Make WordPress Core

Opened 9 years ago

Last modified 6 years ago

#36939 new enhancement

Role groups

Reported by: johnjamesjacoby
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords: 2nd-opinion
Focuses:
Cc:

Description

WordPress's roles & capabilities API has support for allowing users to have multiple roles, and recent improvements to the Users list table have helped improve the administrator experience a bit by showing all roles rather than just the first one for each user.

I think what makes multiple user-roles confusing (or maybe less valuable) is that WordPress by itself does not directly benefit from allowing users to have multiple roles, because the existing roles are designed to blanket all of WordPress's bundled functionality.

I'd like to propose the introduction of Role Groups, as a layer that lives one layer above the main WP_Roles object to allow for groups of roles to be registered, enabling users to have at least 1 role from each role group.


For example:

  • You install bbPress, and Bob cannot publish posts but can moderate the forums
  • You install WooCommerce, and Jane can contribute posts to the blog, and can also buy items from the store
  • You install BuddyPress, and while Chris can administrate posts, pages, and media, he cannot moderate the community

In the above scenarios, each of these plugins would register their own role groups, and any user could easily have 1 role for each "section" of the same 1 WordPress site.


How could WordPress core use this?

  • Create a role group for Posts, Pages, Media, Comments, and Users
  • One's ability to edit posts should not assume they can moderate comments
  • One's ability to moderate comments should not assume they can publish posts
  • One's ability to upload media & attachments should not assume they can publish pages
  • One's ability to edit an existing user should not assume they can upload media

How does this complicate things?

Depending on how deeply this is implemented, potentially greatly, or not at all for vanilla WordPress installations.

  • If we keep WordPress's built-in roles identical to how they are today, they become 1 role group that grants access to Posts, Pages, Media, Comments, and Users; then plugins can define their own role groups, and we make sure WordPress has an adequate interface for assigning multiple roles for each user.
  • If we separate WordPress's roles into groups for each object type, backwards compatibility is a huge issue, as is how confusing it makes granting access and assigning default roles for each group.
  • We may be able to remove the "Default Role" setting UI entirely, and leave it to plugins to reopen this functionality for improved support for multiple roles.

What do we do now?

Let's talk this through, decide if it's worthwhile, and maybe work towards something viable. Much of this can happen without much (if any) modification to WordPress core. Worst case, we uncover more areas of WordPress that can be improved to support multiple roles per user, and address those in separate tickets. Best case, we make the existing roles & capabilities API more plugin-friendly.

Change History (1)

#1 @johnjamesjacoby
9 years ago

It's also plausible that "role groups" is a bad name for this idea, as it perpetuates the conflation of "user groups" and "groups of users", so if anyone has experience or opinions about how to blend this with existing WordPress nomenclature, let's hear it.

WordPress uses a sort-of hybrid between ACL and RBAC, in a way that I feel like takes the best of both ideologies and bunches them together. Because of this, it's hard to imagine a next-generation system that doesn't start to gravitate towards one or the other.

Role groups could also help us define roles for different types of access to the Network Dashboard, which would likely be where the highest value for WordPress core would come from.
