Check if user is an admin by username or email only


Problem description

I am creating an admin section from scratch. The users for this should be users from a WordPress site where they have administrator privileges. So I am currently authenticating the users using

if ( ! user_pass_ok( $user, $pass ) ) {
    //login fail
} else {
    //successful login
}

But I also want to know if the user is an administrator. What I came across by looking online is they use the current_user_can( 'administrator' ). But in my case, the user has not yet logged in. All I have to check if the user is an admin, is the username/email address the user enters for login. How can I check if this user is an admin by only the username/email?

Solution

As I noted in a comment, user_pass_ok( $user, $pass ) is deprecated in favor of wp_authenticate.

Additionally, WordPress has an amazing Capabilities API that goes far beyond Roles. I would strongly recommend reading up on it.

For a brief example, if I wanted to grant a user access to manage WordPress options (a capability called manage_options that is inherited from the Administrator role), all I have to do is say current_user_can('manage_options') or use the WP_User->has_cap(...) function.

Matching based on capabilities is usually much more flexible than matching on a Role... for example imagine my site had a second role called "Developers". If you gated access based on roles, and you wanted to give users in the developer role access to your feature, you would need to add a second check whenever you need to verify a user's permissions: ($role == 'administrator' || $role == 'developer')

So, if you have a user logged in already then you can always verify their capabilities with:

current_user_can( 'manage_options' ) // all admins have 'manage_options'

or define your own custom cap, give it to all administrators:

function add_custom_admin_caps() {
    $role = get_role( 'administrator' );

    // get_role() returns null when the role does not exist.
    if ( $role ) {
        $role->add_cap( 'access_my_admin_zone' );
    }
}
add_action( 'admin_init', 'add_custom_admin_caps' );

and check the custom cap against the current user

current_user_can( 'access_my_admin_zone' )

The added benefit to capabilities is that WordPress will automatically check the current user's permissions when rendering the WP Admin menu if you register your admin section with one of the add_*_page functions (add_menu_page()) and a capability like 'manage_options'

add_menu_page ( $title, $menu_title, $capability, $menu_slug, $function, $icon_url, $position)

Lastly, it was a bit unclear as to whether you were logging in users yourself, if so I would propose this alternative if you are logging in the user from scratch (i.e. not using WordPress's login form):

$user = wp_authenticate( $user, $pass );

if ( is_a( $user, 'WP_User' ) && $user->has_cap( 'manage_options' ) ) {
   // success
} else {
   // fail
}

You will also need to call current_user_can( 'manage_options' ) during every page load of your custom admin to verify that the user is logged in and has permissions, if that fails, then direct them to your custom login page... or possibly, the WordPress login page with auth_redirect().
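
The last two steps of the answer (authenticate, then re-check the capability on every page load) put together as an added example that is not the answerer's code. It assumes WordPress is already loaded, for instance from a plugin file; my_admin_login(), my_admin_guard() and MY_ADMIN_CAP are hypothetical names.

```php
<?php
// Added example; assumes WordPress core is loaded before this file runs.
// MY_ADMIN_CAP, my_admin_login() and my_admin_guard() are hypothetical names.

const MY_ADMIN_CAP = 'manage_options'; // capability used in the answer above

/**
 * Handle a custom login form submission.
 *
 * Returns true only when the credentials are valid AND the account holds the
 * capability. Unknown user, wrong password and "valid user without the
 * capability" all return the same false, so the form never tells an
 * unauthenticated visitor which usernames or emails belong to admins.
 */
function my_admin_login( $login, $password ) {
    // wp_authenticate() takes a username or an email address and returns
    // a WP_User on success or a WP_Error on failure.
    $user = wp_authenticate( $login, $password );

    if ( is_wp_error( $user ) || ! user_can( $user, MY_ADMIN_CAP ) ) {
        return false;
    }

    // Create the session only after both checks have passed.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );

    return true;
}

/**
 * Call at the top of every page of the custom admin section.
 * The capability is re-checked on each request, so a user whose
 * capability is revoked loses access on the next page load.
 */
function my_admin_guard() {
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // sends the visitor to the WordPress login page and exits
    }

    if ( ! current_user_can( MY_ADMIN_CAP ) ) {
        wp_die(
            'You are not allowed to access this page.',
            '',
            array( 'response' => 403 )
        );
    }
}
```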
