wp_create_user doesn't seem to require create_user capability??

  • Resolved ecat

    (@ecat)


    11 years ago

    I am building a site which is composed of many chapters (clubs). The requirement is that the chapter president be able to create and manage users for his chapter but not for other chapters. Initially, I thought I would have to go to multisite WP for this, with the club presidents admins for each blog within the multisite. But then I tried wp_create_user and wp_delete user in a plugin for an author user who does not have create_user or delete_user capability (as confirmed with the members plugin). Assuming this works, as it seems to, I can easily do everything in a regular WP install with a custom plugin, which will be much simpler to maintain than the multisite. But since I am building the whole design on this assumption, I want to confirm that I am not missing something that will bite me later, or possibly in another version of WP, or have somehow convinced myself that it is true when it isn’t. Has it always been this way?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    Yes, all core functions essentially run under Admin capabilities in a sense. Developers are expected to write code that checks actual user capabilities where appropriate. Still, you will find WP functions that check capabilities, these are more like template tags that consolidate a particular set of core functions to preform a specific task.

    I know that’s not a very specific definition, the line between core functions and template tags can get rather fuzzy. Let’s just say that if you use a function that does not check capability, you should be asking yourself if you, as a developer, should be checking it.

    I see no problem with your plan as long as you take proper measures such that no one can do anything they shouldn’t be able to do as envisioned by your site’s design.

    Thread Starter ecat

    (@ecat)

    Thank you for the explanation, which does make sense. I am checking the capabilities before running the function.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘wp_create_user doesn't seem to require create_user capability??’ is closed to new replies.