Codex

Codex Resources

Roles and Capabilities

The WordPress Roles feature is designed to give the blog owner the ability to control and assign what users can and cannot do in the blog. A blog owner must manage and allow access to such functions as writing and editing Posts, creating Pages, defining Links, creating Categories, moderating Comments, managing Plugins, managing Themes, and managing other users. The tool that gives the blog owner that control is the ability to assign a Role to a user.

Contents

WordPress Version 2.0

WordPress Version 2.0 introduces the concept of Roles. The WordPress distribution comes delivered 'standard' with five pre-defined Roles: Administrator, Editor, Author, Contributor, and Subscriber. Each Role is allowed to perform a set of tasks called Capabilities. There are thirty Capabilities including publish_posts, moderate_comments, and edit_users. The Capabilities are pre-assigned to each Role.

The Administrator Role is allowed to perform all possible Capabilities. Each of the other Roles has a decreasing number of allowed Capabilities. For instance, the Subscriber Role is allowed just the read and level_0. One particular Role should not be considered to be 'senior to' another Role. Rather, consider that Roles define the user's responsibilities within the blog.

Plugin developers will likely revise the 'standard' Roles and Capabilities because WordPress Developers left open the future possibility of assigning a user to one or more Roles, or assigning Capabilities directly to a User. Since Plugins might change Roles and Capabilities, just the 'standard' Roles and Capabilities are addressed in this article.

Super Powers for Blog Owner

The person with the most important Role is that of blog owner. Typically, the blog owner is the person responsibile for maintaining and backing up the WordPress MySQL database as well as managing the WordPress repository of files (programs, scripts, plugins, themes, images, uploads). Ultimately, the smooth operation of a blog depends on the blog owner fulfilling this 'ultimate role'. Note: The blog owner, in many cases, also acts the Role of Administrator but may choose to assign other users the Administrator Role.

Summary of Roles

  • Administrator - Somebody who has access to all the administration features
  • Editor - Somebody who can publish posts, manage posts as well as manage other people's posts, etc.
  • Author - Somebody who can publish and manage their own posts
  • Contributor - Somebody who can write and manage their posts but not publish posts
  • Subscriber - Somebody who can read comments/comment/receive news letters, etc.

Roles

The identity a particular user assumes in a blog is called their Role. A Role essentially describes the set of tasks, called Capabilities, a person is allowed to perform. For instance, the role of Administrator encompasses every possible task that can be performed within a WordPress blog. On the other hand, the Author Role allows the execution of just a small subset of Capabilities.

WordPress 2.0 simplifies the User Level approach of WordPress 1.5 by rolling up adjacent levels with similar permissions into logical, named roles. For example, Level 0 is now assigned to the Subscriber Role, while Levels 5 and 6 together make up the Editor role.

Administrator

Role Name: Administrator

Capabilities:

Editor

Role Name: Editor

Capabilities:

Author

Role Name: Author

Capabilities:

Contributor

Role Name Contributor

Capabilities:

Subscriber

Role Name: Subscriber

Capabilities:

Capability vs. Role Table

Capabilityadmineditorauthorcontributorsubscriber
switch_themes
edit_themes
activate_plugins
edit_plugins
edit_users
edit_files
manage_options
import
unfiltered_upload
edit_dashboard
update_plugins
delete_plugins
moderate_comments
manage_categories
manage_links
unfiltered_html
edit_published_posts
edit_others_posts
edit_pages
delete_users
create_users
edit_others_pages
edit_published_pages
publish_pages
delete_pages
delete_others_pages
delete_published_pages
delete_others_posts
delete_private_posts
edit_private_posts
read_private_posts
delete_private_pages
edit_private_pages
read_private_pages
upload_files
publish_posts
delete_published_posts
edit_posts
delete_posts
read
 
level_10
level_9
level_8
level_7
level_6
level_5
level_4
level_3
level_2
level_1
level_0

Capabilities

switch_themes

Allows access to Administration Panel options:

  • Design
  • Design > Themes
  • Design > Widgets

edit_themes

Allows access to Administration Panel options:

  • Design > Theme Editor
  • Design > Current Theme Options

activate_plugins

Allows access to Administration Panel options:

edit_plugins

Allows access to Administration Panel options:

edit_users

Allows access to Administration Panel options:

edit_files

Allows access to Administration Panel options:

manage_options

Allows access to Administration Panel options:

