When developing WordPress sites, we inevitably deal with WordPress user data, especially when developing a WordPress frontend user center. We need to know if a user has permission to perform certain actions to provide sufficient security guarantees for the user.
Several built-in helper functions in WordPress make it easy to determine a user’s status, permissions, and more. This article collects those functions.
Determine if User is Logged In: is_user_logged_in
This function is simple to use and does one thing: it determines whether the user has logged in to the site. It takes no parameters; if the user is logged in, it returns true, and if not, it returns false.
Determine if User is a Super Administrator: is_super_admin
This function can accept a user ID as a parameter. If this parameter is not set, its value defaults to the current logged-in user’s ID.
In single-site mode, this function determines if a user is an administrator.
If the user being checked is a super administrator or administrator, it returns true; otherwise, it returns false.
is_admin is a different function: it determines whether the user is on a backend page. Don’t confuse the two.
Determine What a User Can Do: user_can
This function requires two parameters: the first is a user ID or user object, and the second is a capability name or role name. If the user possesses that capability or role, it returns true; otherwise, it returns false.
Determine What the Current User Can Do: current_user_can
This function is a shorthand, enhanced version of the function above. It omits the leading user ID parameter and adds an optional object_id parameter for checking custom permissions for a specific object. We don’t use this parameter much; if needed, please refer to the official current_user_can documentation.
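An added example (not part of the original article) of these checks in a frontend user center AJAX handler; the action name `uc_update_post`, the nonce action and the POST field names are hypothetical. It uses the object-level form of current_user_can and does not gate on is_admin, which describes the request context rather than the user's privileges.

```php
<?php
// Added example. 'uc_update_post', the nonce action and the field names
// ('nonce', 'post_id', 'title') are hypothetical, chosen for illustration.

add_action( 'wp_ajax_uc_update_post', 'uc_update_post' );         // logged-in users
add_action( 'wp_ajax_nopriv_uc_update_post', 'uc_reject_guest' ); // visitors

function uc_reject_guest() {
    wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
}

function uc_update_post() {
    // Do not use is_admin() as a permission gate here: it is true for every
    // admin-ajax.php request and says nothing about who the user is.

    // Defensive: the wp_ajax_ hook only fires for logged-in users, but the
    // function may be reused from another entry point.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // Request-forgery check; separate from, and not a substitute for,
    // the capability check below. Ends the request if the nonce is invalid.
    check_ajax_referer( 'uc_update_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Post not found.' ), 404 );
    }

    // Object-level check: passing the post ID lets WordPress decide based on
    // the post's author and status, not just a general "can edit posts" flag.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    $title  = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $result = wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ), true );

    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => 'Update failed.' ), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
```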
Determine What the Current User Can Do on a Certain Site: current_user_can_for_blog
This function is a multi-site customized version of the current_user_can function. In multi-site mode, it checks if a user has permissions for a specific site, but omits the rarely-used object_id parameter. This function also accepts two parameters: the first is the blog ID, and the second is the capability or role name.
Determine What the Author of an Article Can Do: author_can
This function is similar to user_can. The difference is that the first parameter of this function is a post ID or object rather than a user, which saves us the step of fetching the post’s author. The second parameter remains the role or capability name.
Origin of User Check Functions in WordPress
After seeing so many check functions, some people might complain that WordPress is really troublesome, requiring us to remember so many functions just to check a user’s permissions. In fact, a look at the source code of these functions shows that the user permission check they finally execute is only one method: WP_User::has_cap. These functions are just convenient shortcut helpers created by the WordPress development team for our ease of use.
