Want to know parameters that can be passed to user_can() for access control by user capabilities

When using user_can() you pass it the user ID (or object) and the “capability” you want to check:

$user_can = user_can( $user_id, 'edit_posts' );

The list of built in roles, and what capabilities they have, is available here. You can pass any of those to the function to determine if a user has that capability based on their role.

However, that is only the list of built-in capabilities. Plugins are able to add their own capabilities, which means that you can add your own capabilities. So really anything can be passed to user_can(), it just needs to be a capability that users can have. This is why a specific list is not included in the function documentation.

Originally I had misunderstood your question, and assumed you were asking what additional arguments can be passed to user_can(), apart from capabilities (which you just wanted a list of). What I had written in response to that is below.

Any additional arguments are passed through to WP_User::has_cap() as the $options... argument, which is:

(int) (Optional) ID of a specific object to check against if $cap is a
“meta” capability. Meta capabilities such as edit_post and edit_user
are capabilities used by by the map_meta_cap() function to map to
primitive capabilities that a user or role has, such as edit_posts and
edit_others_posts.

These “meta” capabilities are passed to the map_meta_cap() function to determine what actual capabilities are required (“actual” capabilities being being the ones that are assigned to a user or role).

For example, edit_post is a meta capability, and the map_meta_cap() function determines which capability the user requires for edit_post to be true. If they are the author of the post then the required capability is edit_posts. If they are not, then it’s edit_others_posts.

For this to work map_meta_cap needs to know the post ID, which can be passed to user_can():

$user_can = user_can( $user_id, 'edit_post', $post_id );

This can also be used for users:

$user_can = user_can( $user_id, 'promote_user', $user_id );

A partial list of built-in “meta” capabilities is in the documentation for map_meta_cap().

So, this means that user_can() can accept the ID of the object that a capability is being checked against.

So for the built-in capabilities, the only additional argument that you can pass to user_can() is the object ID of the post, comment, user or term that is related to the meta capability that you’re checking.

However, this is not the full story. The truth is that you can pass any additional arguments to user_can() that you want. They won’t do anything for any of the built in capabilities, but they will be available for you if you use the map_meta_cap() filter to add your own meta capabilities.

For example, let’s say I have a custom database table with my own types of content, but I want to use the capabilities system of WordPress. In this example, let’s say I have something called “participants”, and I want to control who has permission to edit them. I can create my own two capabilities, edit_participants and edit_others_participants, and assign them to user roles as appropriate. Now I need to use user_can() to determine if a user can edit a particular participant:

$user_can = user_can( $user_id, 'edit_participant' );

edit_participant is not a capability that I assign to a role. Instead I need to use the map_meta_cap filter to add my logic to determine which is which:

add_filter(
    'map_meta_cap',
    function( $caps, $cap, $user_id, $args ) {
        if ( $cap === 'edit_participant' ) {
            // Your logic here.
        }

        return $caps;
    }
);

Inside the callback for the map_meta_cap I have the array of actual capabilities required, $caps, the meta capability that’s currently being checked, $cap, the $user_id that was passed to user_can(), and then $args. This last argument, $args is an array containing all additional arguments passed to user_can().

For example, if I pass the ID to user_can():

$user_can = user_can( $user_id, 'edit_participant', $participant_id );

Then I can access it like this:

function( $caps, $cap, $user_id, $args ) {
    if ( $cap === 'edit_participant' ) {
        $participant_id = $args[0];

        // Your logic here.
    }

    return $caps;
}

This means that I can pass any number of arguments to user_can() that I need:

$user_can = user_can( $user_id, 'edit_participant', $a, $b, $c );

So that I can use them for the capability mapping:

function( $caps, $cap, $user_id, $args ) {
    if ( $cap === 'edit_participant' ) {
        $a = $args[0];
        $b = $args[1];
        $c = $args[2];

        // Your logic here.
    }

    return $caps;
}

Related Posts:

