current_user_can() WP 2.0.0

Whether the current user has a specific capability.

This function should be used after the plugins_loaded action. By default WordPress setups current user on the init hook.

Use user_can() to check the capabilities of the specified user.

Contents:

Usage
Basic capabilities
Meta capabilities
Examples
#1 Whether a user is an administrator
#2 Use user_can() to check the capabilities of the current user
#3 Using $object_id
#4 Check the capability for specific taxonomy item
Verify the role of the current user
#1 First function
#2 Second function

Is the basis for: get_edit_post_link()

Works based on: WP_User::has_cap()

✈ 1 time = 0.00088s = slow | 50000 times = 0.86s = very fast | PHP 7.1.11, WP 4.9.5

No Hooks.

Return

true/false. Whether the current user has the given capability. If $capability is a meta cap and $object_id is passed, whether the current user has the given meta capability for the given object.

Usage

current_user_can( $capability );

$capability(string) (required)

Capability name. See here for the list of roles and capabilities.

$object_id(int) (required)

ID of the specific object to check against if $capability is a "meta" cap.

"Meta" capabilities, e.g. 'edit_post', 'edit_user', etc., are capabilities used by map_meta_cap() to map to other "primitive" capabilities, e.g. 'edit_posts', 'edit_others_posts', etc. Accessed via func_get_args() and passed to WP_User::has_cap(), then map_meta_cap().

Basic capabilities

Capability	Super Admin	Admin	Editor	Author	Contributor	Subscriber
setup_network (WP 4.8)	yes
upgrade_network (WP 4.8)	yes
manage_network	yes
manage_sites	yes
manage_network_users	yes
manage_network_plugins	yes
manage_network_themes	yes
manage_network_options	yes
Capability	Super Admin	Admin	Editor	Author	Contributor	Subscriber
activate_plugins	yes	yes (single site or enabled by network setting)
deactivate_plugins (WP 4.9)	yes	yes
create_users	yes	yes (single site)
delete_plugins	yes	yes (single site)
delete_themes	yes	yes (single site)
delete_users	yes	yes (single site)
edit_files	yes	yes (single site)
edit_plugins	yes	yes (single site)
edit_theme_options	yes	yes
edit_themes	yes	yes (single site)
edit_users	yes	yes (single site)
export	yes	yes
import	yes	yes
install_plugins	yes	yes (single site)
install_themes	yes	yes (single site)
install_languages (WP 4.9)	yes	yes (single site)
update_languages (WP 4.9)	yes	yes (single site)
list_users	yes	yes
manage_options	yes	yes
promote_users	yes	yes
remove_users	yes	yes
switch_themes	yes	yes
update_core	yes	yes (single site)
update_plugins	yes	yes (single site)
update_themes	yes	yes (single site)
edit_dashboard	yes	yes
Capability	Super Admin	Admin	Editor	Author	Contributor	Subscriber
unfiltered_html	yes	yes (single site)	yes (single site)
moderate_comments	yes	yes	yes
manage_categories	yes	yes	yes
manage_links	yes	yes	yes
edit_others_posts	yes	yes	yes
edit_pages	yes	yes	yes
edit_others_pages	yes	yes	yes
edit_published_pages	yes	yes	yes
publish_pages	yes	yes	yes
delete_pages	yes	yes	yes
delete_others_pages	yes	yes	yes
delete_published_pages	yes	yes	yes
delete_others_posts	yes	yes	yes
delete_private_posts	yes	yes	yes
edit_private_posts	yes	yes	yes
read_private_posts	yes	yes	yes
delete_private_pages	yes	yes	yes
edit_private_pages	yes	yes	yes
read_private_pages	yes	yes	yes
Capability	Super Admin	Admin	Editor	Author	Contributor	Subscriber
edit_published_posts	yes	yes	yes	yes
upload_files	yes	yes	yes	yes
publish_posts	yes	yes	yes	yes
delete_published_posts	yes	yes	yes	yes
edit_posts	yes	yes	yes	yes	yes
delete_posts	yes	yes	yes	yes	yes
read	yes	yes	yes	yes	yes	yes

More details here

Meta capabilities

Above is a list of primitive capabilities, but there are also meta capabilities – they have additional parameters, for example edit_post (the capability to edit the specified post) need ID of the post:

if( current_user_can('edit_post', 123) ) {
	 echo 'Current user can edit post 123'.
}

