
Quick Tip: User Permissions and Your Plugin

Today we're going to go over user permissions within the scope of your plugin. Specifically, I'll discuss what you should be using to determine who can see the various admin menus of your plugin.


A Solution To A Messy Problem

I stumbled across the complexity of user permissions when working on a multi-site installation of WordPress. We were hosting around 15-20 websites and had approximately 30 plugins installed. Each blog had users of various levels and responsibilities. My employers would get requests or find plugins with functionality they wanted to offer, and it would be up to me to install and configure them. That's when I ran into issues. Often, I found myself modifying plugins simply to accommodate the user roles we were using. The mess was mostly due to the different ways WordPress allows you to define who can view and use your plugin.

Once upon a time, WordPress incorporated "User Levels." There were 10 levels, each granting more privileges to the user than the last. So quite often, the developer would target a specific user level like so:

<?php
// Legacy "User Levels" check (deprecated since WordPress 3.0; shown for comparison)
if ( current_user_can( 'level_10' ) ) {
    /* do something */
}

// Or define a page, passing the numeric level as the capability argument
add_menu_page( 'Page Title', 'Menu Title', 10, 'unique-slug', 'menu_function' );
?>

For those of you not familiar with WordPress functions, the add_menu_page function is defined as:

add_menu_page( $page_title, $menu_title, $capability, $menu_slug, $function, $icon_url, $position );

This particular set of code is targeting user level 10, which would be the highest permission set. While useful in some circumstances, user levels didn't give as much flexibility as I would have liked. Fortunately, when WordPress 2.0 was released, we were given "Roles and Capabilities." Capabilities replaced user levels, and in WordPress 3.0 user levels became deprecated.

With the new way of defining user permissions, we have gained additional ways of targeting users. The first is by the role itself. Using the same functions as above, I'll illustrate targeting a user by role.

<?php
// Target a role directly. Role slugs are lowercase ('administrator'), so the
// capitalised 'Administrator' in the original snippet would never match.
if ( current_user_can( 'administrator' ) ) {
    /* do something */
}

// Or define a page, using the role slug as the capability argument
add_menu_page( 'Page Title', 'Menu Title', 'administrator', 'unique-slug', 'menu_function' );
?>

In essence, this isn't too different from using User Levels, and in my situation, that wasn't a good thing. With our multi-site setup, the Administrator role was only used by people in house. The highest role any of the clients was allowed was Editor. But they still needed to be able to do certain things within their site. And unfortunately, many plugins I ran across still used either user levels or the roles themselves to grant or deny use of their plugin. However, WordPress has provided a much more robust solution to this problem in the form of capabilities.

Capabilities allow you to target a user based on what they are able to do rather than the role they hold. Consider the example below.

<?php
// Target a capability rather than a role
if ( current_user_can( 'upload_files' ) ) {
    /* do something */
}

// Or define a page that only users holding the upload_files capability can see
add_menu_page( 'Page Title', 'Menu Title', 'upload_files', 'unique-slug', 'menu_function' );
?>

The functions now test whether the current user has the upload_files capability. If the capabilities have not been altered, this makes the menu visible and lets the code run for Super Administrators, Administrators, Editors and Authors. This is a much better solution, as individual capabilities can be added to or removed from roles in the theme's functions.php.

Now while this is the best solution for many circumstances, I like to take it one step further. When I'm developing a plugin for non-administrative functions, such as a gallery or testimonial plugin, I prefer to grant user access based on a custom capability created for the plugin. I've given an example of how to do this below.

<?php
// add_cap() is a WP_Role method, not a global function, and the grant is saved to the database: run it once on activation.
function my_plugin_activate() {
    $role = get_role( 'editor' ); // role slugs are lowercase
    if ( $role ) {
        $role->add_cap( 'my_plugin_cap' ); // $grant defaults to true
    }
}
register_activation_hook( __FILE__, 'my_plugin_activate' );
// Register the menu from the admin_menu hook; only users with my_plugin_cap will see it.
add_action( 'admin_menu', function () {
    add_menu_page( 'Page Title', 'Menu Title', 'my_plugin_cap', 'unique-slug', 'menu_function' );
} );
?>

As you can see, we're adding a capability called "my_plugin_cap" to the editor role. Then we add a menu page that is visible to all users with this capability. What's nice is that the plugin can add the capability to the appropriate roles, and if the administrator wants to give other roles access, he can do so by adding the capability himself in the theme's functions.php. In my case, that means that I no longer need to edit the plugins themselves and I can feel free to update them without worrying about losing the changes I made.
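The custom-capability approach as a complete, minimal plugin, written here as an added example rather than code from the original post. It grants and cleans up the capability on activation/deactivation, registers the menu from the admin_menu hook, re-checks the capability inside the page callback (a hidden menu item is not an authorization check), and ends with the functions.php snippet an administrator would use to extend the grant to another role. The names my_plugin_cap, my_plugin_*, the slug 'my-plugin' and the nonce action are assumptions; wp_roles() requires WordPress 4.3 or later.

```php
<?php
// Added example: my_plugin_cap, the my_plugin_* functions and slug 'my-plugin' are assumed names.
// Grant the capability to the Editor role once, on activation. WP_Role::add_cap()
// persists the change in the database, so it must not run on every request.
function my_plugin_activate() {
    $role = get_role( 'editor' );
    if ( $role ) {
        $role->add_cap( 'my_plugin_cap' );
    }
}
register_activation_hook( __FILE__, 'my_plugin_activate' );

// Remove it from every role on deactivation so no stale grant lingers.
function my_plugin_deactivate() {
    foreach ( wp_roles()->role_objects as $role ) {
        if ( $role->has_cap( 'my_plugin_cap' ) ) {
            $role->remove_cap( 'my_plugin_cap' );
        }
    }
}
register_deactivation_hook( __FILE__, 'my_plugin_deactivate' );

// Register the menu from admin_menu; WordPress hides it from users without the capability.
function my_plugin_admin_menu() {
    add_menu_page( 'My Plugin', 'My Plugin', 'my_plugin_cap', 'my-plugin', 'my_plugin_page' );
}
add_action( 'admin_menu', 'my_plugin_admin_menu' );

// A hidden menu is not authorization: re-check the capability, and the nonce when
// handling a submitted form, inside the callback before doing anything.
function my_plugin_page() {
    if ( ! current_user_can( 'my_plugin_cap' ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
    if ( isset( $_POST['my_plugin_action'] ) ) {
        check_admin_referer( 'my_plugin_action', 'my_plugin_nonce' );
        // ... handle the action here ...
    }
    echo '<div class="wrap"><h1>My Plugin</h1></div>';
}

// In the theme's functions.php, the site administrator can extend the grant to another
// role (here Author) without editing the plugin; after_switch_theme runs it once.
add_action( 'after_switch_theme', function () {
    $role = get_role( 'author' );
    if ( $role ) {
        $role->add_cap( 'my_plugin_cap' );
    }
} );
```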

I hope this tip was useful to you. Let me know if you have any questions or concerns in the comments below. Happy plugin programming!