  1. Is there way to rename user role name without plugin?
  2. How to create a clone role in wordpress
  3. How to add a Capability to a User Role?
  4. How can I get a list of users by their role?
  5. How do I make a draft post accessible to everyone?
  6. Reset default roles and capabilities
  7. add_role() run only once?
  8. What do unfiltered_html and unfiltered_upload actually filter?
  9. Temporary capability for current_user_can()
  10. Allow roles below admin to add subscribers only
  11. Temporarily give ‘manage_options’ capability
  12. Hide specific admin users’ posts
  13. Allow authors to edit only certain users
  14. How to update role capabilities
  15. Do custom user roles have any default capabilities?
  16. How to programmatically add a user to a role?
  17. how to add custom user capabilities using add_user_meta or something else?
  18. Allow user to Publish, but not Edit or Delete
  19. Email notification for editors only
  20. Shold I manually add ‘cap’ to admin role ?
  21. Allow users to publish child pages of the pages they have access to edit
  22. New Roles and Capabilities in WordPress
  23. Why is wp-login redirecting to the home page when I use this function?
  24. Allow contributor to view own scheduled post
  25. How to prevent users with “edit_others_posts” capability from editing admin posts
  26. Author Role – Allow editing of Gallery images
  27. What is the difference between “create_users” and “add_users” capabilities?
  28. How to get all users with Author role capabilities?
  29. How to check if a role has a specific capability
  30. Locking Down WordPress Application Password Permissions / Capabilities
  31. Prevent custom user role to add new pages
  32. Allow user to edit specific user with meta key using map_meta_cap
  33. How to remove sticky post capability for a specific user role?
  34. Let new user role to ‘edit_others_posts’ of other user role, not of its own type
  35. How can I have different groups of editors only allowed to edit certain parent+subpages?
  36. The delete_posts capability?
  37. How to restrict access to specific pages on the back-end?
  38. Capabilites not working [closed]
  39. add_menu_page() for more than one user role
  40. Remove wordpress author’s capability to moderate comments on their own posts
  41. Can you set a role as author?
  42. Prevent Editors from Editing/Deleting Admin Accounts
  43. Where are the WordPress capabilities stored?
  44. Adding Capabilities to a WordPress User Account
  45. Adding an additional role to an Administrator
  46. Custom user roles for access to specific parts of the site
  47. Pending status by default for a specific role
  48. How do I restrict user access to plugins?
  49. My subscriber has the “edit comment” capability but can’t edit comment
  50. Show metabox for a special role
  51. User Role Capabilities for WordPress Gutenberg Blocks
  52. Subscriber (with read permissions) cannot view Private posts
  53. How can I add a custom role capability to use in a custom plugin?
  54. bbPress plugin moderator roles
  55. Allowing user to edit posts based on the post status
  56. Custom capabilities to add, edit, remove users of a particular role only?
  57. Stop users of author role from editing already pending posts
  58. add_role user capability not working
  59. Purpose of Adding Capability to Role But Not Grant?
  60. How can I promote a user to a network administrator?
  61. Reset Roles (or undo role changes on theme change)
  62. How to get a users list by who created them?
  63. Authorize users for specific pages and/or categories
  64. Custom Capabilities for CPT and Problem with current_user_can()
  65. Custom wordpress admin page/url “You do not have sufficient permissions to access this page.”
  66. Hiding custom theme functionality using capabilities
  67. user_can() not working for comment authors
  68. Which capabilities are available in Gravity Forms Salesforce plugin? [closed]
  69. How to write conditions based on user capabilities not on user role?
  70. What Capability is required to let a role RUN code in Edit Theme?
  71. Create sub-administrator role that can do everything except use or see the code editor
  72. Let editors view post in admin but not be able to perform a save/edit
  73. Capabilities don’t add
  74. Require Capability to View Woocommerce Product
  75. User role editor – Add download files capability
  76. Why can my subscribers create new posts for review?
  77. Disabled delete_others_posts if post is from admin
  78. How can I check if a visitor can read a post?
  79. How to query users to count all with a custom capability and limit it to a set of roles?
  80. Adding all custom capabilities to admin
  81. User role and capablities only for 1 plugin
  82. How to give plugin access to specific role(s)
  83. current_user_can( ‘edit_user’ ) does not work
  84. How to restrict subscriber editing other posts but read specific posts in backend
  85. Create role that can edit some user details, but not the role
  86. How can I add capability to multiple roles?
  87. Role and Capabilities: How do I allow user role to access theme options without enabling ‘manage_options’?
  88. Custom Gutenberg Block and unfiltered_html capability
  89. Best practices to handle multilpe roles and capabilities?
  90. Enable plugins for a specific user role
  91. Check what capabilitie(s) an action requires
  92. Why does user_can return false for a capability during plugin deactivation?
  93. Force “submit for review” on update?
  94. Users can only save their draft once before saving for revision
  95. Hide user fields based off capability
  96. Author capabilities: Deleting comments on their own published posts
  97. Need to create admin user without capability to create user
  98. How do I make a draft post accessible to everyone?
  99. Grant access to admin menu?
  100. How might I enable a user to view Draft pages from a different Author, without the ability to edit?