I’m writing a custom filter in WordPress today for an internal support board powered by AD and WordPress user roles/capabilities.

The logic in the spec (such as it is) is along the lines of: if the user posting isn’t an admin, find the admin of the user’s group (business support, technical support or integration) and send them an email asking them to publish the article.

It’s taken hardly any time to do this, but when Googling for it before I started, I came across some misinformation from uninformed tossers on WordPress.org who looked at the Codex, saw the is_admin() function and assumed that’ll do the trick.

According to these idiots:

if (is_admin()) {
	echo "Hello administrator";
} else {
	echo "Hello lesser mortal";
}

is the solution to the problem of finding out if the logged in user is an administrator.

No it doesn’t, you cretin. Quoting the WordPress Codex:

is_admin() is not intended to be used for security checks. It will return true whenever the current URL is for a page on the admin side of WordPress. It does not check if the user is logged in, nor if the user even has access to the page being requested. It is a convenience function for plugins and themes to use for various purposes, but it is not suitable for validating secured requests.

And if you don’t understand what that means, it translates as a check to see whether you are on an admin SCREEN!

This is why the internet is full of crap WordPress themes and crap WordPress plugins: people believe shit like this posted on the forums without double-checking first.

If you want to find out if the user is an administrator, try this:

# guess what? this gets the current user (a WP_User; ID 0 if nobody is logged in)
$current_user = wp_get_current_user();
# is 'administrator' in this user's roles?
if (in_array('administrator', (array) $current_user->roles, true)) {
	echo "Hello administrator";
} else {
	echo "Hello lesser mortal";
}
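To show the role check doing the job the spec actually asks for, here is an added example in PHP (my own code, not from the post above). It assumes, hypothetically, that the three support areas are WordPress roles named business_support, technical_support and integration, and that the administrator responsible for an area is an administrator user whose user meta key support_area holds that role name; the function names prefixed sb_ are also invented for the example. Only real WordPress APIs are used (wp_get_current_user, get_users, get_user_by, wp_mail, transition_post_status).

```php
<?php
/*
 * Added example, not the post's own code. Assumptions (hypothetical, not
 * from the post): the three support areas are WordPress roles named
 * 'business_support', 'technical_support' and 'integration', and the admin
 * responsible for an area is an 'administrator' user whose user meta key
 * 'support_area' holds that role name.
 */

// Role-based check: is this user (default: the current user) an administrator?
// Unlike is_admin(), this looks at the user, not at the URL being requested.
function sb_user_is_administrator( $user = null ) {
	if ( null === $user ) {
		$user = wp_get_current_user();
	}
	// wp_get_current_user() returns a WP_User with ID 0 when nobody is logged in.
	if ( ! ( $user instanceof WP_User ) || 0 === $user->ID ) {
		return false;
	}
	return in_array( 'administrator', (array) $user->roles, true );
}

// Which support area does a user belong to? Returns the role name or null.
function sb_support_area_for_user( WP_User $user ) {
	$areas = array( 'business_support', 'technical_support', 'integration' );
	foreach ( $areas as $area ) {
		if ( in_array( $area, (array) $user->roles, true ) ) {
			return $area;
		}
	}
	return null;
}

// Administrators responsible for an area (matched via the 'support_area' meta).
function sb_find_area_admins( $area ) {
	return get_users( array(
		'role'       => 'administrator',
		'meta_key'   => 'support_area',
		'meta_value' => $area,
		'fields'     => array( 'ID', 'user_email', 'display_name' ),
	) );
}

// When a non-admin's article goes to 'pending', email the admin(s) of the
// author's area asking them to review and publish it.
function sb_notify_area_admin_on_submit( $new_status, $old_status, $post ) {
	if ( 'pending' !== $new_status || 'pending' === $old_status ) {
		return; // only act on the transition into pending review
	}
	if ( 'post' !== $post->post_type ) {
		return;
	}

	// Check the post's author, not the "current user": this hook can fire
	// outside an interactive request (cron, REST), where they differ.
	$author = get_user_by( 'id', $post->post_author );
	if ( ! $author || sb_user_is_administrator( $author ) ) {
		return; // admins can publish themselves; nothing to notify
	}

	$area = sb_support_area_for_user( $author );
	if ( null === $area ) {
		error_log( sprintf( 'sb: author %d has no support area role', $author->ID ) );
		return;
	}

	$admins = sb_find_area_admins( $area );
	if ( empty( $admins ) ) {
		error_log( sprintf( 'sb: no administrator assigned to area %s', $area ) );
		return;
	}

	$subject = sprintf( '[Support board] Article awaiting publication: %s',
		wp_strip_all_tags( get_the_title( $post ) ) );
	$message = sprintf(
		"%s (%s) has submitted an article for the %s area.\n\nReview and publish it here:\n%s\n",
		$author->display_name,
		$author->user_email,
		$area,
		get_edit_post_link( $post->ID, '' )
	);

	foreach ( $admins as $admin ) {
		wp_mail( $admin->user_email, $subject, $message );
	}
}
add_action( 'transition_post_status', 'sb_notify_area_admin_on_submit', 10, 3 );
```

Drop this in a plugin or the theme's functions.php. Two design points: the decision is made on the post author, because by the time transition_post_status runs the "current user" may be nobody at all; and if you would rather gate on what a user may do than on a role name, user_can( $user, 'manage_options' ) (or current_user_can() for the logged-in user) is the capability-based check WordPress itself recommends, which keeps working when a site defines custom roles that carry admin capabilities.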


By mh
