Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#14387 closed defect (bug) (invalid)

current_user_can returns false for roles "higher" than built-ins

Reported by: sbressler
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

Maybe this isn't a bug and is intentional, but current_user_can('editor') fails for admins. current_user_can('contributor') fails for editor. And so on. Now, for some even stranger reason, it succeeds on one production blog of mine (all higher roles "can" a lower role). That is the functionality I want and that makes sense to me for the built-ins. Is that what should happen? If so, then this is a bug, and if not, my apologies.

Change History (6)

#1 @sbressler
11 years ago

If this is not a bug, then is the only way to check current_user_can for a lower role and to get it to pass for a higher role to use the deprecated numbered levels? current_user_can('level_1') for example when you want to check contributor or higher. I need to avoid just assuming current_user_can('edit_posts') to do this check, and it seems that levels are the only other way to do this if the above desired (and I believe correct) functionality is not what WP should be doing.

#2 @scribu
11 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

The fact that current_user_can('editor') works at all is just a coincidence. It wasn't intended to work like that.

You should check for a specific capability instead.

#3 @scribu
11 years ago

> I need to avoid just assuming current_user_can('edit_posts') to do this check.

Then you're doing something wrong.

#4 @nacin
11 years ago

The issue is that roles aren't hierarchical. We don't check that role Y is a full superset of role Y, thus current_user_can('editor') wouldn't work for administrators. Please don't resort to user levels. There's always a better way.

#5 @sbressler
11 years ago

Roles by default are absolutely hierarchical, and that's what I'm banking on. Sure, users can remove edit_others_posts from editors, but I'm fine with assuming that they won't. While roles can be customized so that they're not hierarchical, they certainly are to begin with.

To continue the conversation of my specific issue, I created a support topic on wp.org so that I don't clutter Trac with my questions: http://wordpress.org/support/topic/427551. Would appreciate your feedback.

#6 @nacin
11 years ago

By default. So either you need to make every assumption, or make no assumptions. I commented on the thread and will gladly follow up further.
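The point made in comments #2 and #4 (the role name only "works" as a capability by coincidence, and roles are not hierarchical) can be seen in a reduced model of how WP_User assembles its allcaps array. This is an added illustration, not WordPress core code; the role-to-capability map is a constructed subset of the defaults, and has_cap here omits map_meta_cap.

```php
<?php
// Added illustration, not WordPress core: a reduced model of how WP_User
// builds $allcaps, showing why current_user_can('editor') passes for an
// editor only by coincidence and never for an administrator.

// Constructed subset of the default role -> capability map.
$roles = [
    'administrator' => ['edit_posts' => true, 'edit_others_posts' => true, 'manage_options' => true],
    'editor'        => ['edit_posts' => true, 'edit_others_posts' => true],
    'contributor'   => ['edit_posts' => true],
];

// Mirrors WP_User::get_role_caps(): each role's capabilities are merged,
// then the user's own caps meta (e.g. ['editor' => true]) is merged on top.
// That second merge is what leaks the bare role name into allcaps.
function build_allcaps(array $roles, array $user_caps): array {
    $allcaps = [];
    foreach (array_keys($user_caps) as $role) {
        if (isset($roles[$role])) {
            $allcaps = array_merge($allcaps, $roles[$role]);
        }
    }
    return array_merge($allcaps, $user_caps);
}

// Simplified has_cap(): passes only if allcaps holds the key set to true.
function has_cap(array $allcaps, string $cap): bool {
    return !empty($allcaps[$cap]);
}

// If role membership really is the question, test the roles list directly
// (the real equivalent is in_array($role, (array) $user->roles, true)).
function has_role(array $user_caps, string $role): bool {
    return array_key_exists($role, $user_caps);
}

$editor_caps = ['editor' => true];
$admin_caps  = ['administrator' => true];
$editor = build_allcaps($roles, $editor_caps);
$admin  = build_allcaps($roles, $admin_caps);

// Role name used as a capability: true for the editor, false for the admin,
// because 'editor' was never a capability granted to administrators.
var_dump(has_cap($editor, 'editor'), has_cap($admin, 'editor'));

// Capability check, as the ticket recommends: true for every role that
// carries the capability, whatever the role is called.
var_dump(has_cap($editor, 'edit_others_posts'), has_cap($admin, 'edit_others_posts'));
var_dump(has_role($admin_caps, 'editor'));
```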