I think that was said, as far as I understood, but yeah, this talk is going to be in English because I can't speak Dutch, unfortunately. So I'm going to speak today about capabilities in WordPress and how to use capabilities if you're writing a plugin or something like that.

Have you ever asked yourself, or have you ever had the point where, for example, you wanted a client to be able to do more, to basically have the editor role in WordPress and be able to manage and edit posts and that kind of stuff, but maybe you also want them to edit the menu and the widgets? But then you don't want to grant them all control over all parts of your website; like, you don't want them to manage the site options. Right now in WordPress there's no role for that. You have administrator and editor, but nothing in between. So that's where capabilities come into play, and this talk is going to show you how to tweak that, for example. Another example would be WooCommerce: maybe you want somebody to only be able to change the products but not the regular posts, something like that.

Some of this may be fairly complex, but also because I need to go through it rather quickly. So if at some point you get lost, sorry, but I will be here all day and will be happy to go through it in more detail later today. So let's start.

First of all, definitions. What are capabilities, actually? Capabilities in WordPress describe tasks that a user can or cannot perform. For example, edit_posts is a capability: can the user edit posts? Or can the user manage options in WordPress? Those are capabilities.
They're technically just strings that describe what a user can or cannot do.

And then roles. This should be fairly well known: roles are, for example, administrator, editor. Those are the roles, and those roles describe or define which capabilities a user has, because every role includes certain capabilities, and if a user has that role, that user also has all these capabilities.

So these are examples again for some WordPress capabilities: edit_posts, for example, or upload_files, which regulates access to the media library, then manage_categories, manage_options. Most of that is fairly self-explanatory. However, you can also have custom capabilities, and that's very important for plugins. So let's imagine we write a plugin that has tutorial functionality, and we call the plugin Capability Tutorials. These could be capabilities that this plugin could use, for example, to control access to managing the tutorials. When you see the ct in here, ct underscore, this is just because when you write a plugin, make sure to prefix everything so that it doesn't conflict with WordPress core or other plugins.

So why should you even worry about capabilities?
First of all, there's security, because you need to control access. You don't want to grant access to functionality to somebody who's not trusted enough, I guess, to do that. Then usability: if you give every user the administrator role, and there are many users that only need to edit posts, it's not very user-friendly for them to have 10 menu items when they only need two or something like that. So you can control that with capabilities as well. And then there's customizability, which is very important especially when you write a public plugin that you want to publish on WordPress.org, for example. In that case, you should handle capabilities in a way that other developers using your plugin for their custom setup or a client setup can tweak it.

So now, how are the capabilities and roles stored? Now we get into technical details. The available roles for a site, so administrator, editor and so on, are by default stored in the options database table as an array, and the capabilities that are part of each role are also part of that array. So this is basically a dump of all that data. Now you see here the subscriber role, for example: it only has the read capability, and the contributor role has two more capabilities, but it also has the read capability. So you may know in WordPress subscriber is basically the lowest role, and then comes contributor and so on, and administrator is the highest role. But technically roles in WordPress are not hierarchical. They're just implemented that way, because you could also have a role, theoretically: imagine contributor didn't have the read capability, and then it would mean they suddenly can do one thing that the subscriber can't do, but then the subscriber can also do something that they can do. So, just something to be aware of: capabilities and roles don't need to be hierarchical.

Then the actual
roles that a user has, those are stored in the user meta table for that specific user. They're stored as a serialized array as well. And in most of the cases it just looks like that. For example, if you're an editor, it would just have the editor role in there. But because this is an array, it's easily possible for WordPress to support multiple roles. It is just functionality that is not exposed via UIs, but there are plugins that easily allow you to add and have multiple roles per user. And another thing is you can even add raw capability strings in there, like you could have someone that is an editor but can also manage options when you just put manage_options in there. But this is a practice that's not recommended; again, just something to be aware of.

So, guidelines for plugin developers. For now, I'm not going to talk about roles anymore. What should only be important for you as a plugin developer is capabilities. Then, never add capabilities to the database unless you introduce an entirely new role. You usually don't need to introduce a role; that's mostly something that a custom setup should do. And again, use custom capabilities instead of existing core capabilities, because otherwise, if you only use core capabilities, it's not possible to control access to your own plugin's functionality. It would always also affect the same core area using those same capabilities.

So how do you actually do all these things? The most basic functionality here is the current_user_can() function, where you pass in the string, for example edit_posts or manage_options, and then you get a boolean back that says true or false: the user can or cannot perform that action. So you usually use these in if clauses. Then there's also the user_can() function.
It's a little less common, but it's essentially exactly the same, just for a specific user that may not be the current user. You rarely use that, because in most cases you just want to know for the current user, but sometimes it may be handy to have.

Then capabilities themselves: again, they're either handled by WordPress or, when they're custom, you have to handle them. And this is where it gets a little complex. There are two types of capabilities in WordPress: we have primitive capabilities and meta capabilities. Primitive capabilities are sort of the general capabilities, like the edit_posts capability. They usually consist of an action, like a verb, and a plural string. And they are granted via role from the database or via the user_has_cap filter; this filter I'll talk about in a bit.

And then we also have meta capabilities. Those are more specific capabilities that always receive another argument; they're specific to a certain item. As you can see in these examples here, they are the same capabilities as the primitive capabilities, but with singular strings at the end. So these capabilities basically check: can the user edit one specific post, or can the user activate one specific plugin? And meta capabilities are not stored anywhere, really. There has to be logic to map meta capabilities to the primitive capabilities which are required. For example, when you edit a post and you give the post ID, like here, WordPress will check: is this post written by someone else? In that case, you need to have the edit_others_posts capability. Is that post private? In that case,
you'd also need to have edit_private_posts as a primitive capability. And so basically all meta capabilities will be resolved to one or more primitive capabilities. activate_plugin is a much simpler example: this will always just be resolved to activate_plugins. No complexity there.

Then we have two special capabilities. There is the exist capability, which is... so both of these are some kind of hack, actually. If you do current_user_can('exist'), it will always return true, so there's no point in doing that. But these things are useful for mapping, because maybe you want a specific capability, probably something for custom setups, maybe you want a capability to be available to everyone, even a non-logged-in user, and then you could resolve the meta capability to the exist capability. Contrary, if there are capabilities that you want nobody to do, then you can resolve to do_not_allow. So a bad example would be to resolve the manage_options capability to exist, for example, because you don't want every user to be able to manage your options.

Again, naming conventions: like I already said, primitive capabilities should consist of a verb and a plural string, and meta capabilities similar, but with a singular string.

So how does this all work? What happens when you run current_user_can(), when you check for a capability? WordPress will first check: is this capability that is checked for a meta capability?
And if so, it will map it to its required primitive capabilities, sometimes also depending on the additional arguments you specify, like in that example where the post ID was passed. And there's a filter, map_meta_cap, executed that you can hook into as a plugin developer; more on that in a bit. Then WordPress runs logic to maybe alter the user's primitive capabilities from the database, because, again, I said before you should not store your own capabilities in the database. So this is where you can filter the capabilities the user has. And essentially after that, the user now has to have all primitive capabilities that the map_meta_cap process returned in order to proceed. So if you do edit_post, the meta capability, and the post is private and by someone else, you would need to have both the edit_private_posts and the edit_others_posts capability.

Now we get to actual code. So this plugin I talked about, it actually exists as a small demo, Capability Tutorials. It adds a very simple tutorial post type and a settings screen with some options to customize the behavior of the post type. So this is the settings screen. You see you can tweak the rewrite slug, so the slug that's in the URL for each tutorial, and then there are which features the post type should support. It's kind of not very user-friendly, but it's just a demo.

So again, checking for capabilities, you do that with current_user_can(). And if you now want to add a menu page, so add_menu_page() and add_submenu_page(), you may be familiar with these functions. You need those when you add any page to the WordPress admin. Those are examples that actually require you to specify a capability, like here.
I call it manage_ct_options. So that's the custom capability for this specific settings screen, and WordPress will internally then use current_user_can() to check that. You can furthermore also use custom capabilities when you register a post type. This would go beyond the scope of this talk, but the plugin that is linked here does that, and I added a lot of comments on how this works. So if you're interested, please have a look later.

But we continue for now with the settings page. So generally when you add fields to your settings page, you use the Settings API, using the add_settings_field() function. So this is a valid example. I don't say this is not bad, but you can do it better: you could add capability checks for each single option. And this essentially allows to tweak very granular access. You could say the user can access this option, but not the other two, or something like that. So we're here, and those are meta capabilities. So it's manage_ct_option, and then the slug of the respective option is always passed as argument. So when you have these things in place and you now go to your settings page, you just see this.

Well, of course, first you need to tell WordPress how to handle these capabilities, because you made checks, but you didn't actually implement how to handle them. For the primitive capabilities, so that would be manage_ct_options when registering the options page:
You can use the user_has_cap filter. And this passes as the first argument, that's the only one you need to actually worry about, all capabilities that the user has. So a very simple solution for your own plugin could be: if the user has the manage_options capability, simply also set the value for your own manage_ct_options capability to the same value. So basically grant manage_ct_options if the user has manage_options. Again, manage_options would be a core capability that's already part of WordPress.

So after you've done that, you can now access the options page, but it's empty. Why that? You still need to map the meta capabilities that were added for each individual field. And for that you can use the map_meta_cap filter. Here the most important argument is the second one, the cap. This is the actual meta capability that was checked for. And then if there are any particular arguments passed to the check, those can be retrieved with the args parameter. And then you have to resolve it. So a very simple solution here is: basically just check if it's a manage_ct_option meta capability and simply resolve it to manage_ct_options. And this will basically say every user can manage_ct_option by just having manage_ct_options.
This is a very simple resolution, and with just that it wouldn't even be needed, but because of customizability, I'll show you in a bit how that works, it's very useful to do that and to have that granular management of capabilities. So now you see all the settings, and that's all fine for now.

So what's the benefit of all that? Again: security, usability and customizability, and the key for customizability is to use capabilities as granularly as possible. So an example of that: imagine we have our tutorial post type, and the tutorial post type uses these capabilities, and we handle them with the user_has_cap filter. Again, in your plugin you should always use a very simple fallback solution, but then someone else using your plugin could unhook your own user_has_cap filter. So that would then mean that nobody has these capabilities. But then they could introduce a role that actually has these capabilities as primitive capabilities that are stored in the database. And for example, there are plugins that do that, like Yoast SEO as an SEO manager or WooCommerce as a shop vendor, or something like that. But generally this is mostly something that is relevant to either very large plugins or custom setups.

Another example: let's say, if you are in a multisite, we don't want anyone to edit the rewrite slug option from our small plugin except the super admin.
So that's the network administrator of the entire multisite. In that case, we could tweak the map_meta_cap check, and we could basically see: is the current capability checked the manage_ct_option capability? If so, we also check: is the passed argument the ct_rewrite_slug option? Because this was the option that we want to basically restrict. And in that case we also add manage_network_options as a required primitive capability. And only the network administrator has that capability. So now you can only do this if you have both the manage_ct_options and the manage_network_options capability. So at this point only the network administrator has access. And this would look like this: if you access the page now as a regular admin, you still see the other two options, but not this one. You would only see the rewrite slug if you access that screen as the network administrator.

So I hope this was not too heavy, but I'm happy to answer questions, and even afterwards I'm happy to chat about this. And please have a look at the plugin. And that's it from me for now.

Thank you, Felix. Well, like you said, are there any questions?

Let me just, before... I would just put on further slides. So this has some further resources; if you're interested, you can look at those links. I will also post the slides online later. But now, any questions?

Yeah, what is your most favorite plugin?
Yeah, the question is: what is your most favorite plugin for organizing roles and capabilities? So you gave a good talk on how you can do this while creating a plugin, while developing a plugin, but as a builder of websites, I'm interested in learning what could be a good plugin to manage roles and to check capabilities, because that's something where we struggle. It's the second bullet on this slide that gives a good comment, I think, because WordPress isn't very good at having these things, and this is a total mess for our customers. They are confronted with a lot of drag on the screen, a lot of things that they don't want to see. So I'm looking for a good tip on a plugin to organize that.

So yeah, the one problem is in fact that WordPress itself at some points doesn't use capabilities as granularly as it should. So there are tons of tickets to be worked on, but yeah, it's not there yet. So for example, it's very challenging to have someone not be able to switch themes but still be able to customize, or something like that. Yeah, that's a pain right now, I know that. Regarding plugins, I have to say I usually develop or implement that in custom ways, but I know there's one very particular plugin that you could probably find. So the problem is, what exactly do you want to accomplish, for example? So one thing that's very useful is to allow multiple roles, and there is certainly a plugin, which I right now don't know the name of, but when you look for a plugin for multiple roles, you basically find one that is state-of-the-art, basically. I will check with you later.

Yeah. Yeah, sure.

Any other questions? Seems like that is... Thank you. Yeah. Thank you. So applause, please.
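
The two filters walked through in the talk (user_has_cap for the primitive capability, map_meta_cap for the per-option meta capability with the multisite restriction), together with the per-field check on the settings screen, written out as an added example; it is not the speaker's slide code or the demo plugin's source. The capability and option names are spelled as inferred from the spoken wording, and the page slug, section id, second option and ct_* function names are hypothetical.

```php
<?php
// Added example, not the demo plugin's code. Capability and option names follow
// the talk's spoken wording; page slug, section id and ct_* function names are hypothetical.

// Primitive capability: grant manage_ct_options at runtime to whoever has core
// manage_options. Nothing is written to the roles stored in the database.
function ct_grant_primitive_caps( $allcaps ) {
	if ( isset( $allcaps['manage_options'] ) ) {
		$allcaps['manage_ct_options'] = $allcaps['manage_options'];
	}
	return $allcaps;
}
add_filter( 'user_has_cap', 'ct_grant_primitive_caps' );

// Meta capability: resolve manage_ct_option (plus option slug) to primitives.
function ct_map_meta_caps( $caps, $cap, $user_id, $args ) {
	if ( 'manage_ct_option' !== $cap ) {
		return $caps; // Not ours: leave the mapping untouched.
	}
	if ( empty( $args[0] ) ) {
		return array( 'do_not_allow' ); // This example's choice: no slug, fail closed.
	}
	$caps = array( 'manage_ct_options' );
	if ( is_multisite() && 'ct_rewrite_slug' === $args[0] ) {
		$caps[] = 'manage_network_options'; // Held by network administrators only.
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'ct_map_meta_caps', 10, 4 );

// Render one text field for the option whose slug is passed in $args.
function ct_render_field( $args ) {
	printf(
		'<input type="text" name="%1$s" value="%2$s" />',
		esc_attr( $args['slug'] ),
		esc_attr( get_option( $args['slug'], '' ) )
	);
}

// Settings screen: register a field only if the per-option check passes.
function ct_register_fields() {
	add_settings_section( 'ct_main', 'Tutorials', '__return_false', 'ct_options' );
	$fields = array(
		'ct_rewrite_slug' => 'Rewrite slug',
		'ct_example_flag' => 'Example option', // Hypothetical second option.
	);
	foreach ( $fields as $slug => $label ) {
		if ( ! current_user_can( 'manage_ct_option', $slug ) ) {
			continue;
		}
		add_settings_field( $slug, $label, 'ct_render_field', 'ct_options', 'ct_main', array( 'slug' => $slug ) );
	}
}
add_action( 'admin_init', 'ct_register_fields' );
```

Skipping a field only changes what the form shows; the code that saves each option should repeat the same current_user_can( 'manage_ct_option', $slug ) check.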