are capabilities additive with multiple roles?

  • Resolved holmegm

    (@holmegm)


    3 years, 10 months ago

    If a user has multiple roles, how are differences between the role capabilities handled?

    For example, a plugin called JS Help Desk has some custom capabilities, for example “jsst_support_ticket”. Let’s say we have two roles, “manager” and “employee”.

    “manager” role has “jsst_support_ticket” checked, and “employee” role does not.

    Managers are also employees. So a manager user has both roles, “manager” and “employee”. So which capability setting “wins”? Does the user have this “jsst_support_ticket” capability or not?

Viewing 1 replies (of 1 total)
  • Plugin Author Caseproof LLC

    (@caseproof)

    3 years, 10 months ago

    Hi @holmegm

    When assigning multiple roles to a single user that has a conflicting capability (e.g., granted publish_posts and denied published_posts cap), it’s best to enable the denied capabilities should always overrule granted capabilities via the Members Settings screen. This will consistently make sure that denied capabilities always overrule granted capabilities. With this setting disabled, WordPress will decide based on the last role given to the user, which can mean for extremely inconsistent behavior depending on the roles a user has.

    Best

Viewing 1 replies (of 1 total)

The topic ‘are capabilities additive with multiple roles?’ is closed to new replies.