Do I need to check if User has required capability?

  • Resolved Val

    (@vlbooth)


    #newbie #firstplugin #forgivemeplease

    The plugin I am (trying) writing inserts custom text into the footer of twentyeleven.

    My first question is, do I need to check if a User has the required capability since add_submenu_page takes manage_options as a parameter?

    // Add this plugin to the Admin Navigation Menu ( register the function )
    add_action('admin_menu', 'register_my_plugin_submenu_page');

    // Create a function that contains the admin menu-building code
    // This adds the plugin to the Admin Navigation Menu
    function register_my_plugin_submenu_page() {
        // Create Plugins submenu item
        add_submenu_page(
            'plugins.php',
            'TnT Custom Text Configuration',
            'TnT Custom Text',
            'manage_options',
            'tnt-custom-text',
            'create_the_admin_html_output'
        );
    }

    And if I do need to check User Capability, is this the “best” way to do it?

    // Create the function that displays the HTML for the plugin submenu in the Admin panel
    function create_the_admin_html_output() {

        // must check that the user has the required capability
        if (!current_user_can('manage_options'))
        {
            wp_die( __('You do not have sufficient permissions to access this page.') );
        }
        // ...
    }

    Thank you for any help!

    [No bumping, thank you.]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    You still need to verify capability; your function has to be responsible for its own security. The sub menu function uses capability only to determine if it should display your menu. Even if there is no way to run your function without the menu displayed, it’s just good security practice.

    If your capability check killing the process does what you need, then it’s the best way. If you need to continue the process for some reason, it’s a terrible way.

    Thread Starter Val

    (@vlbooth)

    Thank you! That was the direction I needed to take the next step.
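
An added example, not part of the original thread or the poster's plugin: the render callback from the question alongside a save handler, each doing its own capability check as the moderator's reply recommends. The option name `tnt_custom_text`, the action name `tnt_save_custom_text` and the handler function are hypothetical.

```php
<?php
// Added example. Hypothetical names: the 'tnt_custom_text' option, the
// 'tnt_save_custom_text' action and the tnt_save_custom_text() handler.

// Render callback passed to add_submenu_page(), as in the question.
function create_the_admin_html_output() {
    // Check here as well; do not rely on the menu registration alone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have sufficient permissions to access this page.' ) );
    }
    $text = get_option( 'tnt_custom_text', '' );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html( get_admin_page_title() ); ?></h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="tnt_save_custom_text">
            <?php wp_nonce_field( 'tnt_save_custom_text' ); ?>
            <input type="text" name="tnt_custom_text" value="<?php echo esc_attr( $text ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

// Save handler. admin-post.php fires this hook for any logged-in user who
// submits action=tnt_save_custom_text, whether or not the menu item is
// displayed to them, so the handler enforces the capability itself.
add_action( 'admin_post_tnt_save_custom_text', 'tnt_save_custom_text' );
function tnt_save_custom_text() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You do not have sufficient permissions to access this page.' ),
            '',
            array( 'response' => 403 )
        );
    }
    // Dies if the nonce printed by wp_nonce_field() is missing or invalid.
    check_admin_referer( 'tnt_save_custom_text' );
    $text = isset( $_POST['tnt_custom_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['tnt_custom_text'] ) )
        : '';
    update_option( 'tnt_custom_text', $text );
    wp_safe_redirect( admin_url( 'plugins.php?page=tnt-custom-text' ) );
    exit;
}
```
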

  • The topic ‘Do I need to check if User has required capability?’ is closed to new replies.