I recently announced my intention of creating a user/role/capability management plugin for WordPress. One of the things I’ve noticed from the comments on that post is that people don’t understand exactly how the WordPress role and capability system works. Since I’m developing a plugin based on that system, I feel it’s my responsibility to explain how it all fits together.
What I’m proposing in this post is not something new to the WordPress world. I’m not creating new ideas with my upcoming plugin. This is how it works in WordPress. The plugin will just put a face to these ideas.
If you do not grasp this concept, you won’t understand the inherent limitations of the plugin nor the features of it.
What are users?
For the sake of thoroughness (even though you probably understand this), users are people that have registered on your site. They have a user account. Users, in this context, are not people who have visited your site or someone that leaves a comment.
Being a registered user doesn’t mean anything though. Users are given context through a role. Roles define each user’s place on the site.
What are roles?
Roles are a way of grouping users. By default, WordPress gives you several roles to work with:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
These are all pretty straightforward. Average Joe shouldn’t have much trouble figuring out what roles can do certain things. But, let me present what’s really going on here.
There are two important things you need to understand about roles in WordPress before moving forward:
- Roles are not hierarchical.
- Roles have no meaning without capabilities.
Many of you might want to argue with that first point. You might want to say that “administrator” is a higher level than “subscriber.” But, that’s not entirely true. It’s the wrong way to look at how roles work. The default administrator role simply has more capabilities. You could give the default subscriber role more capabilities than the administrator (if you wanted to).
If you learn nothing else from this post, remember this — roles are defined by what capabilities they are granted. There is no hierarchy.
What are capabilities?
This is the real beauty of how the system works. Capabilities are permissions. They’re a way of saying a role can or can’t do something.
Capabilities are given to roles. So, users of a certain role are limited by that role’s capabilities.
For example, the administrator role (by default) is granted the capability of edit_themes. You don’t get to edit your theme because you’re an administrator. You are allowed to edit your theme because your role (administrator) has the capability of edit_themes. If you took away that capability, you would no longer be able to edit your theme in the WordPress admin, no matter how important you think your role is.
Putting it all together
Here’s the short and simple version of this concept:
- Users are people that have registered on your site.
- Each user is given a role on your site.
- Each role is given a set of capabilities (i.e., permissions) that grant/restrict their access.
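The relationship summarized above can be checked against a real install. This is an added example, not code from the original post or from the plugin it describes. It assumes a loaded, single-site WordPress on a disposable test install, run with `wp eval-file caps-demo.php`; the role `fruit_inspector` and the `demo_*` function names are hypothetical.

```php
<?php
// Added example, not from the original post or its plugin. Assumes a loaded,
// single-site WordPress on a disposable test install, run with
// `wp eval-file caps-demo.php`. The role "fruit_inspector" is hypothetical.

/** Return the slug of every role that is granted $cap. */
function demo_roles_with_cap( $cap ) {
	$holders = array();
	foreach ( wp_roles()->roles as $slug => $details ) {
		// Each role stores its capabilities as cap => true/false.
		if ( ! empty( $details['capabilities'][ $cap ] ) ) {
			$holders[] = $slug;
		}
	}
	return $holders;
}

/** Print which roles hold each capability in $caps. */
function demo_report( $label, array $caps ) {
	echo "== {$label} ==\n";
	foreach ( $caps as $cap ) {
		$holders = demo_roles_with_cap( $cap );
		printf( "%-18s %s\n", $cap, $holders ? implode( ', ', $holders ) : '(no role)' );
	}
}

/** Gate a feature on the capability, never on the role name. */
function demo_may_edit_themes( $user_id ) {
	return user_can( (int) $user_id, 'edit_themes' );
}

$caps = array( 'edit_themes', 'moderate_comments' );
demo_report( 'default roles', $caps );

// A new role is only a name plus the capabilities handed to it.
add_role( 'fruit_inspector', 'Fruit Inspector', array(
	'read'        => true,
	'edit_themes' => true,
) );

// Role changes are saved to the database, so they are undone at the end.
$admin = get_role( 'administrator' );
$admin->remove_cap( 'edit_themes' );

demo_report( 'after changes', $caps );

// Users in the administrator role can no longer edit themes.
foreach ( get_users( array( 'role' => 'administrator', 'fields' => 'ID' ) ) as $id ) {
	printf( "user %d may edit themes: %s\n", $id, demo_may_edit_themes( $id ) ? 'yes' : 'no' );
}

// Restore the defaults touched above.
$admin->add_cap( 'edit_themes' );
remove_role( 'fruit_inspector' );
```

The report half on its own is a quick audit of which roles on a site hold a sensitive capability, which the role names alone will not tell you.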
Why is all this important?
It’s important to understand how the platform you’re using works. I was amazed at the number of comments I received that focused on a hierarchical role system, which is not how WordPress works.
That’s the thing that troubles me the most. If people are going to be using a plugin that extends the current role and capability system, they must understand how things work.
A sneak-peek at the plugin
Since many of you have been patiently awaiting news on this plugin and have read through this post, it’s only fair that I offer you a little teaser. This preview is of the Edit Roles component, which is one of several components I’m building into the plugin:
For those of you interested in beta testing the plugin, look for a blog post later this week. The plugin is coming along quite nicely.
I saw your tweets and felt bad (I hate when that happens) so I thought that I better read your article after all your hard work. And guess what – another lesson learned. Thanks for the info. It is usually d.o. who does this stuff for our site and he raves about you. Like he says, the elements that set your service apart from the rest is trust, and that you are a natural born teacher. Thanks for what you do – Rachel from hypyklrz.
I have been using the Role Manager plugin for WordPress 2.7.1 and Capability Manager for 2.8.4, and I’m just satisfied. But I can’t wait to try your plugin; your plugin’s features look more promising…
Well stated Justin and will save you from explaining after the plugin release. The screenshot looks great!
I’m definitely looking forward to the plugin. Having a visual representation of what each user can and can’t do will be extremely useful.
Thanks for the informative post and for the upcoming plugin!
Screenshot looks fantastic and I’m very happy to see capability “moderate comments” there, which if I’m not wrong Role Manager doesn’t have, and that one is actually the most important to me.
I think you may have stressed the idea that roles are not hierarchical a bit too much. The distinction you’re making is that roles are not inherently hierarchical, but can be made so in the way that you define their capabilities. In actual practice, a set of roles and capabilities that are not somewhat hierarchical makes little sense to me. In fact, they are somewhat hierarchical by default in WordPress. On the other hand, a purely hierarchical set is not useful in most cases either.
Rachel Rock — I managed to recover most of the original post. Well, at least the parts I could remember. Thanks for stopping by.
8207h32 — The plugin I’m developing will definitely be on a different path. I hate to even call it just a user/role/capability management plugin. The plan is to go far beyond that.
Adam W. Warner — Those are my thoughts exactly. After reading the previous comments, I knew there’d be a lot more questions and feature suggestions that didn’t take into account how the system works. Now, I’ll just be able to point people to this post.
John Hawkins — That would be really cool. If no one else does it and I can manage to find the time, I’ll put it together.
David — The moderate_comments capability is not something added by the plugin. It’s a WordPress capability that’s added by default.
Carson Sasser — And, one more time for good measure — Roles are not hierarchical.
Thanks for this explanation.
But, what is the difference with this plugin: Role Manager :
http://www.im-web-gefunden.de/wordpress-plugins/role-manager/
And I have another question:
How can we display the role name of the comment author on his comment??
NotAlame — Role Manager is only a role management plugin (plus it’s lacking any serious development these days). Role management is just one component of my upcoming plugin.
For your second question, you should stop by the WordPress support forums.
Thanks for your quick answer…
For your future plugin, I hope it doesn’t use a big amount of memory because I have memory_limit=24M on my hosting (I’m using WordPress 2.6.5)
And for my question… I asked 2 times but no one answered me…
I made researches and only found how to display it for author POSTs…
Sounds to me like the makings of an extremely useful and popular plugin. Good work Justin!
@Carson Sasser: I don’t think the point being stressed is that Roles can be made to be “non-hierarchical.” The point is that they are not hierarchical, e.g. that the Admin role need not always inherit the capabilities of the other roles. The Roles/Capabilities chart in the codex ( http://codex.wordpress.org/Roles_and_Capabilities#Capability_vs._Role_Table ) does not make this point clear, which may be causing some of the confusion Justin is addressing.
And Justin, I look forward to eventually creating little demon_eaters on my site, with the capability to eat_demons!
Thanks for this, Justin. It’s now clear.
Now that I have dug into the codex and found out what each capability does, your plugin will be rocking this side of WordPress.
Happy to be an alpha/beta tester. You have my email.
Cheers,
Joaquín.-
I have to admit I was one of those idiots that didn’t know how the WordPress role and capability system works. I now know, thanks! And thanks for putting it in words anyone could understand.
It’s very similar to Capability Manager by Jordi Canals. You can see it at http://alkivia.org/wordpress/capsman/
It’s an awesome plugin to manage capabilities.
NotAlame — I try to keep the memory usage down as much as possible. That’s with any plugin though. I can tell you it won’t work with a version of WordPress as old as 2.6.5. I would recommend upgrading as soon as possible.
Xavier — Thanks. I hope it turns out well.
Dan Clark — I see you understand quite perfectly the point of the post.
I’m bored with the demon eaters though. During today’s testing, I’ve been creating various fruits with capabilities such as tastes_good and grows_with_sunlight.
Joaquin — The beta testing phase will begin later this week, so be on the lookout for a new post.
Deb — I’m glad I could be of service. Many folks don’t really understand how it works, so you’re not alone.
Fape — Without you actually seeing my upcoming plugin, it’s hard to understand how you’d be able to make such a statement. A single part of my plugin will, yes, allow you to manage a role’s capabilities, but that’s only one component.
When my plugin’s released, feel free to compare/contrast it with any other plugin you wish.
Justin, excuse me, I’m not saying that it’s the same thing, just that it is very similar in some functions. Perhaps it’s because my English is very poor (I’m a Spanish speaker). Again, excuse me! I follow your work and use some of your plugins on my sites and think that you do an amazing job sharing your knowledge.
Sounds to me like the makings of an extremely useful and popular plugin. Good work Justin! keep it up.
Hi Justin,
Is it possible to use this plugin for creating something like in this scenario:
All Commenters need to register ( it is already set in WP Settings)
So, once someone registers he will be able to comment. After sometime the commenter feels to delete his comment so he logs back in and must be able to just delete his own comment only.
I hope you can look into this
Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon.
Looking good Justin. Based on your thoroughness and recent screenshot, I’m eagerly anticipating this plugin.
Thanks!
Definitely learnt something new today, thank you
Found out about your post on WLTC (Jeff’s post) and rushed over to learn about this concept in plain English. Spot on. Looking forward to the plugin as well!
Hey Justin, is there any system that will buzz us by email when your plugin will be out??
Sounds like you’re working on something that will be in the core WP 2.9 release: http://www.wptavern.com/forum/general-wordpress/699-new-way-doing-user-roles-capabilities.html
Fape — Sorry, I didn’t mean to come off as rude, but re-reading my previous comment, I think I may have.
What I was getting to is that the plugin you mentioned and a single part of my upcoming plugin will be similar, but the plugins themselves will be vastly different.
Garry — Thanks. I hope it serves a large part of the community. It’s definitely the toughest thing I’ve worked on within WordPress.
HW — I’ll add that to my long list of possible features in the future. It’s not something I see as a priority right now, but I definitely see how it could be useful when running a community.
Dave — I’m just hoping I’m being thorough enough. It can get a little complicated making sure you’ve covered all your bases with something like this, but I’m hoping we can knock out anything I missed in the upcoming beta release.
Flick — I’m glad you picked up on some new WordPress knowledge. I’m here to serve.
NotAlame — Just subscribe to the feed (link near the top of the page). There should be an email option.
paperReduction — Not exactly. What’s happening in WordPress 2.9 is that they’re removing some of the user, role, and capability stuff, which makes for better scaling on larger sites. They’re not adding any sort of management for this.
users, roles and capabilities are well described here.
Looks very promising Justin! Currently I use Rolemanager on a couple of sites, but I’m scared by the lack of development and anxiously awaiting the day when an upgrade of wp breaks the plugin (and the whole site with that).
Your explanation of roles and capabilities was excellent. I’d love to hear more insight into exactly what capabilities are, how they are defined and created in wordpress itself, etc.
p.s. is my email address being shown when I fill it in here?
I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Thanks for sharing.
Ahh now i see. Thanks for the explanation.
Sounds quite nice. I want to install a WordPress blog for my children’s school. But it is very difficult to handle all users and user types. Perhaps this plugin helps. Looking forward …
Greeting, Martin
In my opinion, Wordpress set out the rules with a hierarchical pattern, but not hard, they can be altered and lose this hierarchy.
Having the right tool the administrator can assign any way its capabilities.
The comment from Carson Sasser expressed practically my thoughts.
My hope is that your plugin adds the possibility of the administrator can choose your options, either hierarchical or not.
Use the Role Manager on some projects and need to determine access to specific categories.
I have a beta site, which I use for my tests, I think is productive can help you test your plugin.
I will waiting your plugins and make some review on WPGPL.com
It occurred to me, after reading the post about roles and capabilities that many games characters seemed to build on that premise. You pick a role (character) and you go about earning capabilities (a magic staff – more special powers – life etc.). Hey – it is just me spacing out.
Whether or not that is a relevant analogy – your explanation gave me a clear understanding and a better perspective.
Thanks
david c ballard
matthijs — There’s really not much more to tell about what capabilities are outside of what’s in the post. One could describe each default capability in WordPress in more detail, I suppose.
Your email address is kept private, by the way.
Martin — It should definitely help in controlling who can do what, especially if you have multiple people creating content or need to restrict content.
Lauro Faria — The default roles in WordPress were created so that they represented a typical blog’s roles. Also, WordPress did have a hierarchical system before 2.0 (levels rather than capabilities).
That’s partially true. It has nothing to do with the “administrator” though. Whatever roles have the edit_roles and create_roles capabilities will be able to assign capabilities.
If the administrator role is given the proper capabilities with the plugin, it’ll allow administrator to control options.
WPGPL — Stay tuned. It should be available soon in beta form.
David C Ballard — Yes, you’ll find a similar system in many role-playing games. Heck, you could even turn a WordPress-powered site into one big game where people earn new capabilities through things like comments, length of time on the site, and so on.
Note: I do not speak English, then use the Google translator.
That said, reread any sentences.
The Wordpress was prepared to be a typical blog, but what makes it good is their ability to CMS that are many.
At this point, your plugin is very welcome.
The term administrator, you may not be appropriate. Then consider any User that can receive permission to use more advanced features and specific, without considering a “traditional hierarchy”.
Roles edit_roles and create_roles are still obscure to me. Especially with the right terms for each role.
As I read about your plugin, is mentioned on access to content. In my case, it is interesting also access the content of this generation. Especially being able to separate the access to certain categories (post).
Bom trabalho. (Good work.)
thanks, i can quote this article ?
Grrrr…I am a victim of “Paralysis from Analysis”.
It drives me crazy not to be able to perform a task because the information was uncovered in the beginning, or have to undo something because the particular application is not available with your version of the software. For example, when you have a great idea, and go to implement it, only to find out…Sorry that will not work, you do not have that capability.
My partner is setting up my personal blog, and asked me to pick out the theme for WordPress. Holly Mollies…That is unfair, especially, when suffering from paralysis by analysis. This is why I appreciated reading your post Justin. It helped with the bigger picture.
Every blog – blog post – radio show – social networking site – that we built or subscribed to, for the past five years, have all dealt with children, and their family’s safety online and offline.
I am attempting to write a book that I believe will be the contributing factors to help keep our children safe, and provide for a healthy and safe Internet; hence, my personal blog.
Justin, your comment, regarding an element of gaming is something I have considered, although more along the traditional board game, than the digital online concept. I hope that such a game would empower children, and their family’s better understand online and offline safety.
I would like to make the blog interactive using different mediums, allowing for the opinions of others, and possibly incorporating the game concept digitally.
Over the years, we have been approached to evaluate products and services, which we personally, as well as our company uses. The site would offer these same products to help fund the publishing of the book.
Currently the blog is set up on WP using Dream Theme – any suggestions as to the best bells and/or whistles, which will help for a smooth transition into the future would be greatly appreciated.
David
It’s very important to understand roles for users when incorporating user commenting and/or forums with your blog. You don’t want spammers to go wild. Great post!
estetik — You can quote any article from anywhere given proper attribution.
David C Ballard — I could definitely see how using the role/cap system could be beneficial to running a children’s site, especially one where restrictions need to be set firmly in place.
Christian Hollingsworth — Definitely. It’s all about restricting/granting access the way you want.
Good luck with the plugins! I like the permissions features you discuss in your article. I took a look at the screenshot and that is pretty detailed!
Thanks a bunch for this information, user roles have been somewhat confusing for me, I’ve got some clarity thanks to this post here. Thanks again.
Larry — Thanks. So far, the plugin is doing well.
Carmellita — I’m glad I got a chance to clarify a few things. I used to be totally confused about how the system worked too.
I have tested the post/page limitations and, not surprisingly, it works like a charm.
However, there is one thing that’s not as it should, i suppose. I know it’s much more difficult to achieve, but it would be nice if forbidden pages/posts wouldn’t appear in the list for the users who cannot view their contents.
It’s pretty annoying to see a large structure from which one can only access a small part. Also, one has to find out on a trial and error basis which are the sections of the site he can access and has to remember them.
I guess hiding forbidden pages/posts in: widgets, menus and admin area would make a big change for this plugin.
Is this achievable?
I’ll test it some more.
So far it’s pretty neat, like everything you do.
Good work.
Oops. Sorry. Meant to post the above on the members plugin page.
Although I am not running the plugin, your basic outlining of users, roles, etc. was incredible. Such a simple explanation that I can show my Mom understand a little more. Thank you
Nice to see someone spending time on the more technical plugins, have taken up a few recommendations many, many thanks for your hard work. bp
Hi Justin, I just started using your plugin to solve an access problem with a community website I am building at http://camdenproducemarkets.com.au
I have to say it works a treat! You rock!
Thanks for creating this plugin .
Jim
I thought i might mention what you’re dealing with here is Access Control Theory. In which classically you have users, roles, and resources. WordPress implements this poorly in my opinion, as ‘capabilities’ is really a merger of roles and resources.
Users define who does something
Roles define what can be done (usually create, read, update, delete)
Resources define what things are affected.
You can see this in capabilities as delimited by the underscore ‘edit’ is the role ‘themes’ is the resource. I think eventually WordPress is going to have to tease these two apart if it wants to stay competitive in the CMS market
Hi Justin,
First of all, greetings for your great articles, you are very good teacher.
That said, i should ask you a question i’ve not seen resolved anyway.
Non-hierarchical roles are more granular, but it could be very interesting to make a role inherit another role’s capabilities. I mean create a role as the sum of other roles (as groups of capabilities).
Is it possible in any way? It is easy to do by simply creating as many roles as needed, but in a site with multiple kinds of memberships, where every membership allows or does not allow a couple of capabilities, it could be more comfortable to manage the always-changing memberships and promotions (for example).
Was this plugin ever released?
Question about the plugin….
So when a “Member” logins in does it take them to the Dashboard? Or to the site itself ?
What I need is a plugin that will require a visitor to register and then they will have to login to see any content at all and then I need to be able to assign permission as to who can see what.
Will this plugin do that?
I dug into the codex and found out what each capability does; your plugin will be rocking this side of WordPress.
nice work nice set of tutorials ,i like all of them..,thanks for share the knowledge and wish you good luck for future works..,thanks