Archive for the ‘WordPress Capabilities’ Category

WordPress read capability in depth

Saturday, December 1st, 2012

WordPress read capability

read user capability

Did you ever ask yourself, what WordPress read capability really allows to read? Any unregistered visitor of your blog can see and read any public post without limitations? What the purpose of ‘read’ user capability? After making little investigation I don’t sure that WordPress read capability should be called ‘read’ but not ‘user_profile’ for example. Why I got such conclusion? Because of WordPress read capability is responsible for these WordPress admin back-end menu items only:
“Dashboard”-“Home”, “Dashboard”-“My Sites” (for multisite WP installation) and “Profile”-“Your Profile”.
Thus if you revoke ‘read’ capability from some user, she could not access to her profile then. Such user will get error message from WordPress just after login: “You do not have sufficient permissions to access this page”.

Read the rest of this entry

edit_theme_options capability for WordPress user

Friday, September 28th, 2012

edit-theme-options WordPress user capability

edit-theme-options user capability


‘edit_theme_options’ capability seems to be self-explained. It’s primary purpose is to provide access to WordPress front-end theme options changing.
On practice, if you have ‘edit_theme_options’ capability, then you have access to the ‘Appearance’ menu at WordPress admin back-end and to its menu items: “Themes” (select a theme for your WordPress front-end) and “Menus” (edit menus supported by your selected theme). Customize theme header image, background color, etc. section and ‘Widgets’ menu items require ‘edit_theme_options’ capability also.

How it is realized? How often and at what places WordPress uses/checks this user capability – ‘edit_theme_options’ in order to decide give current user permission to edit theme options or prohibit access to such functionality? Let’s check this together. We will make a quick look into WordPress version 3.4.2 core source code and comment its related fragments.

Read the rest of this entry

update_core capability for WordPress user

Sunday, August 5th, 2012

update_core capability

update_core user capability

WordPress Codex gives us nothing about update_core capability for WordPress user, except WordPress version of its appearing in the code – 3.0. I suppose according to its name, that update_core capability is used to decide, if user can update core WordPress file using built-in WordPress upgrade feature or not. What do you think?

Thoughts are just thoughts, while they are not confirmed by practice and strong experiment. Thus, I decided to check this obviouse guess, satisfy my curiosity and investigate, how and for what purpose WordPress uses update_core capability really. Result of my little investigation will be shown to you below.

Read the rest of this entry

Capabilities set for Custom Post Type

Sunday, June 10th, 2012

Special capabilities for custom post type

custom post type capabilities

You configured custom post type at your WordPress managed site. You did it with special plugin or manually. It works good. But what to do, if it uses standard WordPress posts permissions, e.g. ‘edit_posts’, but you need to separate access for standard and custom posts for authors and editors? Does WordPress offer a decision?
Yes. Custom post type may have custom capabilities set defined and it could be fully different from the standard post capabilities set.
What variants do you have?
1st, – use plugin which can manage not just custom post types, but custom capabilities set for those custom post types too. Good example is Custom Post Types UI WordPress plugin. I used it myself long time at my personal Russian language site FiNovel.com. Inspite of little quant of “Works” reviews at WordPress plugins repository page, I confirm – it works.

Read the rest of this entry

edit_plugins WordPress user capability

Sunday, May 6th, 2012

edit_plugins WordPress user capabilty

edit_plugins capabilty

This capability is self-explained and self-documented. It does that what it has in its name, really. If user has edit_plugins capability, he get access to the “Editor” menu item at the “Plugins” submenu of administrator back-end system menu. Of course, user should have “activate_plugins” capability too, as without such capability he could not access top level “Plugins” menu item. That is correct for single-site WordPress installation only.
For multi-site WordPress configuration:
1st, you should have super-admin privileges in order to be capable edit installed plugins files,

Read the rest of this entry

edit_files WordPress user capability

Friday, April 27th, 2012

edit_files is deprecated WordPress user capability

deprecated capability

edit_files WordPress user capability introduced into WordPress since version 2.0 is not used anymore. It is added into current WordPress database schema for backward compatibility purpose with old themes and plugins, but no one line of WordPress core code uses this capability to take real decision about user’s permissions, allow or prohibit some operation.
Thus, I classified edit_files capability as deprecated and show it at User Role Editor plugin similar way as other deprecated capabilities like ‘level_1’, ‘level_2′, etc., that is hidden by default.
To see deprecated capabilities list at User Role Editor turn on “Show deprecated capabilities’ checkbox at the top of role editor form.

delete_users WordPress user capability

Monday, April 2nd, 2012

delete_users WordPress user capability

delete users

Suppose your site has a lot of user registrations and a lot of them are SPAM records. In that situation you could wish to delegate such spam users deletion to someone else. What capability is needed to get permission to delete unneeded WordPress users records? First of all, – delete_users capability. Is it enough? No. In order to delete user, you need to select it from user list. Thus, you should have some other user capability. Yes, it is 'list_users' capability. Without such capability you can not access your blog users list (“Users->All Users” menu item) under single-site WordPress installation and can not apply “Delete” command to selected user. Continue reading to see more detailed description and (if you curious enough) look inside WordPress core source code to know where and how WordPress implements ‘delete_users’ security permission.

Read the rest of this entry