The capabilities concept is the most important part of WordPress access management, as it literally defines what a user is authorized to do. The official WordPress documentation describes a capability as the permission to perform one or more types of tasks.
A list of all standard capabilities in the WordPress core can be found in the Roles and Capabilities article.
Every authenticated user should have at least one capability, either directly assigned or inherited from a parent role; otherwise the user will not be able to perform any restricted tasks within the website.
While most capabilities are self-explanatory based on their names (edit_posts, manage_options, remove_users, etc.), there is still a lot of confusion about what they are actually responsible for, and why a user who has a certain capability assigned is still not allowed to perform the anticipated task.
There is no single good answer to this question, as a lot of core WordPress capabilities have exceptions. For example, when the website is a multisite setup and the user is not a super admin, then even if the create_users capability is granted, the user still will not be able to create a new user; or the manage_links capability will be ignored if the link_manager_enabled option is turned off.
Based on WordPress version 4.9, there are at least 65 such exceptions defined in the core, so do not hesitate to contact us if you have difficulties with managing capabilities.
All role-based capabilities are stored in the wp_options table under the option name wp_user_roles, while user-based capabilities are stored in the wp_usermeta table under the meta key wp_capabilities, where the wp_ prefix may vary based on the value of the global $table_prefix variable defined in the wp-config.php file.
The list of capabilities is an associative array where the element key is the capability itself and the element value is the rule that defines whether the capability is granted or denied (1 means the capability is granted, 0 means it is denied).
WordPress has the core current_user_can function that is used to check whether the currently logged in user has a certain capability; however, the function triggers quite complex logic that in some cases may return an unexpected result.
Some capabilities have exceptions that are programmatically defined in the map_meta_cap function. Additionally, any third-party solution can hook into the process with the user_has_cap filter and overwrite the outcome.
A capability is considered granted if the rule contains a non-empty value.
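The following is an added example (not AAM or WordPress core code) that combines constructed wp_user_roles and wp_capabilities arrays the way WP_User does and evaluates them with the same not-empty rule; it also shows the consequence of that rule: a value such as the string 'no' is a grant, because PHP only treats 0, '0', '', false, null and an empty array as empty.

```php
<?php
// Added example, not AAM or WordPress core code. Sample arrays are constructed.

// What unserialize() of the wp_user_roles option yields (constructed, trimmed).
$wp_user_roles = [
    'editor' => [
        'name'         => 'Editor',
        'capabilities' => [
            'edit_posts'     => 1,    // granted
            'manage_options' => 0,    // denied
        ],
    ],
];

// What unserialize() of one user's wp_capabilities meta yields (constructed).
// Role names and directly assigned capabilities live in the same array.
$wp_capabilities = [
    'editor'         => 1,    // role membership
    'manage_options' => 1,    // user-level grant on top of the role
    'edit_posts'     => 0,    // user-level deny overrides the role grant
    'publish_posts'  => 'no', // looks like a deny, but a non-empty string is a grant
];

// Build the effective capability list the way WP_User::get_role_caps() does:
// each role's capabilities first, then the user's own entries merged on top.
function effective_caps(array $roles, array $user_caps): array
{
    $allcaps = [];
    foreach (array_keys($user_caps) as $key) {
        if (isset($roles[$key])) {
            $allcaps = array_merge($allcaps, $roles[$key]['capabilities']);
        }
    }
    return array_merge($allcaps, $user_caps);
}

// Evaluate one capability like WP_User::has_cap(): a missing key or an
// empty() value denies, anything else grants.
function is_granted(array $allcaps, string $cap): bool
{
    return !empty($allcaps[$cap]);
}

$allcaps = effective_caps($wp_user_roles, $wp_capabilities);
foreach (['edit_posts', 'manage_options', 'publish_posts', 'delete_users'] as $cap) {
    printf("%-15s => %s\n", $cap, is_granted($allcaps, $cap) ? 'granted' : 'denied');
}
```

When auditing stored capabilities, treat any value other than a strict 0 or false as a grant, whatever it looks like.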
= How does a capability actually work? =
A capability by itself is useless unless it is referenced in the code. Technically this means that for a capability to work, somewhere in the code there has to be a programmatic check of whether the authenticated user has that specific capability or not. It is up to the developer to define which part of the website is protected by which capability.
Not everything in WordPress has an associated capability. For example, you will not find a capability that is responsible for showing or hiding the post search above the backend list of posts, or even a capability that restricts access to the backend.
To learn how to restrict access to the entire backend area for authenticated users, check the How to lockdown WordPress backend article.
Fortunately, a lot of customization can be accomplished with native WordPress hooks, but this requires custom development. For more information about WordPress hooks, check the What is the WordPress hook article.
= Can I create a custom capability? =
Various plugins or themes add custom capabilities to the WordPress core either by storing them in the database or by registering them dynamically during website load. It is hard to say which way is correct; however, it is much harder to manage access to a website with dynamically added capabilities, because only the particular plugin or theme knows about them and controls when they are registered.
Dynamically added capabilities are typically registered on the init hook by modifying the public allcaps property of the WP_User object returned by wp_get_current_user().
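As an added example (not AAM's or WordPress core's code), the hypothetical capability view_audit_log and its audit-log page below show both points of this section: the capability only protects the page because the code checks it, and a plugin can supply it dynamically, either through the user_has_cap filter mentioned earlier or by mutating allcaps on init as described above, without ever writing it to wp_user_roles.

```php
<?php
// Added example, not AAM or WordPress core code. The capability name
// view_audit_log and the audit-log page are hypothetical.

// A capability only protects something where code checks it. WordPress checks
// the capability passed to add_menu_page() before showing the menu and the
// page, and the render callback re-checks it (never rely on the menu alone).
add_action('admin_menu', function () {
    add_menu_page('Audit log', 'Audit log', 'view_audit_log', 'audit-log', 'render_audit_log_page');
});

function render_audit_log_page()
{
    if (!current_user_can('view_audit_log')) {
        wp_die(__('Sorry, you are not allowed to access this page.'));
    }
    echo '<div class="wrap"><h1>Audit log</h1></div>';
}

// Dynamic registration, variant A: the user_has_cap filter. It runs inside every
// WP_User::has_cap() call (current_user_can(), user_can(), ...), so it applies
// to any user object. Nothing is written to wp_user_roles or wp_capabilities,
// which is why such capabilities never show up when you inspect the database.
add_filter('user_has_cap', function (array $allcaps, array $caps, array $args, WP_User $user) {
    if (in_array('view_audit_log', $caps, true) && !empty($allcaps['manage_options'])) {
        $allcaps['view_audit_log'] = true;
    }
    return $allcaps; // the returned array is what has_cap() evaluates with empty()
}, 10, 4);

// Variant B (the init-hook approach): mutate the current user's allcaps.
// Blind spot: only the global current-user object changes, so
// user_can($other_user_id, 'view_audit_log') never sees the grant, and on
// multisite switch_to_blog() reinitializes the current user's capabilities,
// discarding it.
add_action('init', function () {
    $user = wp_get_current_user();
    if ($user->exists() && !empty($user->allcaps['manage_options'])) {
        $user->allcaps['view_audit_log'] = true;
    }
});
```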
With the AAM plugin you have all the necessary tools to manage access to your website's capabilities for roles or even individual users. For more information about this, please refer to the How to manage WordPress capabilities article.
AAM supports several custom capabilities that you can create at any time on the Capabilities tab:
- show_screen_options show or hide the Screen Options button in the top right corner of the backend pages;
- show_help_tabs show or hide the Help button in the top right corner of the backend pages;
- show_admin_bar show or hide the admin bar on the frontend for authenticated users;
- access_dashboard allow or deny access to the website backend;
- show_admin_notices show or hide all admin notifications.
Additionally, there are a few more custom capabilities that are available with the Plus Package extension and are related to backend comment management:
- moderate_comments allow or deny the user to moderate comments;
- delete_comment allow or deny the user to delete comments;
- approve_comment allow or deny the user to approve pending comments;
- edit_comment allow or deny the user to edit a single comment;
- spam_comment allow or deny the user to mark a comment as spam;
- reply_comment allow or deny the user to reply to a comment;
- trash_comment allow or deny the user to trash a comment;
- unapprove_comment allow or deny the user to revert comment approval;
- untrash_comment allow or deny the user to restore a comment from the trash;
- unspam_comment allow or deny the user to revert a comment accidentally marked as spam.