Roles and Capabilities

wordpress.org.cn

Description

WordPress uses a concept of Roles, designed to give the blog owner the ability to control and assign what users can and cannot do in the blog. A blog owner can manage and allow access to such functions as writing and editing posts, creating Pages, defining links, creating categories, moderating comments, managing plugins, managing themes, and managing other users. The tool that gives the blog owner this control is the ability to assign a Role to a user.

WordPress has five pre-defined Roles: Administrator, Editor, Author, Contributor and Subscriber. Each Role is allowed to perform a set of tasks called Capabilities. There are many Capabilities including publish_posts, moderate_comments, and edit_users. The default Capabilities are pre-assigned to each Role.

The Administrator Role is allowed to perform all possible Capabilities. Each of the other Roles has a decreasing number of allowed Capabilities. For instance, the Subscriber Role has just the read Capability. One particular Role should not be considered to be senior to another Role. Rather, consider that Roles define the user's responsibilities within the blog.

The WordPress Plugin API allows Roles and Capabilities to be added, removed and changed. Since Plugins might change Roles and Capabilities, just the default ones are addressed in this article.

Summary of Roles

• Administrator - Somebody who has access to all the administration features
• Editor - Somebody who can publish and manage posts and pages as well as manage other users' posts, etc.
• Author - Somebody who can publish and manage their own posts
• Contributor - Somebody who can write and manage their posts but not publish them
• Subscriber - Somebody who can only manage their profile

Upon installing WordPress, an Administrator account with all Capabilities is automatically created.

The default role for new users can be set from the Settings General SubPanel.

Roles

A Role defines the set of tasks a user is allowed to perform. For instance, the role of Administrator encompasses every possible task that can be performed within a WordPress blog. On the other hand, the Author role allows the execution of just a small subset of tasks.

The following sections list the default Roles and their Capabilities:

New with 3.0

These need to be researched and added to the appropriate section, and the documentation updated to incorporate Multisite, and super admin.

• update_core
• list_users
• remove_users
• add_users
• promote_users
• delete_themes
• export

Administrator

• activate_plugins
• create_users
• delete_others_pages
• delete_others_posts
• delete_pages
• delete_plugins
• delete_posts
• delete_private_pages
• delete_private_posts
• delete_published_pages
• delete_published_posts
• delete_users
• edit_dashboard
• edit_files
• edit_others_pages
• edit_others_posts
• edit_pages
• edit_plugins
• edit_posts
• edit_private_pages
• edit_private_posts
• edit_published_pages
• edit_published_posts
• edit_themes
• edit_theme_options
• edit_users
• import
• install_plugins
• install_themes
• manage_categories
• manage_links
• manage_options
• moderate_comments
• publish_pages
• publish_posts
• read
• read_private_pages
• read_private_posts
• switch_themes
• unfiltered_html
• unfiltered_upload
• update_plugins
• update_themes
• upload_files

Editor

• delete_others_pages
• delete_others_posts
• delete_pages
• delete_posts
• delete_private_pages
• delete_private_posts
• delete_published_pages
• delete_published_posts
• edit_others_pages
• edit_others_posts
• edit_pages
• edit_posts
• edit_private_pages
• edit_private_posts
• edit_published_pages
• edit_published_posts
• manage_categories
• manage_links
• moderate_comments
• publish_pages
• publish_posts
• read
• read_private_pages
• read_private_posts
• unfiltered_html
• upload_files

Author

• delete_posts
• delete_published_posts
• edit_posts
• edit_published_posts
• publish_posts
• read
• upload_files

Contributor

• delete_posts
• edit_posts
• read

Subscriber

• read

Capability vs. Role Table

Capabilities

switch_themes

• Since 2.0
• Allows access to Administration Panel options:
  • Appearance
  • Appearance Themes

edit_themes

• Since 2.0
• Allows access to Appearance Theme Editor to edit theme files.

edit_theme_options

• Since 3.0
• Allows access to Administration Panel options:
  • Appearance Background
  • Appearance Header
  • Appearance Menus
  • Appearance Widgets
  • Also allows access to Theme Options pages if they are included in the Theme

install_themes

• Since 2.0
• Allows access to Administration Panel options:
  • Appearance Add New Themes

activate_plugins

• Since 2.0
• Allows access to Administration Panel options:
  • Plugins

edit_plugins

• Since 2.0
• Allows access to Administration Panel options:
  • Plugins Plugin Editor

install_plugins

• Since 2.0
• Allows access to Administration Panel options:
  • Plugins Add New

edit_users

• Since 2.0
• Allows access to Administration Panel options:
  • Users

edit_files

• Since 2.0
• Note: No longer used.

