WordPress - User Capabilities Tables

WordPress provides Roles and Capabilities that are used to control access and abilities on a group or per-user basis.

A comboBox on the edit user page allows each user to be assigned to a single, pre-defined role. However, tools (web pages) to develop custom roles or to assign specific capabilities to a single user are not provided.
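The same operations can be done from plugin code. The following is an added example, not code from the original page or from WordPress itself: a hypothetical plugin that defines a custom role, grants one capability to a single user, and lists which roles hold each capability on the live install. The `capaudit_` function names, the `profile_only` role slug and the `capability-audit` page slug are assumptions made for illustration.

```php
<?php
/*
Plugin Name: Capability Audit (added example, hypothetical plugin)
*/

// Create a custom role once, on activation. 'profile_only' is a made-up slug.
function capaudit_activate() {
    if ( null === get_role( 'profile_only' ) ) {
        add_role( 'profile_only', 'Profile Only', array( 'read' => true ) );
    }
}
register_activation_hook( __FILE__, 'capaudit_activate' );

// Grant one capability to one user without changing that user's role.
function capaudit_grant( $user_id, $cap ) {
    $user = new WP_User( $user_id );
    $user->add_cap( $cap ); // stored with that user's own capabilities
}

// Build capability => list of role slugs that grant it, from the live install.
function capaudit_matrix() {
    global $wp_roles; // WP_Roles instance set up by WordPress
    $matrix = array();
    foreach ( $wp_roles->roles as $slug => $role ) {
        foreach ( $role['capabilities'] as $cap => $granted ) {
            if ( $granted ) {
                $matrix[ $cap ][] = $slug;
            }
        }
    }
    ksort( $matrix );
    return $matrix;
}

// Report page body: one row per capability, with the roles that hold it.
function capaudit_page() {
    echo '<div class="wrap"><h2>Capabilities by role</h2><table class="widefat">';
    foreach ( capaudit_matrix() as $cap => $roles ) {
        echo '<tr><td>' . esc_html( $cap ) . '</td><td>'
            . esc_html( implode( ', ', $roles ) ) . '</td></tr>';
    }
    echo '</table></div>';
}

// Register the report under Tools, gated on manage_options rather than read.
function capaudit_menu() {
    add_management_page( 'Capability Audit', 'Capability Audit',
        'manage_options', 'capability-audit', 'capaudit_page' );
}
add_action( 'admin_menu', 'capaudit_menu' );
```

The row for `read` in the report shows every role that holds the capability discussed under Design Problems.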

Design Problems

The following sections simply present the data without comment. However, in WordPress 2.8, there appear to be 2 serious implementation errors that open the system to possible problems.

Specifically, the read capability is required for users to edit their profiles and to control whether the admin menu is displayed as icons (which frequently fails to work correctly) or as words. Unfortunately, this capability also allows any logged-in user to access the Dashboard (which has its own capability) and to update the software (a major security problem).

Admin Menus

The admin menus displayed depend on the user's capabilities. In general, these make sense. However, in the case of read, there is a major design error. Users are not able to edit their own profiles (including changing passwords) unless they also have the ability to destroy the system configuration via the Tools menu option. Either Users or Profile will be displayed, but not both.

Capabilities and Roles (Sorted by Type)

Capabilities and Roles (Sorted by Version)

Author: Robert Clemenzi
URL: http://mc-computing.com/ISPs/WordPress/User_Capabilities_Tables.html