Title: Not Allowed when using current_user_can
Last modified: October 15, 2016

---

# Not Allowed when using current_user_can

 *  [rexgoode](https://wordpress.org/support/users/rexgoode/)
 * (@rexgoode)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/not-allowed-when-using-current_user_can/)
 * I’m creating a plugin.
 * I’m using AJAX for administrative tasks and most of the plugin is handled in 
   a PHP class.
 * Everything so far is working well. It only takes one line to break the whole 
   thing and give me a blank window with only “Sorry, you are not allowed to access
   this page” showing.
 * That one thing is to add this line.
 * `$hasAuthority = current_user_can("edit_posts");`
 * The following are all pieces of evidence:
    - It isn’t just current_user_can. I get the same error if I try to use wp_verify_nonce()
      also.
    - This is only a problem when it happens in a function that is part of the class.
      If I put the same line in a function that isn’t part of the class, it has 
      no problem.
    - I am on a network. The plugin is Network Activated. I’m testing the plugin
      in the main site of the network.

Viewing 3 replies - 1 through 3 (of 3 total)

 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/not-allowed-when-using-current_user_can/#post-8306352)
 * The difference between procedural and OOP is probably related to variable scope,
   but that’s a false clue I think. The real issue is probably the resource you’re
   accessing is doing its own capability check and whatever you do isn’t going
   to override that. Or it may be the resource simply won’t allow access the way
   you’re doing it. It’s difficult to say without seeing what you’re trying to do.
 * Are you at least sending your AJAX requests through wp-admin/admin-ajax.php? 
   This is required in order to access WP resources. You cannot include your way
   around this.
 * Assuming you’ve done that part right, if possible, please provide the relevant
   code you’re having trouble with. If you can’t reduce the relevant portion to 
   a reasonably sized snippet, please post it at pastebin.com and provide the link
   here. When you post your code there, try to remember to select the proper syntax
   highlighting… it makes reading code much easier 🙂
 *  Thread Starter [rexgoode](https://wordpress.org/support/users/rexgoode/)
 * (@rexgoode)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/not-allowed-when-using-current_user_can/#post-8306650)
 * Thanks for the reply, [@bcworkz](https://wordpress.org/support/users/bcworkz/).
   Yes, I do go through admin-ajax.php.
 * Here’s an attempt at showing the code, leaving out things I’m pretty sure are
   irrelevant for brevity’s sake. From the php that handles the class:
 *     ```
               if (!class_exists("ivevents")) {
                       class ivevents {
                               var $dbVersion = "0.0";
       ... various class attributes
                               public function ivevents() { // constructor
       ... constructor-like stuff
                               }
                               function ivevents_request() {
       //                              $hasAuthority = current_user_can("edit_posts");
       //                              if (wp_verify_nonce($nonce, "ivev_general_nonce")) {
                                               if (isset($_REQUEST['ivevaction'])) {
                                                       switch($_REQUEST['ivevaction']) {
                                                               case 'action':
                                                                       $success = TRUE;
                                                                       $result = array("sample" => "return data");
                                                                       $ret = array("success" => $success, "data" => $result);
                                                                       header("Content-type: application/json");
                                                                       echo json_encode( $ret );
                                                                       exit;
                                                                       break;
                                                               case 'Cancel':
                                                               default:
                                                                       break;
                                                       }
                                               }
       //                              }
                               }
       ...
       ```
   
 * In the main php file:
 *     ```
       include_once( ABSPATH . 'wp-admin/includes/plugin.php' );
       function ivevents_enqueuer() {
       ... set up CSS
               $regscript = wp_register_script( "iveventsscript", plugins_url("ivevents/ivevents.js"), array('jquery') );
               wp_localize_script('iveventsscript', 'IVEventsAjax', array( 'ajaxurl' =>  admin_url( 'admin-ajax.php'), 'ivev_nonce' => wp_create_nonce('ivev_general_nonce' )));
               wp_enqueue_script( 'iveventsscript');
       }
       add_action( 'wp_enqueue_scripts', 'ivevents_enqueuer' );
       add_action( 'admin_enqueue_scripts', 'ivevents_enqueuer' );
   
       $adminurl = get_option('siteurl').'/wp-admin';
       $sep = (strpos(__FILE__,'/')===false)?'\\':'/';
       $WPpluggable = substr( dirname(__FILE__),0,strpos(dirname(__FILE__),'wp-content')) . 'wp-includes'.$sep.'pluggable.php';
       if ( file_exists($WPpluggable) )
               require_once($WPpluggable);
       include("classes/events.php");
       if (class_exists("ivevents")) {
               $ivev = new ivevents();
       } // Create an object of type ivevents
       if (isset($ivev)) {
               add_action( 'wp_ajax_ivevaction', array($ivev, 'ivevents_request'));
       }
       ```
   
 * Rex
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [9 years, 8 months ago](https://wordpress.org/support/topic/not-allowed-when-using-current_user_can/#post-8311031)
 * Thanks for posting that information. Unfortunately, I’m not seeing what the problem
   could be. What’s odd is it appears your AJAX callback has nothing to do with 
   accessing other pages. My best guess is relevant user cookie data is not being
   sent by the browser due to some security restriction related to Network installations,
   causing both the user capability check function to fail and the page access check
   to fail as well.
 * But then the call to is_user_logged_in() in admin-ajax.php apparently works, otherwise
   your AJAX callback would never be called. Not to mention that the procedural 
   version works. My best guess is not a very good guess I suppose 🙁 Have you tried
   your plugin in a non-network installation? If it’s strictly a network issue, 
   you could try presenting your issue in the Multisite forum where the Network 
   experts will more likely see your post. I cannot claim to be such an expert.
 * It might help if you can track down where the page access error is coming from
   and what condition is triggering it.
 * Not that it’ll help with the page access restriction, but I do see an issue with
   your nonce check which should be addressed. The actual nonce value is not assigned
   to $nonce, so the check will always fail. In any case, you should use check_ajax_referer()
   to check nonces sent with AJAX where you can specify the proper key with which
   to get the nonce value from $_REQUEST.
 * I’m sorry I couldn’t help more. I wish you luck in tracking this down.
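The following is an added illustration of the nonce and capability checks bcworkz recommends; it is not code from this thread or from the plugin being discussed. The hook name `wp_ajax_ivevaction`, the nonce action `ivev_general_nonce` and the `ivevaction` request parameter are taken from Rex’s snippets; the function name `ivevents_ajax_request_hardened` and the `security` request key that carries the nonce are assumptions, as is the lowercase `cancel` action name.

```php
<?php
// Added example (not part of the thread): an admin-ajax.php callback that does
// the nonce check and the capability check in the order a defender wants them.
// Assumes WordPress core is loaded, so check_ajax_referer(), current_user_can(),
// sanitize_key() and wp_send_json_*() exist. The browser-side script is assumed
// to send the localized IVEventsAjax.ivev_nonce value in a request field named
// 'security' (assumed key name).

function ivevents_ajax_request_hardened() {
    // 1. Nonce check. check_ajax_referer() reads the nonce from $_REQUEST['security']
    //    (its second argument) and verifies it against the 'ivev_general_nonce'
    //    action that wp_create_nonce() used in the enqueuer. With the third argument
    //    left at its default (true) it calls wp_die() on failure, so nothing below
    //    runs for a request without a valid nonce. This replaces the commented-out
    //    wp_verify_nonce($nonce, ...) call, whose $nonce was never assigned.
    check_ajax_referer( 'ivev_general_nonce', 'security' );

    // 2. Capability check. A valid nonce only shows the request originated from a
    //    page WordPress rendered for this user; it says nothing about what the user
    //    is allowed to do, so the capability check is a separate, unconditional step.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Only now act on the request. sanitize_key() lowercases and strips anything
    //    outside [a-z0-9_-], so the action name is safe to compare and to log.
    $action = isset( $_REQUEST['ivevaction'] ) ? sanitize_key( $_REQUEST['ivevaction'] ) : '';

    switch ( $action ) {
        case 'action':
            // wp_send_json_success() sets the JSON content type, echoes
            // {"success":true,"data":{...}} and calls wp_die(), replacing the
            // manual header()/echo/exit sequence in the original snippet.
            wp_send_json_success( array( 'sample' => 'return data' ) );
            break; // not reached; wp_send_json_success() exits
        case 'cancel':
            wp_send_json_success( array( 'cancelled' => true ) );
            break;
        default:
            // Unknown actions are rejected explicitly instead of falling through a
            // default branch that silently returns an empty body.
            wp_send_json_error( array( 'message' => 'unknown action' ), 400 );
    }
}

// Logged-in users only: no wp_ajax_nopriv_ivevaction hook is registered, so an
// anonymous request to admin-ajax.php with action=ivevaction gets WordPress's
// default "0" response and never reaches this function.
add_action( 'wp_ajax_ivevaction', 'ivevents_ajax_request_hardened' );
```

The same function body works unchanged as a class method registered with `array($ivev, 'ivevents_request')` as in Rex’s main file. On the browser side the request needs both `action: 'ivevaction'` and `security: IVEventsAjax.ivev_nonce` in its POST data; if `security` is omitted, `check_ajax_referer()` fails closed and the handler returns `-1` with a 403 rather than running with an unverified nonce.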

The topic ‘Not Allowed when using current_user_can’ is closed to new replies.

 * In: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
 * 3 replies
 * 2 participants
 * Last reply from: [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Last activity: [9 years, 8 months ago](https://wordpress.org/support/topic/not-allowed-when-using-current_user_can/#post-8311031)
 * Status: not resolved