I have run into this problem where the following piece of code always returns true for any post ID supplied to it.
current_user_can('delete_posts', $post_id);
Normally, the above code should return false when the user is not the author of the post or does not have the capability to delete others post. However, it still returns true for any post ID.
The user has been assigned a custom role, as defined below.
$standard_role_capabilities = array ('read' => true,
'delete_posts' => true,
'edit_posts' => true,
'delete_published_posts' => true,
'publish_posts' => true,
'edit_published_posts' => true,
'comment' => true
);
add_role('standard', 'Standard', $standard_role_capabilities);
Any reasons for this not working?
3 Answers
After hours of fighting to get this to work, it was just a matter of changing delete_posts to delete_post.
So, in it’s entirety this would be:
current_user_can('delete_posts', $post_id);
to
current_user_can('delete_post', $post_id);
current_user_can does accept a second parameter. Though it’s weird that the function declaration in capabilities.php does not define a second parameter as pointed out by @amit. May be someone can clarify why it is so.
