Simplify access/user checks

Question

Simplify access/user checks

Opened this issue 7 years ago · 11 comments

Let's get rid of this monstrosity:

function rcCheckUser() {
	if ( current_user_can( 'read' ) ) {
		if ( current_user_can( 'edit_posts' ) ) {
			if ( current_user_can( 'upload_files' ) ) {
				if ( current_user_can( 'moderate_comments' ) ) {
					if ( current_user_can( 'switch_themes' ) ) {
						//do nothing here for admin
					} else {
						add_filter( 'the_content', 'rcMetaDisplayEditor' );
					}
				} else {
					add_filter( 'the_content', 'rcMetaDisplayAuthor' );
				}
			} else {
				add_filter( 'the_content', 'rcMetaDisplayContributor' );
			}
		} else {
			add_filter( 'the_content', 'rcMetaDisplaySubscriber' );
		}
	} else {
		add_filter( 'the_content', 'rcMetaDisplayNone' );
	}
}

add_action( 'loop_start', 'rcCheckUser' );

Answer 1 · 2017-04-20T10:53:01.000Z

I was planning on switching to just user_can() like we do in RCP, but the one thing about that change is it would remove the tiered system that's in place now (i.e. an "Author" can view "Contributor" and "Subscriber" content).

Answer 2 · 2017-04-20T14:56:58.000Z

The tier would still work I believe. user_can( 'Contributor )` evaluates as true for authors and higher.

Answer 3 · 2017-04-20T15:44:20.000Z

Nope. :( I thought it did too but I tried it earlier and it doesn't. For example, this returns false for an admin: user_can( get_current_user_id(), 'contributor' )

Answer 4 · 2017-04-20T20:52:41.000Z

That's sad!

Answer 5 · 2017-04-24T13:11:19.000Z

So is that something we want to preserve? It's not how it currently works in RCP and I did notice a few users thinking it was a bug. If we do want to preserve it we should probably at least clarify that's how it works on the restriction screen.

Answer 6 · 2017-04-24T17:51:44.000Z

How about not preserving and adding an upgrade path of some kind. I don't think this is something we'll ever be able to "not break" if we want to ever support it.

I propose we update it to use user_can() and, after installing the update, show the admin a notice with information about the change. It can link to a doc on how to update the content to work (or perhaps run an upgrade routine to update automatically).

Answer 7 · 2017-04-27T15:09:57.000Z

I like that idea 👍

Here's a PR I started with the new access checks: #12

Answer 8 · 2017-07-17T14:17:58.000Z

@nosegraze is this ready for testing?

Answer 9 · 2017-07-18T02:41:15.000Z

@mindctrl The restriction part is ready for a test. The PR doesn't yet have any kind of backwards compatibility or admin notice though.

Answer 10 · 2017-08-14T22:31:52.000Z

The restriction stuff is working great!

Answer 11 · 2017-09-15T15:06:28.000Z

Punting this to 2.3 to give a little more time for testing, the admin notice, and thoughts to back compat.