the code, WordPress checks the activate_plugins capability again before executing these actions:
– Activate plugins:

	switch ( $action ) {
		case 'activate':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));

– Bulk activation for the current blog and network-wide bulk activation of selected plugins:

		case 'activate-selected':
		case 'network-activate-selected':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));

– Display error messages concerning plugin management:

		case 'error_scrape':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to activate plugins for this site.'));

– Deactivate plugins:

		case 'deactivate':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.'));

– Deactivate selected plugins:

		case 'deactivate-selected':
			if ( ! current_user_can('activate_plugins') )
				wp_die(__('You do not have sufficient permissions to deactivate plugins for this site.'));

wp-admin/includes/class-wp-plugins-list-table.php is used to show the list of plugins in table format and overrides the ajax_user_can() method of the parent WP_List_Table class for plugin management:

	function ajax_user_can() {
		if ( is_multisite() ) {
			$menu_perms = get_site_option( 'menu_items', array() );

			if ( empty( $menu_perms['plugins'] ) && ! is_super_admin() )
				return false;
		}

		return current_user_can('activate_plugins');
	}

The ajax_user_can() method is used by wp-admin/admin-ajax.php to check whether the current user has permission to execute an operation via an AJAX request.

wp-admin/includes/schema.php at line #580 inserts the activate_plugins capability into the Administrator role during WordPress installation (lines 576-580 shown):

	// Add caps for Administrator role
	$role =& get_role('administrator');
	$role->add_cap('switch_themes');
	$role->add_cap('edit_themes');
	$role->add_cap('activate_plugins');
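
Since the capability lets its holder activate any plugin installed on the site, it is worth reviewing who actually holds it, through a role or through a per-user grant. The script below is an added example, not part of the original post or of WordPress core. It assumes a current WordPress release (wp_roles() does not exist in 3.3) and is meant to be run with WP-CLI's wp eval-file; the example_* function names and the file name are made up for this example.

```php
<?php
/**
 * Added example: audit who can activate plugins on this site.
 * Run inside a loaded WordPress, e.g.:  wp eval-file audit-activate-plugins.php
 * (the file name is a placeholder chosen for this example).
 */

/** Slugs of the roles whose stored capability list grants $cap. */
function example_roles_granting( $cap ) {
	$granting = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		if ( ! empty( $role['capabilities'][ $cap ] ) ) {
			$granting[] = $slug;
		}
	}
	return $granting;
}

/** Users for whom a current_user_can( $cap ) check would pass. */
function example_users_with_cap( $cap ) {
	$holders = array();
	foreach ( get_users() as $user ) {
		// user_can() applies the same resolution as current_user_can():
		// role capabilities, per-user capabilities and capability filters.
		if ( user_can( $user, $cap ) ) {
			$holders[] = array(
				'login'  => $user->user_login,
				'roles'  => $user->roles,
				// True when the cap is stored on the user itself, not only via a role.
				'direct' => ! empty( $user->caps[ $cap ] ),
			);
		}
	}
	return $holders;
}

$cap = 'activate_plugins';
printf( "Roles granting %s: %s\n", $cap, implode( ', ', example_roles_granting( $cap ) ) );

foreach ( example_users_with_cap( $cap ) as $holder ) {
	printf(
		"%-20s roles=%s%s\n",
		$holder['login'],
		implode( ',', $holder['roles'] ),
		$holder['direct'] ? ' (granted directly to the user)' : ''
	);
}
```

On a default installation only the administrator role should appear in the first line; any other role, or a user flagged as granted directly, is a change made after installation and deserves a look.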