manage_options

• Since 2.0
• Allows access to Administration Panel options:
  • Settings General
  • Settings Writing
  • Settings Reading
  • Settings Discussion
  • Settings Permalinks
  • Settings Miscellaneous

moderate_comments

• Since 2.0
• Allows users to moderate comments from the Comments SubPanel (although a user needs the edit_posts Capability in order to access this)

manage_categories

• Since 2.0
• Allows access to Administration Panel options:
  • Posts Categories
  • Links Categories

manage_links

• Since 2.0
• Allows access to Administration Panel options:
  • Links
  • Links Add New

upload_files

• Since 2.0
• Allows access to Administration Panel options:
  • Media
  • Media Add New

import

• Since 2.0
• Allows access to Administration Panel options:
  • Tools Import
  • Tools Export

unfiltered_html

• Since 2.0
• Allows user to post HTML markup or even JavaScript code in pages, posts, and comments.
• Note: Enabling this option for untrusted users may result in their posting malicious or poorly formatted code.

edit_posts

• Since 2.0
• Allows access to Administration Panel options:
  • Posts
  • Posts Add New
  • Comments
  • Comments Awaiting Moderation

edit_others_posts

• Since 2.0
• Allows access to Administration Panel options:
  • Manage Comments (Lets user delete and edit every comment, see edit_posts above)
• user can edit other users' posts through function get_others_drafts()
• user can see other users' images in inline-uploading [no? see inline-uploading.php]
• See Exceptions

edit_published_posts

• Since 2.0
• User can edit their published posts. This capability is off by default.
• The core checks the capability edit_posts, but on demand this check is changed to edit_published_posts.
• If you don't want a user to be able edit his published posts, remove this capability. (see also this comment on the Role Manager Plugin Homepage).

publish_posts

• Since 2.0
• See and use the publish button when editing their post (otherwise they can only save drafts)
• Can use XML-RPC to publish (otherwise they get a Sorry, you can not post on this weblog or category.)

edit_pages

• Since 2.0
• Allows access to Administration Panel options:
  • Pages
  • Pages Add New

read

• Since 2.0
• Allows access to Administration Panel options:
  • Dashboard
  • Users Your Profile
• Used nowhere in the core code except the menu.php

edit_others_pages

• Since 2.1

edit_published_pages

• Since 2.1

edit_published_pages

• Since 2.1

delete_pages

• Since 2.1

delete_others_pages

• Since 2.1

delete_published_pages

• Since 2.1

delete_posts

• Since 2.1

delete_others_posts

• Since 2.1

delete_published_posts

• Since 2.1

delete_private_posts

• Since 2.1

edit_private_posts

• Since 2.1

read_private_posts

• Since 2.1

delete_private_pages

• Since 2.1

edit_private_pages

• Since 2.1

read_private_pages

• Since 2.1

delete_users

• Since 2.1

create_users

• Since 2.1

unfiltered_upload

• Since 2.3

edit_dashboard

• Since 2.5

update_plugins

• Since 2.6

delete_plugins

• Since 2.6

update_core

• Since 3.0

list_users

• Since 3.0

remove_users

• Since 3.0

add_users

• Since 3.0

promote_users

• Since 3.0

delete_themes

• Since 3.0

export

• Since 3.0

User Levels

Prior to version 2.0, WordPress used a user level system. This was replaced in version 2.0 with the much improved and more extensible Roles and Capabilities system you see today. To maintain backwards compatibility with plugins that still use the user levels system (although this is very much discouraged), the default Roles in WordPress also include Capabilities that correspond to these levels. User Levels were finaly deprecated in version 3.0.

User Level to Role Conversion

• User Level 0 converts to Subscriber
• User Level 1 converts to Contributor
• User Level 2 converts to Author
• User Level 3 converts to Author
• User Level 4 converts to Author
• User Level 5 converts to Editor
• User Level 6 converts to Editor
• User Level 7 converts to Editor
• User Level 8 converts to Administrator
• User Level 9 converts to Administrator
• User Level 10 converts to Administrator

Resources

• Members Plugin
• Role Scoper Plugin
• Capability Manager Plugin
• User Access Manager
• Ryan Boren's What's New in 2.0: Roles and Capabilities
• Hackers email list Original User Capability discussion
• Ultimate Guide to Roles and Capabilities in WordPress Plugins and Themes