current_user_can() WP 2.0.0

Whether the current user has a specific capability.

This function should be used after the plugins_loaded action. By default, WordPress sets up the current user on the init hook.

Use user_can() to check the capabilities of the specified user.

Is the basis for: get_edit_post_link()
Works based on: WP_User::has_cap()
✈ 1 time = 0.00088s = slow | 50000 times = 0.86s = very fast | PHP 7.1.11, WP 4.9.5

No Hooks.

Return

true/false. Whether the current user has the given capability. If $capability is a meta cap and $object_id is passed, whether the current user has the given meta capability for the given object.

Usage

current_user_can( $capability );
$capability(string) (required)
Capability name. See here for the list of roles and capabilities.
$object_id(int) (required)

ID of the specific object to check against if $capability is a "meta" cap.

"Meta" capabilities, e.g. 'edit_post', 'edit_user', etc., are capabilities used by map_meta_cap() to map to other "primitive" capabilities, e.g. 'edit_posts', 'edit_others_posts', etc. Accessed via func_get_args() and passed to WP_User::has_cap(), then map_meta_cap().

Basic capabilities

| Capability | Super Admin | Admin | Editor | Author | Contributor | Subscriber |
|---|---|---|---|---|---|---|
| setup_network (WP 4.8) | yes | | | | | |
| upgrade_network (WP 4.8) | yes | | | | | |
| manage_network | yes | | | | | |
| manage_sites | yes | | | | | |
| manage_network_users | yes | | | | | |
| manage_network_plugins | yes | | | | | |
| manage_network_themes | yes | | | | | |
| manage_network_options | yes | | | | | |
| activate_plugins | yes | yes (single site or enabled by network setting) | | | | |
| deactivate_plugins (WP 4.9) | yes | yes | | | | |
| create_users | yes | yes (single site) | | | | |
| delete_plugins | yes | yes (single site) | | | | |
| delete_themes | yes | yes (single site) | | | | |
| delete_users | yes | yes (single site) | | | | |
| edit_files | yes | yes (single site) | | | | |
| edit_plugins | yes | yes (single site) | | | | |
| edit_theme_options | yes | yes | | | | |
| edit_themes | yes | yes (single site) | | | | |
| edit_users | yes | yes (single site) | | | | |
| export | yes | yes | | | | |
| import | yes | yes | | | | |
| install_plugins | yes | yes (single site) | | | | |
| install_themes | yes | yes (single site) | | | | |
| install_languages (WP 4.9) | yes | yes (single site) | | | | |
| update_languages (WP 4.9) | yes | yes (single site) | | | | |
| list_users | yes | yes | | | | |
| manage_options | yes | yes | | | | |
| promote_users | yes | yes | | | | |
| remove_users | yes | yes | | | | |
| switch_themes | yes | yes | | | | |
| update_core | yes | yes (single site) | | | | |
| update_plugins | yes | yes (single site) | | | | |
| update_themes | yes | yes (single site) | | | | |
| edit_dashboard | yes | yes | | | | |
| unfiltered_html | yes | yes (single site) | yes (single site) | | | |
| moderate_comments | yes | yes | yes | | | |
| manage_categories | yes | yes | yes | | | |
| manage_links | yes | yes | yes | | | |
| edit_others_posts | yes | yes | yes | | | |
| edit_pages | yes | yes | yes | | | |
| edit_others_pages | yes | yes | yes | | | |
| edit_published_pages | yes | yes | yes | | | |
| publish_pages | yes | yes | yes | | | |
| delete_pages | yes | yes | yes | | | |
| delete_others_pages | yes | yes | yes | | | |
| delete_published_pages | yes | yes | yes | | | |
| delete_others_posts | yes | yes | yes | | | |
| delete_private_posts | yes | yes | yes | | | |
| edit_private_posts | yes | yes | yes | | | |
| read_private_posts | yes | yes | yes | | | |
| delete_private_pages | yes | yes | yes | | | |
| edit_private_pages | yes | yes | yes | | | |
| read_private_pages | yes | yes | yes | | | |
| edit_published_posts | yes | yes | yes | yes | | |
| upload_files | yes | yes | yes | yes | | |
| publish_posts | yes | yes | yes | yes | | |
| delete_published_posts | yes | yes | yes | yes | | |
| edit_posts | yes | yes | yes | yes | yes | |
| delete_posts | yes | yes | yes | yes | yes | |
| read | yes | yes | yes | yes | yes | yes |

More details here

Meta capabilities

The capabilities listed above are primitive capabilities. There are also meta capabilities, which take additional parameters. For example, edit_post (the capability to edit the specified post) needs the ID of the post:

if( current_user_can('edit_post', 123) ) {
	echo 'Current user can edit post 123';
}

The list of meta-capabilities:

delete_user
edit_user
remove_user
promote_user
delete_post
delete_page
edit_post
edit_page
edit_comment
read_post
read_page

edit_term                   — WP 4.7.
delete_term                 — WP 4.7 —
assign_term                 — WP 4.7 —
activate_plugin             — WP 4.9 — current_user_can( 'activate_plugin', 'my-plugin/my-plugin.php' )
deactivate_plugin           — WP 4.9 — current_user_can( 'deactivate_plugin', 'my-plugin/my-plugin.php' )

export_others_personal_data — WP 4.9.6 — is_multisite() ? 'manage_network' : 'manage_options'
erase_others_personal_data  — WP 4.9.6 — is_multisite() ? 'manage_network' : 'manage_options'
manage_privacy_options      — WP 4.9.6 — is_multisite() ? 'manage_network' : 'manage_options'

Learn more about meta-capabilities here: map_meta_cap()
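Why the object ID matters in a request handler, as an added example that is not part of the original page: the first function checks only the primitive capability edit_posts, which the table above grants to every Contributor, so it passes for any post ID; the second checks the meta capability against the post being changed. The action name myplugin_save_note, the nonce field nonce and the meta key _myplugin_note are hypothetical.

```php
<?php
// Added example. Hypothetical names: myplugin_save_note, 'nonce', '_myplugin_note'.

/**
 * Weak version (left unregistered on purpose): the primitive capability says
 * nothing about WHICH post is being changed, so a Contributor passes this
 * check for posts owned by other users.
 */
function myplugin_save_note_weak() {
	check_ajax_referer( 'myplugin_save_note', 'nonce' );
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$post_id = absint( $_POST['post_id'] ?? 0 );
	$note    = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
	update_post_meta( $post_id, '_myplugin_note', $note );
	wp_send_json_success();
}

/**
 * Hardened version: the meta capability is checked against the object itself.
 * map_meta_cap() resolves 'edit_post' to edit_posts, edit_others_posts,
 * edit_published_posts, etc. depending on the post's author and status.
 */
function myplugin_save_note() {
	// The nonce proves intent (CSRF protection); it is not an authorization check.
	check_ajax_referer( 'myplugin_save_note', 'nonce' );

	$post_id = absint( $_POST['post_id'] ?? 0 );
	if ( ! $post_id || ! get_post( $post_id ) ) {
		wp_send_json_error( 'not found', 404 );
	}
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
	update_post_meta( $post_id, '_myplugin_note', $note );
	wp_send_json_success( array( 'post_id' => $post_id ) );
}
// wp_ajax_* fires for logged-in users only, after the current user is set up.
add_action( 'wp_ajax_myplugin_save_note', 'myplugin_save_note' );
```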

Examples

#1 Whether a user is an administrator

if( current_user_can('manage_options') ){
	echo "The user can manage options!";
}

#2 Use user_can() to check the capabilities of the current user

// Get the current user object, then check the capability by user ID
$user = wp_get_current_user();
if( user_can($user->ID, 'manage_options') ){
	// do something
}

manage_options is an administrator's capability.

#3 Using $object_id

if( current_user_can('edit_post', 123) ) {
	echo 'Current user can edit post 123';
}

#4 Check the capability for specific taxonomy item

Since WP 4.7, you can check the capabilities for specific terms using edit_term, delete_term and assign_term.

This example displays a link for editing a term only if the user has the capability to edit that term:

if( current_user_can('edit_term', $term_id) ){
	// Escape the URL before printing it into the href attribute
	echo '<a href="'. esc_url( get_edit_term_link( $term_id ) ) .'">Edit.</a>';
}

Verify the role of the current user

Don't pass the name of the role to this function because the verification may work incorrectly. An example of how not to do it:

// if the current user is editor, the function returns:
current_user_can('administrator'); // false
current_user_can('editor');        // true
current_user_can('contributor');   // false
current_user_can('subscriber');    // false

Instead, you can use:

#1 First function

/**
 * Checks the role of a specific user.
 *
 * @param string   $role    Name of the role.
 * @param int|null $user_id (optional) User ID to check the role against. Default: current user.
 * @return bool
 */
function is_user_role( $role, $user_id = null ) {
	$user = is_numeric( $user_id ) ? get_userdata( $user_id ) : wp_get_current_user();

	if( ! $user )
		return false;

	// Strict comparison: role names are strings
	return in_array( $role, (array) $user->roles, true );
}

// Using for the current user
if( is_user_role( 'customer' ) )
	echo "Yeap";
else
	echo "Nope";

// Using for the specific user.
$user_id = 23;

if ( is_user_role( 'customer', $user_id ) )
	echo "Yeap";
else
	echo "Nope";

#2 Second function

I wrote this function in the process of working on one of the projects; now I use it periodically:

## Checks if the specified role is in the roles of the current (or specified) user
## $roles string/array - name of the role to check the user against
function is_user_role_in( $roles, $user = false ){
	if( ! $user )           $user = wp_get_current_user();
	if( is_numeric($user) ) $user = get_userdata( $user );

	if( empty($user->ID) )
		return false;

	foreach( (array) $roles as $role )
		if( isset($user->caps[ $role ]) || in_array($role, $user->roles) )
			return true;

	return false;
}

// Examples of usage
if( is_user_role_in(['new_role','new_role2']) )
	echo 'The current user has role "new_role" or "new_role2"';

if( is_user_role_in(['new_role','new_role2'], 5) )
	echo 'User 5 has role "new_role" or "new_role2"';

Code of current_user_can(): wp-includes/capabilities.php, WP 5.1.1

<?php
function current_user_can( $capability ) {
	$current_user = wp_get_current_user();

	if ( empty( $current_user ) ) {
		return false;
	}

	$args = array_slice( func_get_args(), 1 );
	$args = array_merge( array( $capability ), $args );

	return call_user_func_array( array( $current_user, 'has_cap' ), $args );
}
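
The call chain in the source above (current_user_can() passes its arguments to WP_User::has_cap(), which calls map_meta_cap()) is what lets a plugin define its own meta capability. This is an added example, not code from WordPress core or from the original page; the capability name myplugin_edit_note and the callback name are hypothetical.

```php
<?php
// Added example. Hypothetical names: myplugin_edit_note, myplugin_map_note_cap().

/**
 * Map the custom meta capability 'myplugin_edit_note' to primitive capabilities.
 *
 * @param string[] $caps    Primitive capabilities required so far.
 * @param string   $cap     Capability passed to current_user_can().
 * @param int      $user_id ID of the user being checked.
 * @param array    $args    Extra arguments; $args[0] is the object ID.
 * @return string[] Primitive capabilities the user must ALL have.
 */
function myplugin_map_note_cap( $caps, $cap, $user_id, $args ) {
	if ( 'myplugin_edit_note' !== $cap ) {
		return $caps; // Not ours: leave other capabilities untouched.
	}

	// Fail closed: no object ID or unknown post means nobody is allowed.
	$post = isset( $args[0] ) ? get_post( (int) $args[0] ) : null;
	if ( ! $post ) {
		return array( 'do_not_allow' );
	}

	// Owners need edit_posts; everyone else needs edit_others_posts
	// (Editor and above in the default role table).
	if ( (int) $post->post_author === (int) $user_id ) {
		return array( 'edit_posts' );
	}
	return array( 'edit_others_posts' );
}
add_filter( 'map_meta_cap', 'myplugin_map_note_cap', 10, 4 );

// Call site: the object ID travels through func_get_args() into $args[0].
// if ( current_user_can( 'myplugin_edit_note', $post_id ) ) { ... }
```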
