Indeed, from your question it is not entirely clear what you are trying to achieve. However, WordPress gives you the option to create custom roles and capabilities.
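If you follow that native WordPress path, the role and capability handling itself should not be a security concern. What remains is to grant each role only the capabilities it needs and to check them with current_user_can() in your own code.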
- check if the role exists
- If (and only if) it does not, add the role and capabilities
- Make sure to pass the capabilities to the admin as well
One
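/**
 * Tell whether a role slug is registered with WordPress.
 *
 * @param string $role Role slug to look up.
 * @return bool Result of is_role() on the global roles object; false for an
 *              empty slug or when the global roles object is not set.
 */
function role_exists( $role ) {
    // An empty slug cannot name a role, and the lookup below needs the global roles object.
    if ( empty( $role ) || ! isset( $GLOBALS['wp_roles'] ) ) {
        return false;
    }

    // Plain ASCII quotes around the key: typographic quotes are not string delimiters in PHP.
    return $GLOBALS['wp_roles']->is_role( $role );
}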
Two
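// Create the custom role once. add_role() persists the role in the database, so
// editing the capability list below later does not change a role that already exists.
if ( ! role_exists( 'customRole' ) ) {
    add_role(
        'customRole', // Same slug the existence checks use; a different slug here would never satisfy them.
        __( 'DisplayName' ),
        array(
            'read'              => true,  // Allows a user to read.
            // NOTE(review): 'create_posts' does not look like a capability core grants to its
            // default roles — confirm something actually checks it.
            'create_posts'      => false, // Allows user to create new posts.
            'edit_posts'        => false, // Allows user to edit their own posts.
            'edit_others_posts' => false, // Allows user to edit others' posts too.
            'publish_posts'     => false, // Allows the user to publish posts.
            'manage_categories' => false, // Allows user to manage post categories.
            // NOTE(review): same question for 'create_pages' — confirm it is enforced somewhere.
            'create_pages'      => true,
            'edit_pages'        => true,  // Allows user to edit their own pages.
            // Lets the role change pages written by other users; keep it only if the role needs it.
            'edit_others_pages' => true,
            // Custom capability: it has an effect only where code checks this exact key.
            'custom_capibility' => true,
        )
    );
}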
Three
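// Give administrators the custom capability as well, once the custom role exists.
if ( role_exists( 'customRole' ) ) {
    $administrator = get_role( 'administrator' );

    // get_role() returns null for an unknown role; guard before calling add_cap().
    if ( null !== $administrator ) {
        // Use the exact key from the capability array passed to add_role();
        // a differently spelled key would create a second, unrelated capability.
        $administrator->add_cap( 'custom_capibility' );
    }
}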