Storing User Roles and Capabilities in WordPress Multisite
In a WordPress Multisite network, user permissions and roles are stored in the `wp_usermeta` table using specific meta keys[1]:
- `wp_capabilities`: Stores an array of capabilities granted to the user, such as "edit_posts", "delete_posts", etc.
- `wp_user_level`: Stores the user's level of access, ranging from 0 (subscriber) to 10 (super admin).
- `wp_{$site_id}_capabilities`: Stores the user's capabilities for a specific site in the network, where `{$site_id}` is replaced with the site's ID.
- `wp_{$site_id}_user_level`: Stores the user's level of access for a specific site in the network.
Managing User Roles and Permissions
WordPress Multisite comes with several default user roles[4]:
- Super Admin: Has control over the entire network, including site creation and user management.
- Administrator: Has control over a specific site but can't manage the network itself.
- Editor: Can publish and manage posts and pages but can't change site settings.
- Author: Can write and publish their own posts but can't manage other users or settings.
- Contributor: Can write and edit their own posts but can't publish them.
- Subscriber: Can only view content and manage their profiles.
To customize user roles and permissions, you can[2][4]:
- Add new user roles using the `add_role()` function.
- Modify existing user roles using the `add_cap()` and `remove_cap()` functions.
- Define custom capabilities for specific plugins or themes.
Restricting Access to Specific Sites
In a WordPress Multisite network, you might want to restrict certain users to specific sites within the network. You can achieve this by checking the user's capabilities and site ID[2]:
php
function restrict_access_to_site($allowed, $cap, $args, $user) {
// Check if the user has the 'manage_events' capability
if (user_can($user->ID, 'manage_events')) {
// Allow access if the user has the required capability
return true;
}
// Check if the user is a super admin
if (is_super_admin($user->ID)) {
// Allow access for super admins
return true;
}
// Check if the user is on the specific site
if ($user->blogs[$blog_id]->userblog_id == get_current_blog_id()) {
// Allow access if the user is on the specific site
return true;
}
// Deny access by default
return false;
}
// Hook the function to an appropriate action or event
add_filter('user_has_cap', 'restrict_access_to_site', 10, 4);
In this example, we define a custom capability called "manage_events" and assign it to specific user roles. The `restrict_access_to_site()` function checks if the user has the required capability, is a super admin, or is on the specific site. If none of these conditions are met, access is denied.
Conclusion
WordPress Multisite provides a powerful way to manage multiple sites from a single installation, including user management and access control. By understanding how user roles and capabilities are stored, customizing permissions, and implementing advanced access control mechanisms, you can ensure that your Multisite network is secure and tailored to your specific needs.
Citations:[1] https://www.boiseweb.net/articles/understanding-how-wordpress-multisite-stores-user-permissions-and-roles/
[2] https://clouddevs.com/wordpress/managing-user-permissions/
[3] https://docs.wpvip.com/manage-user-access/wordpress/
[4] https://fixmywp.com/multisite/user-management-and-permissions-on-a-multisite-network.php
[5] https://wpengine.com/resources/wordpress-multisite-user-management/