A little look into how WordPress handles user roles

Over the last few days I have been looking into the user roles you can assign people to in Wordpress. WordPress currently has 5 different user levels : Subscriber, Contributor, Author, Editor and Administrator. I have always believed that this user system was sufficient for what most blog owners needed however the more I looked into it the more I realised how limited this user system actually is because by default, you are not able to increase or decrease the capabilities certain user roles have.

If you are the only one who posts on your blog then user roles is not something you have to worry about however if you allow guest posts on your blog or if your blog has multiple authors, this is something which should concern you.

This is how WordPress summarizes each role :

• Administrator - Somebody who has access to all the administration features
• Editor - Somebody who can publish posts, manage posts as well as manage other people’s posts, etc.
• Author - Somebody who can publish and manage their own posts
• Contributor - Somebody who can write and manage their posts but not publish posts
• Subscriber - Somebody who can read comments/comment/receive news letters, etc.

The Capability vs. Role Table below illustrates the capabilities each user role has a little better.

If you look at the table above you should see how the default permission settings for user roles might not suit everyone. For example, by default Contributors cannot upload files however this is something which I would like Contributors to be able to do (ie. so that they can upload pics for their guest post). WordPress splits up these capabilities with 11 user levels. Subscribers are level 0, Contributors are level 1, Authors are levels 2, 3, and 4, Editors are levels 5, 6, and 7 and Administrators are levels 8, 9, and 10. It’s a simple way of determining how much power a user has but it’s not something you really need to know.

HTML filtered for lower users

The biggest problem which I see is that Authors cannot user Unfiltered HTML. I can understand why WordPress have removed this from the Authors capabilities as one unclosed HTML tag can mess up a whole page however filtering HTML can cause a lot of problems too. I encountered one of these problems and it is the reason I looked into this whole issue in the first place.

For one of my blogs a new author was trying to embed a YouTube video in the post. Her profile status was Author and the visual editor was turned off yet whenever she posted the YouTube embed code and clicked save, the code would literally disappear. When she told me about the problem my first thought was that she didn’t know any HTML and had messed up somewhere but after logging in as an Author myself I soon saw that it wasn’t a browser problem, it wasn’t a problem with the editor either, it was a problem with permissions. WordPress was filtering out the embed code to avoid any problems.

This of course created a dilemma. The default way of letting someone post HTML in posts is to upgrade them to Editor however that means giving the writer the ability to edit other peoples posts and pages too and thats not something I want to do. If you are happy with your writers not using HTML but want to give them the option of posting videos then a plugin like EasyTube or Video Bracket Tag should be sufficient. Otherwise, you need to look into giving authors the right to use HTML in their posts.

Thankfully there are a few plugins which give you the power to do what a default installation of WordPress does not : edit user roles. By editing what powers your user roles have you can make sure writers don’t have capabilities they shouldn’t have.

Role Manager Plugin

I installed the Role Manager Plugin yesterday and I have to say I am thoroughly impressed with it. Not only can you change the capabilities each role has, you can create brand new user roles and new capabilities too.

Changing what a user can and cannot do is incredibly easy. All you do is click the capability you want to give or take away from a user. You can also change the user level of a role and set things automatically and you can copy the settings for a given role too (which is useful for creating new user roles). For example, you could copy the Author role and give them unfiltered HTML permissions and call the role ‘Author with HTML’ or something. This would allow you to seperate writers who are familar with HTML from those who are not.

If you have guest posters on your blog then I really think you will benefit from installing the Role Manager Plugin. Hopefully editing user roles will be default in WordPress in the future but until then this plugin should be sufficient.

If you would like to read more on this subject I encourage you to check out the Roles and Capabilities page in the WordPress Codex