WordPress framework, ~10 mins

User capability checks in WordPress - Step-by-Step Execution

Concept Flow - User capability checks
  Start: user requests an action
  Check: is the user logged in?
    No  -> deny access or redirect
    Yes -> check the user's capability with current_user_can()
            capability present -> allow the action
  End
This flow shows how WordPress checks that a user is logged in and holds the required capability before allowing an action.
Execution Sample
WordPress (PHP)
<?php
// Both conditions must hold: an anonymous visitor fails the first check,
// a logged-in user without the 'edit_posts' capability fails the second.
if ( is_user_logged_in() && current_user_can( 'edit_posts' ) ) {
  echo 'You can edit posts.';
} else {
  echo 'Access denied.';
}
?>
This code checks that the user is logged in and can edit posts, then shows a message accordingly.
Execution Table
Step | Action                                | Evaluation                                  | Result
1    | Check if user is logged in            | User logged in = true                       | Proceed to capability check
2    | Call current_user_can('edit_posts')   | User has 'edit_posts' capability = true     | Allow action
3    | Execute echo 'You can edit posts.'    | Output message                              | Message shown to user
4    | End                                   | No more code                                | Execution stops
💡 Execution stops after showing the message selected by the capability check
Variable Tracker
Variable             | Start   | After Step 1 | After Step 2          | Final
user_logged_in       | unknown | true         | true                  | true
user_can_edit_posts  | unknown | unknown      | true                  | true
output_message       | empty   | empty        | 'You can edit posts.' | 'You can edit posts.'
Key Moments - 2 Insights
Why does the code check whether the user is logged in before checking capabilities?
Because capabilities only apply to logged-in users. Row 1 of the execution table shows the login check running before the capability check.
What happens if current_user_can() returns false?
The else branch runs and 'Access denied.' is shown; rows 2 and 3 of the execution table would then record the failed check and the denial message instead of the allowed path.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the execution table: what is the value of user_can_edit_posts at Step 2?
   A) false
   B) true
   C) unknown
   D) null
   💡 Hint: check the variable tracker row for user_can_edit_posts under "After Step 2".
2. At which step does the code decide to show 'You can edit posts.'?
   A) Step 3
   B) Step 2
   C) Step 1
   D) Step 4
   💡 Hint: look at execution table row 3, where echo is executed.
3. If the user was not logged in, what would happen according to the concept flow?
   A) Show the 'You can edit posts.' message
   B) Allow the action anyway
   C) Deny access or redirect
   D) Skip the capability check and continue
   💡 Hint: see the "No" branch after 'Check: is the user logged in?' in the concept flow.
Concept Snapshot
- Use current_user_can('capability') to check whether a logged-in user has permission.
- Always check that the user is logged in before checking capabilities.
- If the check passes, allow the action; otherwise deny it or show an error.
- Common capabilities: 'edit_posts', 'publish_posts', 'manage_options'.
- This protects sensitive actions from unauthorized users.
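The same login-then-capability flow applied to a real sensitive action, as an added example that is not part of the lesson: an admin-post handler that saves a site option. The hook name 'mylesson_save', the nonce name 'mylesson_nonce' and the option 'mylesson_banner' are assumed names for illustration; the WordPress functions used are the real ones.

```php
<?php
// Added example, not lesson code. The action, nonce and option names below are
// assumptions for illustration; the WordPress functions are the real API.
add_action( 'admin_post_mylesson_save', 'mylesson_handle_save' );

function mylesson_handle_save() {
    // Concept-flow step 1: a logged-out user is sent to log in rather than served.
    // (admin_post_ hooks already fire only for logged-in users; the explicit check
    // keeps the handler safe if it is ever wired to another hook.)
    if ( ! is_user_logged_in() ) {
        auth_redirect();
        exit;
    }

    // Concept-flow step 2: the capability check. 'manage_options' is held by
    // administrators only, so a logged-in subscriber stops here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Access denied.', 'Forbidden', array( 'response' => 403 ) );
    }

    // The capability check proves who the user is; the nonce check proves the
    // request came from a form this site rendered for them (CSRF protection).
    // The form must include wp_nonce_field( 'mylesson_save', 'mylesson_nonce' ).
    check_admin_referer( 'mylesson_save', 'mylesson_nonce' );

    // Only after both checks pass is user input touched and the action performed.
    $banner = isset( $_POST['banner'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner'] ) )
        : '';
    update_option( 'mylesson_banner', $banner );

    wp_safe_redirect( admin_url( 'options-general.php?mylesson=saved' ) );
    exit;
}

// Meta capabilities take an object ID: this asks "may the current user edit
// THIS post", so an author passes for their own draft but not for someone else's.
function mylesson_user_may_edit( $post_id ) {
    return is_user_logged_in() && current_user_can( 'edit_post', (int) $post_id );
}
```

Checking only the capability would still let an attacker trigger the action through a tricked administrator's browser; checking only the nonce would let any logged-in user run it, so a sensitive handler needs both.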
Full Transcript
This lesson shows how WordPress decides whether a user may do something using user capability checks. First, WordPress checks whether the user is logged in. If not, it denies access or redirects. If the user is logged in, it calls current_user_can() to check whether the user holds the needed capability, such as 'edit_posts'. If so, the action is allowed and a message is shown; if not, access is denied. The example code checks whether the user can edit posts and shows a message accordingly. Variables such as user_logged_in and user_can_edit_posts track the state. Key points include always checking login before capabilities and handling both the allowed and the denied case. The quizzes test understanding of variable values at each step and of the flow decisions. This helps keep WordPress sites secure by controlling user permissions carefully.