Checking role names instead of capabilities:
- Breaks with custom roles - Your check won't work
- Not flexible - Can't grant capability to other roles
- Against WordPress philosophy - Capabilities are the API
- Maintenance nightmare - Must update everywhere for new roles
// WRONG: Checking role name
if ( in_array( 'administrator', $user->roles ) ) {
delete_posts();
}Problems:
- Doesn't work with custom roles
- What about shop_manager, editor, custom roles?
- Must change code to add new roles
// CORRECT: Check capability
if ( current_user_can( 'delete_posts' ) ) {
delete_posts();
}Benefits:
- Works with ANY role that has the capability
- Add capability to any role via admin
- WordPress's intended API
// WRONG: Checks if on admin page, NOT user role!
if ( is_admin() ) { }
// RIGHT: Check capability
if ( current_user_can( 'manage_options' ) ) { }// WRONG
if ( in_array( 'editor', $user->roles ) ) { }
// RIGHT
if ( current_user_can( 'edit_others_posts' ) ) { }// WRONG: General capability
if ( current_user_can('edit_posts' ) ) {
wp_update_post( $post_id ); // Can they edit THIS post?
}
// RIGHT: Object-specific
if ( current_user_can( 'edit_post', $post_id ) ) {
wp_update_post( $post_id );
}manage_options- Site settingsedit_posts- Edit own postsedit_others_posts- Edit others' postspublish_posts- Publish postsdelete_posts- Delete own postsdelete_others_posts- Delete others' postsedit_users- Edit usersdelete_users- Delete usersmanage_categories- Manage categories
✅ Check capabilities, not roles
✅ Use object-specific checks (edit_post, $post_id)
✅ Check BEFORE every sensitive action
✅ Use current_user_can() consistently
✅ Register custom capabilities properly
❌ Don't check role names
❌ Don't use is_admin() for permissions
❌ Don't skip permission checks
❌ Don't use deprecated user levels