The list of meta-capabilities:

delete_user
edit_user
remove_user
promote_user
delete_post
delete_page
edit_post
edit_page
edit_comment
read_post
read_page

edit_term                   — WP 4.7.
delete_term                 — WP 4.7 —
assign_term                 — WP 4.7 —
activate_plugin             — WP 4.9 — current_user_can( 'activate_plugin', 'my-plugin/my-plugin.php' )
deactivate_plugin           — WP 4.9 — current_user_can( 'deactivate_plugin', 'my-plugin/my-plugin.php' )

export_others_personal_data — WP 4.9.6 — is_multisite() ? 'manage_network' : 'manage_options'
erase_others_personal_data  — WP 4.9.6 — is_multisite() ? 'manage_network' : 'manage_options'
manage_privacy_options      — WP 4.9.6 — is_multisite() ? 'manage_network' : 'manage_options'

Learn more about meta-capabilities here: map_meta_cap()

Examples

#1 Whether a user is an administrator

if( current_user_can('manage_options') ){
	echo "The user can manage options!";
}

#2 Use `user_can()` to check the capabilities of the current user

global $user;
if( user_can($user->ID, 'manage_options') ){
	// do something
};

manage_options - administrator's capibility

#3 Using `$object_id`

if( current_user_can('edit_post', 123) ) {
	 echo 'Current user can edit post 123'.
}

#4 Check the capability for specific taxonomy item

Since 4.7 you can check the capabilities for specific terms using edit_term, delete_term, assign_term.

This example displays a link for editing term item only if the user has specific capability:

if( current_user_can('edit_term', $term_id) ){
	echo '<a href="'. get_edit_term_link( $term_id ) .'">Edit.</a>';
}

Verify the role of the current user

Don't pass the name of the role to this function because the verification may work incorrectly. An example of how not to do it:

// if the current user is editor, the function returns:
current_user_can('administrator') // false
current_user_can('editor') // true
current_user_can('contributor') // false
current_user_can('subscriber') // false

Instead, you can use:

#1 First function

/**
 * Checks the role of a specific user.
 *
 * @param string $role Name of the role.
 * @param bool $user_id (optional) User ID to check the role against.
 * @return bool
 */
function is_user_role( $role, $user_id = null ) {
	$user = is_numeric( $user_id ) ? get_userdata( $user_id ) : wp_get_current_user();

	if( ! $user )
		return false;

	return in_array( $role, (array) $user->roles );
}

// Using for the current user
if( is_user_role( 'customer' ) )
	echo "Yeap";
else
	echo "Nope";

// Using for the specific user.
$user_id = 23;

if ( is_user_role( 'customer', $user_id ) )
	echo "Yeap";
else
	echo "Nope";

#2 Second function

I wrote this function in the process of working on one of the projects, now I use it periodically:

## Checks if the specified role is in the roles of the current (or specified) user
## $roles string/array - name of the role to check the user against
function is_user_role_in( $roles, $user = false ){
	if( ! $user )           $user = wp_get_current_user();
	if( is_numeric($user) ) $user = get_userdata( $user );

	if( empty($user->ID) )
		return false;

	foreach( (array) $roles as $role )
		if( isset($user->caps[ $role ]) || in_array($role, $user->roles) )
			return true;

	return false;
}

// Examples of usage
if( is_user_role_in(['new_role','new_role2']) )
	echo 'The current user has role "new_role" or "new_role2"';

if( is_user_role_in(['new_role','new_role2'], 5) )
	echo 'User 5 has role "new_role" or "new_role2"';

Notes

See: WP_User::has_cap()
See: map_meta_cap()

Changelog

Since 2.0.0

Introduced.

Code of current user can: `wp-includes/capabilities.php` ^{WP 5.2.2}

<?php
function current_user_can( $capability ) {
	$current_user = wp_get_current_user();

	if ( empty( $current_user ) ) {
		return false;
	}

	$args = array_slice( func_get_args(), 1 );
	$args = array_merge( array( $capability ), $args );

	return call_user_func_array( array( $current_user, 'has_cap' ), $args );
}

Related Functions

From tag: Roles capabilities

More from tag: Users (_user)

vladlu 100 — vlad.lu

Editors: kama 100