current_user_can() 'administrator' vs 'manage_options'

[apermo]

Hey Alex,

https://github.com/akirk/friends/blob/a36317d1893b36434e299bb956803dbb5a5c744a/includes/class-friends.php#L670

I wonder why you chose to use current_user_can( 'administrator' ), this will only work if the user role is named administrator. In case you create custom roles or rename the given ones, the function will no longer return true. Without testing it, I expect it to already fail for the super_administrator role in a network.

If you have a very specific reason for testing for 'administrator' I propose to add a filter, to be able to customize the capability.

Or replace 'administrator' with 'manage_options'.

I'll be happy to provide a PR, if you just give me your preferred solution.

For reference:

The role name capabilities are set in these two function with the following line.

• https://developer.wordpress.org/reference/classes/wp_user/set_role/
• https://developer.wordpress.org/reference/classes/wp_user/add_role/
• $this->caps[ $role ] = true;

[akirk]

Actually, more generally, I use edit_private_posts as the required role: https://github.com/akirk/friends/blob/main/includes/class-friends.php#L25

This particular function has_required_privileges() is used in several places where it is about someone that you dedicate as the main user. This is derived from the idea that currently it is somewhat assumed that one person uses the blog (although this might change at some point, see #285) and you can select that user in the friend settings. The Administrator here is just a fallback that I am not sure is actually ever reached.

The main user is selected out of all users who have the edit_private_posts permission only if it has not been selected:

All that said, happy to change this to use manage_options if you'd like to submit a pull request!