I’ve found that the WordPress has_cap()
function, which is relied on by functions like user_can()
and current_user_can
, explicitly returns false for empty capabilities.
Example: If a capability is passed as an argument using current_user_can()
, this function will pass the capability to has_cap()
and return the results:
return call_user_func_array( array( $current_user, 'has_cap' ), $args
has_cap()
will return false if the requested capability does not exist or the value is false:
foreach ( (array) $caps as $cap ) {
if ( empty( $capabilities[ $cap ] ) )
return false;
}
This is because the empty()
function returns true in either case.
A variable is considered empty if it does not exist or if its value
equals FALSE.
Unless I am mistaken about how these functions work, then it appears safe to say that no default capabilities are attributed to a new role unless explicitly set to true. It is not necessary to explicitly deny a capability when creating a new role with add_role()
and I can’t see any reason to do so. If a capability is not listed, the user will not have it.