
How to Use current_user_can in WordPress for Permission Checks

Use current_user_can() in WordPress to check whether the current user holds a specific capability before allowing an action. It returns true if the user has the capability, otherwise false, and is the standard way to gate admin screens, form and AJAX handlers, and REST endpoints. It checks capabilities, not roles, and it answers only "is this user allowed?"; it does not replace the nonce check that proves the user actually intended the request.

Syntax

The current_user_can function takes one required parameter, a capability string naming the permission you want to check, plus optional extra arguments (usually an object ID) that meta capabilities such as edit_post or delete_post need to resolve ownership and status. It returns a boolean indicating whether the current user has that capability.

  • capability: A string like 'edit_posts', 'manage_options', or a custom capability.
  • ...$args: Optional. For meta capabilities, the ID of the post, user, term or comment being acted on, for example current_user_can( 'edit_post', $post_id ).
php
current_user_can( string $capability, mixed ...$args ): bool

Example

This example shows how to check whether the current user can edit posts before displaying an edit link. If the user lacks the capability, the link is not rendered. Hiding the link is a convenience, not the enforcement: post.php runs its own current_user_can( 'edit_post', 123 ) check, so a user who types the URL by hand is still refused.

php
<?php
// 'edit_posts' is the primitive capability held by Contributors, Authors,
// Editors and Administrators. It answers "can this user edit posts at all?",
// not "can this user edit post 123?".
if ( current_user_can( 'edit_posts' ) ) {
    echo '<a href="/wp-admin/post.php?post=123&action=edit">Edit this post</a>';
} else {
    echo 'You do not have permission to edit posts.';
}
?>
Output
If the user can edit posts:
<a href="/wp-admin/post.php?post=123&action=edit">Edit this post</a>
If not:
You do not have permission to edit posts.
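The page's example gates the link on the generic 'edit_posts' capability, which a Contributor holds as well. The following is an added example, not code from the original article, showing the per-object form of the check with the 'edit_post' meta capability and a post ID, so an Author sees the link on their own posts but not on a colleague's. It assumes WordPress is loaded (a theme's functions.php or a plugin hooked on init or later); the function name my_render_edit_link and the text domain my-textdomain are hypothetical.

```php
<?php
/**
 * Added example (not from the original article): render an edit link only
 * when the current user may edit THIS post, not merely "some posts".
 *
 * Assumes WordPress is loaded. my_render_edit_link() and the text domain
 * 'my-textdomain' are hypothetical names chosen for the example.
 */
function my_render_edit_link( int $post_id ): string {
    // Meta capability + object ID. map_meta_cap() turns 'edit_post' into
    // 'edit_posts' for the user's own draft, 'edit_published_posts' once it
    // is live, and 'edit_others_posts' for somebody else's post. For an
    // Author looking at a colleague's post:
    //   current_user_can( 'edit_posts' )          -> true  (too loose)
    //   current_user_can( 'edit_post', $post_id ) -> false (correct)
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return '';
    }

    // get_edit_post_link() repeats the same capability check internally and
    // returns null when it fails, so there is no way to leak the URL here.
    $url = get_edit_post_link( $post_id, 'url' );
    if ( ! $url ) {
        return '';
    }

    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( $url ),
        esc_html__( 'Edit this post', 'my-textdomain' )
    );
}

// Append the link to single posts in the main loop. Visitors who are logged
// out get an empty string because every real capability fails for user ID 0.
add_filter( 'the_content', function ( string $content ): string {
    if ( ! is_singular( 'post' ) || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    $post_id = get_the_ID();
    if ( ! $post_id ) {
        return $content;
    }
    return $content . my_render_edit_link( $post_id );
} );
```

The difference between the two checks only shows up for users below Editor: Editors and Administrators hold edit_others_posts, so both calls return true for them, while Authors and Contributors pass the meta check only on posts they own (and Contributors only while the post is still unpublished).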

Common Pitfalls

Common mistakes include:

  • Calling current_user_can() before WordPress has set up the current user. From the top level of a plugin file it runs before pluggable.php is loaded and fails with an undefined function error for wp_get_current_user() rather than returning false; call it from init or a later hook.
  • Checking roles instead of capabilities. Passing a role name such as 'administrator' is only partly supported, is discouraged in the developer documentation because it can give unreliable results, and silently excludes custom roles that hold the same capabilities.
  • Passing a misspelt or nonexistent capability name. WordPress does not validate the string, so a typo returns false for everyone and locks the feature out with no warning.
  • Using a primitive capability (edit_posts) where a meta capability with an object ID (edit_post, $post_id) is needed. The primitive check says the user can edit some posts; only the meta check, resolved through map_meta_cap(), asks about this post and takes ownership and post status into account.
  • Treating a capability check as the whole authorization story. It proves the user is allowed to perform the action, not that they meant to: a form or URL handler still needs a nonce check (check_admin_referer() or wp_verify_nonce()) to stop CSRF.

Always verify the capability name and run the check from a hook where the current user is available. For logged-out visitors (user ID 0) expect false for any real capability; the only built-in exception is 'exist', which everyone has.

php
<?php
// Wrong: checking a role name instead of a capability. A custom role that
// has been granted manage_options would fail this check.
if ( current_user_can( 'administrator' ) ) {
    echo 'You are an admin';
}

// Right: check the capability the feature actually needs. manage_options
// is held by Administrators by default and by any role you grant it to.
if ( current_user_can( 'manage_options' ) ) {
    echo 'You have admin capabilities';
}
?>
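Putting the pitfalls together, here is an added example (not from the original article) of a request handler that trashes a post, first the way the pitfalls above describe and then the hardened form: a nonce check for intent, then the 'delete_post' meta capability for this specific post, then the action. It assumes WordPress is loaded; the action name my_trash_post, the function names, the nonce action string and the text domain are hypothetical.

```php
<?php
/**
 * Added example (not from the original article): a handler that trashes a
 * post. Assumes WordPress is loaded. The action name 'my_trash_post', the
 * function names and the text domain 'my-textdomain' are hypothetical.
 *
 * A capability check is an authorization check only. It says nothing about
 * whether the logged-in user intended this request, so a nonce check is
 * still required to stop cross-site request forgery.
 */

// WRONG: role name instead of capability, no object ID, no nonce. Any page
// that lures an Administrator into loading the URL trashes the post, and
// Editors, who may legitimately trash any post, are refused.
function my_trash_post_insecure(): void {
    if ( ! current_user_can( 'administrator' ) ) {
        wp_die( 'Not allowed' );
    }
    wp_trash_post( (int) $_REQUEST['post_id'] );
}

// RIGHT: nonce first, then the meta capability for this specific object.
function my_trash_post_secure(): void {
    $post_id = absint( $_REQUEST['post_id'] ?? 0 );

    // The nonce is bound to the action AND the post ID, so a nonce issued for
    // one post cannot be replayed against another. check_admin_referer()
    // dies with a 403 page if the nonce is missing, wrong or expired.
    check_admin_referer( 'my_trash_post_' . $post_id );

    // 'delete_post' is a meta capability: map_meta_cap() resolves it to
    // delete_posts / delete_published_posts / delete_others_posts depending
    // on post status and ownership, so Authors can trash only their own
    // posts while Editors and Administrators can trash anyone's.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to trash this post.', 'my-textdomain' ), 403 );
    }

    if ( ! wp_trash_post( $post_id ) ) {
        wp_die( esc_html__( 'Could not trash the post.', 'my-textdomain' ), 500 );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url( 'edit.php' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; logged-out requests
// go to admin_post_nopriv_{action}, which is deliberately not registered.
add_action( 'admin_post_my_trash_post', 'my_trash_post_secure' );

// The matching link. Render it only when the capability check passes, and
// let wp_nonce_url() attach the _wpnonce parameter the handler verifies.
function my_trash_post_link( int $post_id ): string {
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return '';
    }
    $url = add_query_arg(
        array( 'action' => 'my_trash_post', 'post_id' => $post_id ),
        admin_url( 'admin-post.php' )
    );
    $url = wp_nonce_url( $url, 'my_trash_post_' . $post_id );
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url( $url ),
        esc_html__( 'Trash', 'my-textdomain' )
    );
}
```

The order in the secure handler matters: the nonce is verified before any state-changing call, the capability check uses the same object ID the action will act on, and both failures end the request with wp_die() rather than falling through. The capability check in the link builder is only cosmetic; the handler repeats it because the URL can be constructed by hand.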

Quick Reference

Capability       Description                                   Common Roles (default single-site install)
edit_posts       Edit own posts (others' need edit_others_posts) Contributor, Author, Editor, Administrator
publish_posts    Publish posts                                 Author, Editor, Administrator
manage_options   Change site settings                          Administrator
edit_users       Edit other user accounts                      Administrator
delete_posts     Delete own posts                              Contributor, Author, Editor, Administrator

Key Takeaways

Use current_user_can to check user capabilities, not roles.
Always pass a valid capability string, and an object ID when the capability is a meta capability such as edit_post or delete_post.
current_user_can returns false for every real capability when no user is logged in; call it from init or later so the current user is available.
Use capability checks to control access to admin features or content, and pair them with a nonce check in any handler that changes state.
Avoid checking roles directly; rely on capabilities for permission logic.