What's New in 2.0: Roles and Capabilities

One of the most criticized aspects of WordPress is the user privilege system. Versions 1.5.x and prior assign privileges using user levels. Each user has a level from zero through ten, with level ten being an all-powerful administrator and level zero having no powers. The levels are hierarchical. A higher level user can edit the posts of a lower level user. This sounds like a pretty simple scheme, but in practice it creates a lot of confusion. The privileges associated with each level are not clear. What is the difference between level ten and level five? Who can edit whom? Can a level five edit another level five? What exactly can each of those eleven levels do?

For 2.0, we decided that the privilege system was ready for an overhaul. After researching the way other weblog and CMS applications handled privileges, we decided to go with a Role and Capability model. After some debate about the workflow we wanted to establish, we settled on creating five roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has a set of associated capabilities. A Subscriber has very limited capabilities. A Subscriber can see the Dashboard and edit his own profile. That is all. A Contributor can draft posts but cannot publish them. An Author can publish posts. An Editor can edit other people’s posts and can manage categories, links, comments, and pages. An Administrator can do everything. An Admin can switch themes, activate plugins, edit files, and run importers.

Although these roles seem hierarchical, they are not. Each role is simply a set of capabilities. The Editor and Administrator roles have the capability to edit posts that do not belong to them. They can edit anyone’s posts, including each other’s. For those used to the old user level hierarchy, allowing Editors to modify posts made by Administrators may seem odd. Avoiding the hierarchy was a purposeful decision, however. You either have the capability to edit others’ posts, or you don’t. We’re trying to keep it simple.

Users can belong to one or more roles and can have individual capabilities assigned to them outside of the context of a role. In the default UI, only one role per user is exposed. You select which of the five roles you want a user to be in, and that is that. You can’t edit roles or assign individual capabilities to users. Again, this is a purposeful design decision that is intended to keep things simple. More advanced role and capability management will be available through a plugin.
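The two paragraphs above (roles as flat sets, and a user's capabilities being the union of their roles plus individually assigned capabilities) can be modelled in a few lines of stand-alone PHP. This is an added illustration, not WordPress's capabilities.php; the role table is inferred from the prose of this post and the sample users are constructed.

```php
<?php
// Added illustration, not WordPress's own code. The role-to-capability table
// is an assumption inferred from the article's prose; the Administrator list
// is a subset, not the shipped table.
$roleCaps = [
    'subscriber'    => ['read'],
    'contributor'   => ['read', 'edit_posts'],
    'author'        => ['read', 'edit_posts', 'publish_posts'],
    'editor'        => ['read', 'edit_posts', 'publish_posts', 'edit_others_posts',
                        'edit_pages', 'moderate_comments', 'manage_categories', 'manage_links'],
    'administrator' => ['read', 'edit_posts', 'publish_posts', 'edit_others_posts',
                        'edit_pages', 'moderate_comments', 'manage_categories', 'manage_links',
                        'switch_themes', 'activate_plugins', 'edit_files', 'import'],
];

// Effective capabilities: union of every role's set plus direct grants.
// A role name that is not in the table grants nothing.
function effective_caps(array $user, array $roleCaps): array
{
    $caps = $user['caps'];
    foreach ($user['roles'] as $role) {
        $caps = array_merge($caps, $roleCaps[$role] ?? []);
    }
    return array_values(array_unique($caps));
}

function user_can(array $user, string $cap, array $roleCaps): bool
{
    return in_array($cap, effective_caps($user, $roleCaps), true);
}

// Capability rule: own posts need edit_posts, anyone else's need
// edit_others_posts. Who the other author is does not matter.
function can_edit_post(array $user, int $postAuthorId, array $roleCaps): bool
{
    $needed = ($user['id'] === $postAuthorId) ? 'edit_posts' : 'edit_others_posts';
    return user_can($user, $needed, $roleCaps);
}

// Legacy 1.5.x rule as the article states it: higher level edits lower level.
function legacy_can_edit(int $editorLevel, int $authorLevel): bool
{
    return $editorLevel > $authorLevel;
}

// Constructed sample users; 'level' is the highest level_N each role carries.
$admin  = ['id' => 1, 'level' => 10, 'roles' => ['administrator'], 'caps' => []];
$editor = ['id' => 2, 'level' => 7,  'roles' => ['editor'],        'caps' => []];
$helper = ['id' => 3, 'level' => 1,  'roles' => ['contributor'],   'caps' => ['upload_files']];
$ghost  = ['id' => 4, 'level' => 0,  'roles' => ['no_such_role'],  'caps' => []];

$checks = [
    'editor edits admin post (capabilities)'  => can_edit_post($editor, $admin['id'], $roleCaps),
    'editor edits admin post (legacy levels)' => legacy_can_edit($editor['level'], $admin['level']),
    'contributor edits own post'              => can_edit_post($helper, $helper['id'], $roleCaps),
    'contributor edits editor post'           => can_edit_post($helper, $editor['id'], $roleCaps),
    'contributor uploads (direct grant)'      => user_can($helper, 'upload_files', $roleCaps),
    'contributor publishes'                   => user_can($helper, 'publish_posts', $roleCaps),
    'unknown role reads'                      => user_can($ghost, 'read', $roleCaps),
];
foreach ($checks as $label => $allowed) {
    printf("%-42s %s\n", $label, $allowed ? 'allow' : 'deny');
}
```

The first two rows are the behaviour change to watch for when upgrading: code that still reasons in terms of "higher level wins" will disagree with the capability check.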

Currently, about twenty capabilities are defined. In the code, capabilities are simply keywords that can be assigned to users and roles. Here is our full capability set.

  • switch_themes
  • edit_themes
  • activate_plugins
  • edit_plugins
  • edit_users
  • edit_files
  • manage_options
  • moderate_comments
  • manage_categories
  • manage_links
  • upload_files
  • import
  • unfiltered_html
  • edit_posts
  • edit_others_posts
  • edit_published_posts
  • publish_posts
  • edit_pages
  • read

For backward compatibility with the user level system, we also have capabilities that correspond to levels: level_0, level_1, … , level_10. A Subscriber has the level_0 capability. A Contributor has level_0 and level_1. An Author has level_0, level_1, and level_2. An Editor has level_0 through level_7, and an Administrator has level_0 through level_10. When upgrading from a previous version of WP, all users are mapped to roles based on their user level. A level seven user will be mapped into the Editor role, for example.

For plugin authors, an API is available for retrieving and manipulating roles and capabilities. A plugin can create a new capability called ‘do_foo’ and give that capability to the Administrator role with the following code.

$role = get_role('administrator');

$role->add_cap('do_foo');

To check if the currently logged in user has this capability, plugins can make use of the current_user_can() function.

if ( current_user_can('do_foo') ) ...

To check the capabilities for a certain user ID, instantiate a WP_User object.

$user_id = 1;

$user = new WP_User($user_id);

if ( $user->has_cap('do_foo') ) ...

If a brand new role is needed, one can be created using add_role() and add_cap().

$role = add_role('foo_doer', 'Foo Doer');

$role->add_cap('do_foo');

$role->add_cap('do_bar');

Those are the basics. Consult capabilities.php for the full API. The most commonly used bit of API is current_user_can(). Whenever you need to determine if the logged-in user can do something, use current_user_can().
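The calls above, put together as one small plugin that grants the capability, gates a screen on it, and revokes it again. This is an added example, not code from the original post; it assumes a WordPress install, and the foo_* function names, the foo-doer menu slug and the choice of hooks are illustrative assumptions.

```php
<?php
/*
Plugin Name: Foo Doer (added example)
*/
// Added example, not from the original post. foo_* names, the menu slug and
// the hooks used are assumptions made for illustration.

// add_cap() and add_role() persist their change, so grant once on
// activation rather than on every page load.
register_activation_hook(__FILE__, 'foo_grant');
function foo_grant()
{
    $admin = get_role('administrator');
    if ($admin) {
        $admin->add_cap('do_foo');
    }
    if (!get_role('foo_doer')) {
        // Deliberately narrow role: 'read' plus the one new capability.
        add_role('foo_doer', 'Foo Doer', array('read' => true, 'do_foo' => true));
    }
}

// Revoke on deactivation so the grant does not outlive the plugin.
register_deactivation_hook(__FILE__, 'foo_revoke');
function foo_revoke()
{
    $admin = get_role('administrator');
    if ($admin) {
        $admin->remove_cap('do_foo');
    }
    remove_role('foo_doer');
}

// The menu entry is registered against do_foo, not against a role name
// or a level_N capability.
add_action('admin_menu', 'foo_menu');
function foo_menu()
{
    add_menu_page('Foo', 'Foo', 'do_foo', 'foo-doer', 'foo_page');
}

// Re-check inside the handler as well, so the function stays guarded if it
// is ever reached from another code path.
function foo_page()
{
    if (!current_user_can('do_foo')) {
        wp_die('You do not have permission to do foo.');
    }
    echo '<div class="wrap"><h2>Foo</h2><p>Foo done.</p></div>';
}

// Checking a specific user rather than the one who is logged in.
function foo_user_may($user_id)
{
    $user = new WP_User($user_id);
    return $user->has_cap('do_foo');
}
```

Checking the custom capability everywhere, instead of testing for the Administrator role, means a site owner can later hand do_foo to another role without the plugin needing a change.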

For more information on roles and capabilities, take a look at Owen’s overview. If you are a plugin author with questions regarding use of the API, visit the Hackers list. If you are a user wondering what this means to you, visit the Support Forums.

54 comments to What's New in 2.0: Roles and Capabilities

  1. [...] This seems to be a subject that has been in discussion before as after about 25 messages on the mailing list, Ryan Boren decided to post a more public post on his blog. This may or may not have been in response to the mailing list thread but I read it as an attempt to stop the criticism. Of course, I could be wrong. Personally, I think the framework that has been developed, including the API of the capabilities system was definitely written with the right goal. I just think that the direction that was taken after this step was the wrong one. This was my major message on the thread (edited for format): Since WordPress is supposed to be a ‘publishing platform’ it would make some sense that one would try and go with the idea of other published works (i.e. a newspaper) but we should really remember what the final product is: a web log. In the spirit of K.I.S.S., I think we should really forget about the whole idea of Editors-in-Chief, Managing Editors, etc. and think about what should be the simplest and most basic form that WordPress should have while allowing for variations that others may need for their own personal sites. [...]

  2. Norman Gerre says:

    What’s the best time to add caps? Plugins are loaded before $wp_roles is defined, so you can’t use get_role() etc. unless it’s hooked into a function.

    The init action?

  3. [...] If you are looking forward to WP2.0 and you have multiple users, you really need to know all about what the new user level arrangements are. Do not upgrade and then find out that people can see and do things you do not want them seeing / doing. So start by reading Ryan’s information and lead off from there. ¤ Read (1) [...]

  4. Ryan: Great stuff. I’ve always meant to clarify what levels signified. Now I don’t need to!

    This is a fantastic development for WordPress, and I’m wondering if you think this might lead to more collaborative blogs appearing out there?

  5. [...] Ryan Boren published an article yesterday about the new user role system in WordPress 2.0. As those who are already using or have tried one of the betas or the recent RC1 of the new WordPress will have noticed, the permission system has gone from being a numeric system to a role system. [...]

  6. [...] The new roles and capabilities make a lot of sense, but I’m not sure I like the term “subscriber”. Subscribing comes with a lot of concepts. I probably would have just called it “user”. And yes, this is coming close to the ideal I have in mind for how a user system should work. [...]

  7. [...] An interesting article by Ryan Boren that explains the new user structure of WP 2.0; since it will be one of the new features that may “disconcert” people, and for those who are not comfortable with English, here is a summary/translation in which the programming details are partly left out. Here is the “translation”: [...]

  8. Capabilities. in many ways…

    Wordpress is using capabilities. From the capabilities.php file, propagation of capabilities is not a problem, mostly because it’s not the type of capability system that we’ve been reading about in our security class. It’s more like …

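  9. [...] In addition, the new version of Wordpress substantially revises the original permission design. In version 1.5 and earlier, permissions were divided into 0-10, where 10 was the top administrator and 0 had no permissions, and higher-level users could edit and modify lower-level ones. It looks like a simple design, but in practice the distinctions were not very clear (users of the same level? What is the difference between 7 and 5?). So in the new design, permissions are divided into five kinds, Subscriber, Contributor, Author, Editor, and Administrator, each with clearly distinguished role functions; see this article for a more detailed understanding. Tags [...]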

  10. So a bunch of nonsensical user levels with numeric names have been replaced with a bunch of nonsensical user levels with textual names? Big deal. Why not just let site administrators define their own ‘roles’ phpbb-style?

  11. [...] The new WordPress 2 comes with a new role system; on this, one of the co-developers, boren.nu: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has a set of associated capabilities. A Subscriber has very limited capabilities. A Subscriber can see the Dashboard and edit his own profile. That is all. A Contributor can draft posts but cannot publish them. An Author can publish posts. An Editor can edit other people’s posts and can manage categories, links, comments, and pages. An Administrator can do everything. An Admin can switch themes, activate plugins, edit files, and run importers. more articles on: WordPress   [...]

  12. Role play instead of user levels…

    Up to WordPress 1.5.2 there were 11 hierarchical user levels, namely from 0 to 10. Whoever had user level 8 could do everything user level 7 could and was effectively its superior, because he could edit not only his own things but also the ….

  13. Brian Bonner says:

    Hmm, why can’t users edit their own comments? I didn’t see the option in this post, and that is the most used user permission on my blog. I use a plug-in for allowing editing of comments, but it should be built into wordpress.

  14. [...] Ryan Boren, a WordPress developer, has explained in more detail in an article (in English) how the new user levels will be used in future. I found this article interesting, so I sat down and translated the whole lot: [...]

  15. [...] Yesterday WordPress announced WordPress 2.0 Release Candidate?(RC3), so 2.0 final is probably not far off. As for what is new in 2.0, take a look at What’s New in 2.0: Roles and Capabilities [...]

  16. [...] Perun has written a first short review of WordPress 2 beta 1 on his blog. There are also a few screenshots of the backend on Flickr. A comprehensive English-language list of changes is available from Owen Winkler, and there is another detailed (English) report at boren.nu, also as a German translation at Kylaloo. [...]

  17. McShelby says:

    Hey Ryan, this post was a nice kick off to bring me on the right track with roles and capabilities but because the strings for the roles are localized, could you please edit your examples to

    $role = get_role(__('Administrator'));

  18. [...] Capabilities and Roles – In previous versions of WordPress, users could be given ‘limited’ permissions by assigning user levels. User levels, in the past, have relied on a scale 0 to 10, with 10 having unlimited administrative permissions. Various levels in between allowed ‘guest’ bloggers or contributors to have appropriate rights on your blog. In WordPress 2.0, this has been completely revamped. Without going into a lot of repetitive details on the nature of the various capabilities (Ryan explains capabilities and roles in great detail), the new features open up a whole new avenue of flexibility for plugin authors. [...]

  19. [...] 2.- Capabilities – Roles. In earlier versions of WP, administrators could grant user permissions by means of levels from 1 to 10. In this version this has been completely changed and permissions are granted through roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has different permissions. [...]

  20. [...] New user permission management system. It is explained at length at boren.nu, and Guillermo already gave us a preview at blogpocket in El sistema de roles de usuario de WP 2.0. [...]

  21. [...] New user permission management system. It is explained at length at boren.nu, and Guillermo already gave us a preview at blogpocket in El sistema de roles de usuario de WP 2.0. [...]

  22. [...] Capabilities – Roles. In earlier versions of WP, administrators could grant user permissions by means of levels from 1 to 10. In this version this has been completely changed and permissions are granted through roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has different permissions. [...]

  23. [...] Capabilities and Roles: Earlier versions of WordPress assigned numeric “User Levels” to users of the system. This created all kinds of confusion with what user levels had permission to do what. Now WP 2.0 has completely changed this to a more logical title-based user capability/role system. This just makes more sense. More info on this can be found at Ryan Boren’s blog. [...]

  24. [...] If you have been in "this blogging thing" for a while, you surely know WordPress, perhaps the best-known blogging tool. Well, with the imminent release of WordPress 2.0, many expectations are at stake. The following is a short list of the ten features of WordPress 2.0 that will be extremely useful to know about. Thumbnails of downloaded themes: at present, when looking for a WordPress theme, one is usually lucky enough to see it applied on some blog before installing it, which gives an idea of how it looks. But sometimes we want to install a theme and cannot find an example, or there simply is none. Well, theme creators can now add an image called screenshot.png in the root directory, so that it is displayed before the theme is activated. Capabilities and Roles: At present, user permissions are limited to a number from 0 to 10 that the blog’s users hold. This has been completely changed, moving to a scheme of Capabilities and Roles that gives plugin creators the flexibility needed to apply different permissions to users. [...]

  25. [...] Users and permissions: Many improvements have been made for those of you who administer a WP-based group blog. You can read more about this here. [...]

  26. [...] Capabilities and Roles: At present, user permissions are limited to a number from 0 to 10 that the blog’s users hold. This has been completely changed, moving to a scheme of Capabilities and Roles that gives plugin creators the flexibility needed to apply different permissions to users. [...]

  27. [...] Capabilities – Roles. In earlier versions of WP, administrators could grant user permissions by means of levels from 1 to 10. In this version this has been completely changed and permissions are granted through roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has different permissions. [...]

  28. [...] 2.- Capabilities – Roles. In earlier versions of WP, administrators could grant user permissions by means of levels from 1 to 10. In this version this has been completely changed and permissions are granted through roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has different permissions. [...]

  29. [...] Ryan Boren explains the user levels in WP 20. [...]

  30. [...] Boren – Whats New in WordPress 2.0 Roles and Capabilities [...]

  31. [...] One of the major updates in WordPress 2.0 is the Role System. Ryan Boren has covered the capability list in his blog: For 2.0, we decided that the privilege system was ready for an overhaul. After researching the way other weblog and CMS applications handled privileges, we decided to go with a Role and Capability model. After some debate about the workflow we wanted to establish, we settled on creating five roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has a set of associated capabilities. A Subscriber has very limited capabilities. A Subscriber can see the Dashboard and edit his own profile. That is all. A Contributor can draft posts but cannot publish them. An Author can publish posts. An Editor can edit other people’s posts and can manage categories, links, comments, and pages. An Administrator can do everything. An Admin can switch themes, activate plugins, edit files, and run importers. [...]

  32. [...] Very few new features to justify undergoing a migration in which anything can go wrong. The only feature I would single out above the rest, and for which the change would be worthwhile, is the facelift that has been given to user permissions. Numeric rights (which ranged from 0 to 9, with 10 reserved for the administrator) are abandoned in favour of a system of categories that are called roles in this environment. Now each user belongs to one of the groups defined by the CMS (Subscriber, Contributor, Author, Editor and Administrator) and, depending on which one they belong to, acquires certain permissions. [...]

  33. [...] 2.- Capabilities – Roles. In earlier versions of WP, administrators could grant user permissions by means of levels from 1 to 10. In this version this has been completely changed and permissions are granted through roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has different permissions. [...]

  34. [...] One that is fairly useful is the user Roles and Capabilities feature. It seems a good fit for a multi-contributor blog like Merdeka Blog. Rather than having to set levels, it really is better to use roles. [...]

  35. [...] Urgent maintenance work has been carried out. WordPress 2.0 is now running in the background. The changes made in the background can be seen at this link. If problems or display errors should occur, please let me know. [...]

  36. [...] Capabilities and Roles – In previous versions of WordPress, users could be given ‘limited’ permissions by assigning user levels. User levels, in the past, have relied on a scale 0 to 10, with 10 having unlimited administrative permissions. Various levels in between allowed ‘guest’ bloggers or contributors to have appropriate rights on your blog. In WordPress 2.0, this has been completely revamped. Without going into a lot of repetitive details on the nature of the various capabilities (Ryan explains capabilities and roles in great detail), the new features open up a whole new avenue of flexibility for plugin authors. For instance, there is an API function called current_user_can(), which allows the plugin author to match a currently logged in user against a list of capabilities. These capabilities range from ‘moderate_comments’ to ‘publish_posts’. Ryan’s article has the entire list, but it can also be found at the bottom of the wp-admin/upgrade-schema.php file. [...]

  37. [...] The majority of differences between 2.0 and previous 1.5.x versions are in the user interface (admin area) and casual users won’t see them. There is the new “Roles and Capabilities” determination for blog subscribers/authors. A good run-down of all the changes, with an explanation, comes from Asymptomatic. Also, with the upgrade of the platform, WordPress has redesigned their main site and provided an improved, and organized, documentation section. That is especially good to see. [...]

  38. [...] Though from the reports, WordPress 2.0 does look like it has some great features. (For more details on the new stuff and some warnings look at Ten things you should know about WordPress 2.0, What’s new in 2.0: roles and capabilities and 5 little things I like about WordPress 2.0. [...]

  39. [...] I’ve been toying around with the files for SoMuchGeek.com’s Live+Press plugin for the better part of today. I have edited several files (sadly, I honestly can not recall what I’ve changed), browsed through the database structure to find WP2.0 specific tables since the called for ‘user_levels’ is no longer available (this, after repeated attempts to figure out how to add roles/capabilities to this plugin) and went through quite a bit of ‘trial and error’ updating. I don’t want to step on any toes by playing around with another’s code, but I miss the functionality Live+Press added to my blog and the plugin’s author hasn’t been active for quite some time. My sad attempt at proffering a bribe for a fix went unanswered ;-p [...]

  40. Roles in WordPress 2.0…

    Ryan Boren, one of the main WordPress developers, recently published an article about user roles and capabilities in version 2.0.
    BlogPocket, in its post El sistema de roles de usuario en WordPress 2.0, translates part of the …

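  41. [...] Compared with the earlier use of 0-10 to assign user permissions, managing with the five roles “Administrator”, “Editor”, “Author”, “Contributor” and “Subscriber” is obviously easier to understand, but I do not yet have a clearer understanding of it, since I basically have no use for it; if you want to learn about this feature in detail, you can read Ryan’s article. [...]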

  42. [...] Ryan Boren has a detailed post regarding this. WP_Roles provides following methods: [...]

  43. [...] Capabilities and Roles – In previous versions of WordPress, users could be given ‘limited’ permissions by assigning user levels. User levels, in the past, have relied on a scale 0 to 10, with 10 having unlimited administrative permissions. Various levels in between allowed ‘guest’ bloggers or contributors to have appropriate rights on your blog. In WordPress 2.0, this has been completely revamped. Without going into a lot of repetitive details on the nature of the various capabilities (Ryan explains capabilities and roles in great detail), the new features open up a whole new avenue of flexibility for plugin authors. [...]

  44. [...] Capabilities and Roles: At present, user permissions are limited to a number from 0 to 10 that the blog’s users hold. This has been completely changed, moving to a scheme of Capabilities and Roles that gives plugin creators the flexibility needed to apply different permissions to users. [...]

  45. [...] 2.- Capabilities – Roles. In earlier versions of WP, administrators could grant user permissions by means of levels from 1 to 10. In this version this has been completely changed and permissions are granted through roles: Subscriber, Contributor, Author, Editor, and Administrator. Each of these roles has different permissions. [...]

  46. [...] Capabilities and Roles: At present, user permissions are limited to a number from 0 to 10 that the blog’s users hold. This has been completely changed, moving to a scheme of Capabilities and Roles that gives plugin creators the flexibility needed to apply different permissions to users. [...]

  47. Todd says:

    One suggestion. I would love to have a “Commentator” Role/Capability. On my new blog I feel compelled to turn off comment capability, but if a “Commentator” Role was created then I could assign rights to team members who would have the ability to comment on stories and no one else.

    True, I could just turn comments on and then moderate them so that only team members were posted; however, then I risk upsetting those who leave a comment and are rejected out of hand.

    It’s just a thought
    Challen

  48. Denton says:

    I finally found what many of you said you were looking for…just like me. The ability to moderate authors.
    I used this plugin successfully. It saved my life…
    It’s a plugin for WordPress2.0 called Role Manager.
    http://redalt.com/Resources/Plugins/Role+Manager

  49. [...] Ryan Boren published an article yesterday about the new user role system in WordPress 2.0. As those who are already using or have tried one of the betas or the recent RC1 of the new WordPress will have noticed, the permission system has gone from being a numeric system to a role system. [...]

  50. [...] Without going into a lot of repetitive details on the nature of the various capabilities (Ryan explains capabilities and roles in great detail), the new features open up a whole new avenue of flexibility for plugin [...]

  51. [...] werden: Subscriber, Contributor, Author, Editor, and Administrator. Was die Rollen können kann man hier [...]

  52. [...] Ryan Boren published an article yesterday about the new user role system in WordPress 2.0. As those who are already using or have tried one of the betas or the recent RC1 of the new WordPress will have noticed, the permission system has gone from being a numeric system to a role system. [...]

  53. [...] Ryan Boren’s What’s New in 2.0: Roles and Capabilities [...]

  54. [...] Without going into a lot of repetitive details on the nature of the various capabilities (Ryan explains capabilities and roles in great detail), the new features open up a whole new avenue of flexibility for plugin [...]