TL;DR
- Roles vs. Capabilities
- Creating Custom Roles
- Frequently Asked Questions
Roles vs. Capabilities
In WordPress, a **Role** is simply a name assigned to a collection of **Capabilities**. For example, the 'Editor' role is bestowed with capabilities like edit_others_posts and manage_categories. As a developer, you should always check for capabilities, not roles.
// DON'T check roles
if ( current_user_can('editor') ) { ... }
// DO check capabilities
if ( current_user_can('edit_others_posts') ) { ... }Creating Custom Roles
Need a 'Client' role that can only view private posts? You can easily create it using the add_role() function.
Quick Tip: Use the User Role Creator to build the exact code needed for your custom roles and capabilities.
Frequently Asked Questions
What is the difference between a role and a capability?
A role is a group of capabilities assigned to a user (e.g., 'Editor'). A capability is a specific action a user is allowed to perform (e.g., 'edit_posts'). Roles are just containers for these individual permissions.
How do I add a new capability to an existing role?
You can use the `get_role()` and `add_cap()` functions in PHP. For example: `get_role('editor')->add_cap('manage_special_settings');`. This change is persistent and stored in the database.
Can I hide admin menu items based on roles?
Yes, you can use the `remove_menu_page()` function hooked into `admin_menu`. However, this only hides the UI; you should always use `current_user_can()` to enforce actual security checks in your code.
Key Takeaways
- Roles vs. Capabilities: Practical action you can apply now.
- Creating Custom Roles: Practical action you can apply now.
- Frequently Asked Questions: Practical action you can apply now.