Roles and Capabilities in WordPress

WordPress’s role and permission system is not hierarchical. There is not necessary that higher user roles have all capabilities that lower user role has. In the Laravel and Symfony PHP frameworks, the permission system is hierarchical. Often A WordPress developers tend to check logged-in user roles for authorization in Custom Solution is not the right way to develop a solution. The WordPress Developer should check permission for the authorization.

In WordPress, Each user has been assigned a user role. User role is a label for authorization in WordPress. A User role has many capabilities (permissions).

User roles along with capabilities

There are five in-built WordPress user roles are listed below. The related user role capabilities are also listed with each user role. You should not remember all capabilities for each user role. It is just for reference.

  • Administrator: The administrator has almost all permission to do in WordPress site. The role has below capabilities:
switch_themes, edit_themes, activate_plugins, edit_plugins, edit_users, edit_files, manage_options, moderate_comments, manage_categories, manage_links, upload_files, import, unfiltered_html, edit_posts, edit_others_posts, edit_published_posts, publish_posts, edit_pages, read, level_10, level_9, level_8, level_7, level_6, level_5, level_4, level_3, level_2, level_1, level_0, edit_others_pages, edit_published_pages, publish_pages, delete_pages, delete_others_pages, delete_published_pages, delete_posts, delete_others_posts, delete_published_posts, delete_private_posts, edit_private_posts, read_private_posts, delete_private_pages, edit_private_pages, read_private_pages, delete_users, create_users, unfiltered_upload, edit_dashboard, update_plugins, delete_plugins, install_plugins, update_themes, install_themes, update_core, list_users, remove_users, promote_users, edit_theme_options, delete_themes, export
  • Editor: The Editor user can write, edit, delete and publish all posts. The role user can edit, delete and publish other user’s posts too. The role has below capabilities:
moderate_comments, manage_categories, manage_links, upload_files, unfiltered_html, edit_posts, edit_others_posts, edit_published_posts, publish_posts, edit_pages, read, level_7, level_6, level_5, level_4, level_3, level_2, level_1, level_0, edit_others_pages, edit_published_pages, publish_pages, delete_pages, delete_others_pages, delete_published_pages, delete_posts, delete_others_posts, delete_published_posts, delete_private_posts, edit_private_posts, read_private_posts, delete_private_pages, edit_private_pages, read_private_pages
  • Author: The Author can write, publish and delete posts only own by them. The role has below capabilities:
upload_files, edit_posts, edit_published_posts, publish_posts, read, level_2, level_1, level_0, delete_posts, delete_published_posts
  • Contributor: The Contributor can write and edit owns posts. The user role can not even publish own post too. The role has below capabilities:
edit_posts, read, level_1, level_0, delete_posts
  • Subscriber: The Subscriber can read all contents of WordPress site. The role has below capabilities:
read, level_0

In Multisite user, There is an extra user role named as Super Administrator. The Super Administrator can do anything in any site of Multisite WordPress. When the Super Administrator user is logged in, All permission checks are bypassed and all capabilities to given them.

The level_x capabilities are no longer used. It is retained for backward compatibilities purposes. So, please do not worry about it.

Authentication and Authorization

Authentication and Authorization terms are ambiguous with each other. However, there is a difference between both.

Authentication refer to check whether a user is logged in. Authorization means to check whether the logged in user has permission to perform specific action.

For authentication, WordPress has is_user_logged_in function available.

To display the “Thank You User_Name.” in the header of the front end of WordPress WebSite, We can use the below code snippets:

add_action( 'wp_footer', 'pmb_footer_display_thanks_message' );
function pmb_footer_display_thanks_message() {
    if ( is_user_logged_in() ) {
        printf( esc_html__( 'Thank You %1$s.', 'pmb-text-domain' ), $GLOBALS['current_user']->display_name );
    }
}
Thank You User Display name in WordPress footer

For authorization, There is a current_user_can function available in WordPress.

current_user_can( string $capability, mixed $args )

  • $capability – the permission to check the current user has.
  • $args – Other argument. Generally, It is object id for which the capability (permission) are checked.

For displaying edit post link to the logged-in user who has the capability to edit the post, We can use below code snippets:

add_action( 'the_content', 'pmb_content_add_edit_link', 10, 1 );
function pmb_content_add_edit_link( $content ) {
	if ( current_user_can( 'edit_post', $GLOBALS['post']->ID ) ) {
		return '<center><a href="' . esc_url( get_edit_post_link( $GLOBALS['post']->ID ) ) . '">' . __( 'Edit Post', 'pmb-text-domain' ) . '</a></center>' . $content;
	} else {
		return $content;
	}
}
Edit Content link before content of a Post

Sometimes there is a need to check general capability check that is not related to any object. At that time, There is no need to pass the object id to the current_user_can function. For example, The current user has capability to manage all option, We can use the code if ( current_user_can( 'manage_options' ) ) {

Leave a Reply

Prashant Baldha