#14387 closed defect (bug) (invalid)
current_user_can returns false for roles "higher" than built-ins
Reported by: | | Owned by: |
---|---|---|---
Milestone: | | Priority: | normal
Severity: | normal | Version: |
Component: | Role/Capability | Keywords: |
Focuses: | | Cc: |
Description
Maybe this isn't a bug and is intentional, but current_user_can('editor') fails for admins. current_user_can('contributor') fails for editor. And so on. Now, for some even stranger reason, it succeeds on one production blog of mine (all higher roles "can" a lower role). That is the functionality I want and that makes sense to me for the built-ins. Is that what should happen? If so, then this is a bug, and if not my apologies.
Change History (6)
#2
@
13 years ago
- Milestone Awaiting Review deleted
- Resolution set to invalid
- Status changed from new to closed
The fact that current_user_can('editor') works at all is just a coincidence. It wasn't intended to work like that.
You should check for a specific capability instead.
#3
@
13 years ago
> I need to avoid just assuming current_user_can('edit_posts') to do this check.
Then you're doing something wrong.
#4
@
13 years ago
The issue is that roles aren't hierarchical. We don't check that role Y is a full superset of role Y, thus current_user_can('editor') wouldn't work for administrators. Please don't resort to user levels. There's always a better way.
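Why the role-name check behaves as comments #2 and #4 describe, as an added example that is not part of the ticket or of WordPress's own code: a simplified, self-contained PHP model of the capability lookup. `ROLE_CAPS`, `model_all_caps()` and `model_user_can()` are hypothetical names, and the capability lists are abridged, constructed samples.

```php
<?php
// Simplified model of the capability lookup; not WordPress source code.
// Abridged, constructed capability lists for three built-in roles.
const ROLE_CAPS = [
    'contributor'   => ['read', 'edit_posts'],
    'editor'        => ['read', 'edit_posts', 'edit_others_posts'],
    'administrator' => ['read', 'edit_posts', 'edit_others_posts', 'manage_options'],
];

// Flatten a user's roles into the map that a capability check consults.
// The user's own role names end up as keys beside the real capabilities;
// the names of other roles are never added.
function model_all_caps(array $userRoles, array $roleCaps = ROLE_CAPS): array
{
    $caps = [];
    foreach ($userRoles as $role) {
        foreach ($roleCaps[$role] ?? [] as $cap) {
            $caps[$cap] = true;
        }
        $caps[$role] = true; // why a role name "works" for members of that role only
    }
    return $caps;
}

// Capability check against the flattened map.
function model_user_can(array $userRoles, string $cap, array $roleCaps = ROLE_CAPS): bool
{
    return isset(model_all_caps($userRoles, $roleCaps)[$cap]);
}

// A site that removed edit_others_posts from editors, the case raised in the thread.
$customized = ROLE_CAPS;
$customized['editor'] = ['read', 'edit_posts'];

foreach (array_keys(ROLE_CAPS) as $role) {
    printf(
        "%-13s editor=%-5s edit_others_posts=%-5s (customized site: %s)\n",
        $role,
        var_export(model_user_can([$role], 'editor'), true),
        var_export(model_user_can([$role], 'edit_others_posts'), true),
        var_export(model_user_can([$role], 'edit_others_posts', $customized), true)
    );
}
```

In the model, an administrator fails the `'editor'` check but passes `'edit_others_posts'`, and the capability check follows the customized role table where the role name cannot.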
#5
@
13 years ago
Roles by default are absolutely hierarchical, and that's what I'm banking on. Sure, users can remove edit_others_posts from editors, but I'm fine with assuming that they won't. While roles can be customized so that they're not hierarchical, they certainly are to begin with.
To continue the conversation of my specific issue, I created a support topic on wp.org so that I don't clutter Trac with my questions: http://wordpress.org/support/topic/427551. Would appreciate your feedback.
If this is not a bug, then is the only way to check current_user_can for a lower role and to get it to pass for a higher role to use the deprecated numbered levels? current_user_can('level_1') for example when you want to check contributor or higher. I need to avoid just assuming current_user_can('edit_posts') to do this check, and it seems that levels are the only other way to do this if the above desired (and I believe correct) functionality is not what WP should be doing.