  • Options > General
  • Options > Writing
  • Options > Reading
  • Options > Discussion
  • Options > Permalinks
  • Options > Miscellaneous

moderate_comments

Allows access to Administration Panel options:

  • Question: This is blank. I guess the User can accept and deny (= delete) a comment in moderation. Can he also delete other comments? Tordans 17:56, 8 Apr 2006 (GMT)

manage_categories

Allows access to Administration Panel options:

  • Manage > Categories

manage_links

Allows access to Administration Panel options:

  • Links
  • Links > Manage Links
  • Links > Add Link
  • Links > Link Categories
  • Links > Import Links

upload_files

Allows access to Administration Panel options:

  • Upload

import

Allows access to Administration Panel options:

  • Import

unfiltered_html

Allows user to post HTML markup or even Javascript code in pages, posts, and comments.

Note: Enabling this option for untrusted users may result in their posting malicious code to your blog.

edit_posts

Allows access to Administration Panel options:

  • Write
  • Write > Write Post
  • Manage
  • Manage > Posts
  • Manage > Comments -- The "show post", "edit post", "edit comment", and "delete comment" links are enabled only on own posts, since edit-comment.php looks for "current_user_can('edit_post', $comment->comment_post_ID)"'
  • Manage > Awaiting Moderation -- I think contributor can only see the menuitem since the capability "moderate_comments" is needed to view the comment list (see moderate.php). So you cannot even see your own posts comments in the moderation list?!

edit_others_posts

  • Manage > Comments -- Lets user delete and edit every comment (see edit_posts above)
  • user can edit other users' posts through function get_others_drafts()
  • user can see other users' images in inline-uploading [no? see inline-uploading.php]

edit_published_posts

User can edit his published posts. This capability is off by default. The core checks the capability edit_posts, but on demand this check is changed to edit_published_posts.
If you don't want a user to be able edit his published posts, remove this capability. (see also this comment on the Role Manager Plugin Homepage).

publish_posts

User can

  • see and choose the radiobox "publish" when writing a post
  • see and use the "publish" button below their post (otherwise they can only save drafts)
  • can use xmlrpc to publish (otherwise they get a "Sorry, you can not post on this weblog or category.")

edit_pages

Allows access to Administration Panel options:

  • Write > Write Page -- gives acces to "page-new.php"
  • Manage > Pages -- all users can view "/wp-admin/edit-pages.php" but only those here do see the link 'edit' and 'delete' in the table list.

As far as I see all editors can edit each others' pages. [[[User:Scoop0901|Dave J. (Scoop0901)]] 16:38, 30 Jan 2007 (UTC) fixed typo]

read

Allows access to Administration Panel options:

  • Dashboard
  • Your Profile

Used nowhere in the core code except the menu.php

edit_others_pages

Since 2.1

edit_published_pages

Since 2.1

edit_published_pages

Since 2.1

delete_pages

Since 2.1

delete_others_pages

Since 2.1

delete_published_pages

Since 2.1

delete_posts

Since 2.1

delete_others_posts

Since 2.1

delete_published_posts

Since 2.1

delete_private_posts

Since 2.1

edit_private_posts

Since 2.1

read_private_posts

Since 2.1

delete_private_pages

Since 2.1

edit_private_pages

Since 2.1

read_private_pages

Since 2.1

delete_users

Since 2.1

create_users

Since 2.1

unfiltered_upload

Since 2.3

edit_dashboard

Since 2.5

update_plugins

Since 2.6

delete_plugins

Since 2.6

level_10

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_9

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_8

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_7

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_6

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_5

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_4

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_3

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_2

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_1

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

level_0

Allows access to Administration Panel options:

  • Maintained for backward compatibility for Plugins

User Level to Role Conversion

Role to User Level Conversion

Subscriber Role

User Level 0

Contributor Role

User Level 1

Author Role

User Levels 2, 3, and 4

Editor Role

User Levels 5, 6, and 7

Administrator Role

User Level 8, 9, and 10

Resources

This article is marked as in need of editing. You can help Codex by editing it.

Retrieved from "http://codex.wordpress.org/Roles_and_Capabilities"