Enforcing Role Security


Roles

WordPress has a notion of roles that can be assigned to users: “Administrator”, “Editor”, “Author”, “Contributor”, “Subscriber”. In your plugin code, you may wish to enforce security programmatically, that is, to allow a section of code to execute only if the current user has an adequate role.

Your XXX_Plugin class inherits some functions from the XXX_OptionsManager class that make role checking easier. For example:

    if ($this->isUserRoleEqualOrBetterThan('Author')) {
        // do protected operation
    }

returns true if the current user has the Author role or higher. This is useful, for example, in an “if” statement that guards code which can be executed via an AJAX call. (See more on the Creating AJAX Calls page.)

Role Options

In some cases, you want the role (‘Author’ in the example above) to be configurable. You can do this by defining a plugin “Role Option” (read how to define one on the Handling Options page).

The example above can be changed to:

    if ($this->canUserDoRoleOption('CanDoSomeSpecialOperation')) {
        // do protected operation
    }

where ‘CanDoSomeSpecialOperation’ is the name of a role option that you define.

You can get the name of the minimal role level required for a role option using:

    $this->getRoleOption('CanDoSomeSpecialOperation');

Capabilities

In addition to roles, WP has the notion of “capabilities” such as “manage_options”, “publish_pages”, “publish_posts”, “read”. Sometimes you need to call a WP function that takes a capability parameter rather than a role. The template code provides a convenience function that converts a role to a capability.

For example, when adding an administrative submenu page:

    $roleAllowed = 'Author';
    $capability = $this->roleToCapability($roleAllowed);
    add_submenu_page( $parent_slug, $page_title, $menu_title, $capability, $menu_slug, $function );
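As an added illustration (not code from the template itself), here is a plugin class that uses the three helpers described on this page together: roleToCapability() to register a submenu page, isUserRoleEqualOrBetterThan() to guard the page callback, and canUserDoRoleOption() to guard an AJAX handler. The class name MyPlugin_Plugin, its parent MyPlugin_OptionsManager, the addActionsAndFilters() registration method, the action, slug and nonce names are assumptions; the role option 'CanDoSomeSpecialOperation' is the one from the examples above.

```php
<?php
// Added example, not part of the plugin template. Assumes the generated plugin class
// is MyPlugin_Plugin (inheriting the role helpers from MyPlugin_OptionsManager) and
// that a role option named 'CanDoSomeSpecialOperation' has been defined.
class MyPlugin_Plugin extends MyPlugin_OptionsManager {

    public function addActionsAndFilters() {
        // Register the AJAX endpoint for logged-in users only (no wp_ajax_nopriv_ hook),
        // so anonymous requests never reach the handler at all.
        add_action('wp_ajax_myplugin_special_op', array($this, 'ajaxSpecialOperation'));
        add_action('admin_menu', array($this, 'addSettingsSubMenuPage'));
    }

    public function addSettingsSubMenuPage() {
        // Hiding the menu entry is only cosmetic: the page callback and the AJAX
        // handler below still perform their own server-side checks.
        $capability = $this->roleToCapability('Author');
        add_submenu_page('options-general.php', 'My Plugin', 'My Plugin',
                         $capability, 'myplugin-settings', array($this, 'renderSettingsPage'));
    }

    public function renderSettingsPage() {
        // Re-check at the point of execution rather than trusting the menu capability alone.
        if (!$this->isUserRoleEqualOrBetterThan('Author')) {
            wp_die(__('You do not have sufficient permissions to access this page.'));
        }
        // Emit a nonce that the browser sends back with the AJAX request.
        wp_nonce_field('myplugin_special_op', 'myplugin_nonce');
        echo '<p>Settings page content goes here.</p>';
    }

    public function ajaxSpecialOperation() {
        // Reject forged (cross-site) requests before doing anything else.
        check_ajax_referer('myplugin_special_op', 'myplugin_nonce');

        // The configurable role option decides who may run the protected operation.
        if (!$this->canUserDoRoleOption('CanDoSomeSpecialOperation')) {
            wp_send_json_error(array('message' => 'Insufficient role'), 403);
        }

        // ... do protected operation ...
        wp_send_json_success(array('done' => true));
    }
}
```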


2 Responses to “Enforcing Role Security”

  1. If you’re working in a sub function like a shortcode file, you might need to create the plugin object first:

    $aPlugin = new CaordaSiteMonitor_Plugin();
    if ($aPlugin->canUserDoRoleOption('CanDoSomeSpecialOperation')) {
        // do protected operation
    }
