WordPress 2.0 transitioned from a simple (but rather cryptic) user level system to a roles/capabilities model. In this new model, capabilities are granted to roles, and users are members of roles. Additionally, capabilities can be granted directly to a user. It’s extendable, flexible, and customizable.
There’s one problem, plugin authors who were used to restricting administration of their plugin to users of levels 8 and 9 have no idea what to do now that roles and capabilities are being used.
Some people are tempted to add their own special capability to the “administrator” role. This is a mistake! The “Administrator” role, while created by default, is not special. It is no different than any other role. You cannot assume that it even exists, or, if it does, that users with that role are the highest “level” of user. The names of the roles are meaningless. What matters is their capabilities… what they are allowed to do.
Other people might use the capability, but not add it to any existing users or roles (there is not yet a way of “registering” new capabilities). Unfortunately (in my mind), role management is not yet built in to WordPress, so for users to give that capability to their users, they’ll have to use a third party plugin. Only one exists that I know of, and it is not yet feature complete… using one particular unfinished feature can screw up your install pretty badly.
So right now, the best option is to tie your plugin to an existing capability. How you do this will depend on the plugin… obviously something related to posting could be tied to the edit_posts capability. But most authentication is used for the options page. The capability that you want to use is called manage_options. This is the closest thing to the old method of using level 8 as the minimum level. Basically, if someone can manage_options, they’re in control of the blog.
My advice on this might change eventually as role management plugins improve and an easy way of registering new capabilities is added to WordPress, but for the time being, this is the way to go.
<?php if ( current_user_can('manage_options') ) { do_something(); } ?>
Mark on WordPress 
I came across this when looking at the
current_userglobal variable. I have tried to document the current_user_can function.niiiice. thanks for this. I was having trouble disallowing users from adding pages with Role Manager. I used this little snippet to hide the menu option. pretty hacky on my part but I’m no pro.
Thanks for the idea. I have roles that should only be able to view specific pages and this idea definitely helps me.
Thanks again.
Thanks Mark, this helps somewhat, but how do you find out the capabilities of *other* users, not just the current user? For example, if I wanted to list all users who had the ‘publish posts’ capability, the current_user_can function doesn’t help me.
Well I’ve come up with something that serves my needs, though I’d still like to know if there’s a better way:
$user = get_userdata($user_id);
if($user->user_level) {
echo $user->user_login;
}
That echos everybody except “subscribers”.
Nice
Just want to thank u for the tip – it also work in wordpress 2.3
Hi Mark, many thanks for this. Very useful.
I have just implemented that on my website for disabling google analytics. As I seem to surf my pages quite often :), that distorts the direct traffic stats.
google analytics code goes here
THanks for the tip, I’ll try it on WPMU and report back, looks like it should work ok.
really helpful, was looking a way to hide the ads to be shown when i visit the site myself 🙂
hi, in this page (http://codex.wordpress.org/Editing_wp-config.php#Save_queries_for_analysis) I found this sample:
if (current_user_can(‘administrator’)){
…
}
Excellent post, was looking for a better way than checking userlevels in WordPress. This was the first page I checked out. Seems to work well.
Thanks!
Thanks for this Mark. I keep using this as a reference. Any chance there will be an update in a future version with a function like is_user_role(‘admistrator’) or something of the like? Thx!
Never too late for: Thank you, sir!
I’m using the following code to check if the current user should be allowed to see my plugin admin page. It seems to work fine until I try to access a page with a variable in the URL ( admin.php?page=manage-links?link_id=$link_id ), then it kicks the “You do not have…” message. Can you tell me why? By the way, this is my first WP plugin, so please be gentle!
if (!current_user_can(‘manage_options’)) {
wp_die( __(‘You do not have sufficient permissions to access this page.’) );
}
Mary B.
Never mind, it seems I’ve been looking at code too long today. I found my basic syntax error in the URL.
Could I just add a note here? I agree that
manage_optionsis a good choice for checking for admins. Some plugin authors useedit_plugins, which will have the same effect in most instances. However, if, like me, you set theDISALLOW_FILE_EDITconstant in wp-config.php (to globally disable theme and plugin editing), that capability gets ditched, and suddenly you can’t access some plugin settings.I think sometimes it’s not as simple as people making a bad arbitrary choice of an “admin” capability. Maybe there’s a misunderstanding that
edit_pluginsis seen as referring to “changing stuff to do with a plugin”, e.g. editing their settings – when actually it refers to editing the plugin PHP files via the admin UI. Hopefully plugin authors can switch tomanage_options!How could I let user access a page only if he has author privilege?
I am looking to build a page for front-end publishing to be accessible to anyone login with the privilege of author.
Thanks for helping.