1<?php
  2/**
  3 * Core User Role & Capabilities API
  4 *
  5 * @package WordPress
  6 * @subpackage Users
  7 */
  8
  9/**
 10 * Maps a capability to the primitive capabilities required of the given user to
 11 * satisfy the capability being checked.
 12 *
 13 * This function also accepts an ID of an object to map against if the capability is a meta capability. Meta
 14 * capabilities such as `edit_post` and `edit_user` are capabilities used by this function to map to primitive
 15 * capabilities that a user or role requires, such as `edit_posts` and `edit_others_posts`.
 16 *
 17 * Example usage:
 18 *
 19 *     map_meta_cap( 'edit_posts', $user->ID );
 20 *     map_meta_cap( 'edit_post', $user->ID, $post->ID );
 21 *     map_meta_cap( 'edit_post_meta', $user->ID, $post->ID, $meta_key );
 22 *
 23 * This function does not check whether the user has the required capabilities,
 24 * it just returns what the required capabilities are.
 25 *
 26 * @since 2.0.0
 27 * @since 4.9.6 Added the `export_others_personal_data`, `erase_others_personal_data`,
 28 *              and `manage_privacy_options` capabilities.
 29 * @since 5.1.0 Added the `update_php` capability.
 30 * @since 5.2.0 Added the `resume_plugin` and `resume_theme` capabilities.
 31 * @since 5.3.0 Formalized the existing and already documented `...$args` parameter
 32 *              by adding it to the function signature.
 33 * @since 5.7.0 Added the `create_app_password`, `list_app_passwords`, `read_app_password`,
 34 *              `edit_app_password`, `delete_app_passwords`, `delete_app_password`,
 35 *              and `update_https` capabilities.
 36 * @since 6.7.0 Added the `edit_block_binding` capability.
 37 *
 38 * @global array $post_type_meta_caps Used to get post type meta capabilities.
 39 *
 40 * @param string $cap     Capability being checked.
 41 * @param int    $user_id User ID.
 42 * @param mixed  ...$args Optional further parameters, typically starting with an object ID.
 43 * @return string[] Primitive capabilities required of the user.
 44 */
 45function map_meta_cap( $cap, $user_id, ...$args ) {
 46	$caps = array();
 47
 48	switch ( $cap ) {
 49		case 'remove_user':
 50			// In multisite the user must be a super admin to remove themselves.
 51			if ( isset( $args[0] ) && $user_id === (int) $args[0] && ! is_super_admin( $user_id ) ) {
 52				$caps[] = 'do_not_allow';
 53			} else {
 54				$caps[] = 'remove_users';
 55			}
 56			break;
 57		case 'promote_user':
 58		case 'add_users':
 59			$caps[] = 'promote_users';
 60			break;
 61		case 'edit_user':
 62		case 'edit_users':
 63			// Non-existent users can't edit users, not even themselves.
 64			if ( $user_id < 1 ) {
 65				$caps[] = 'do_not_allow';
 66				break;
 67			}
 68
 69			// Allow user to edit themselves.
 70			if ( 'edit_user' === $cap && isset( $args[0] ) && $user_id === (int) $args[0] ) {
 71				break;
 72			}
 73
 74			// In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin.
 75			if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) {
 76				$caps[] = 'do_not_allow';
 77			} else {
 78				$caps[] = 'edit_users'; // edit_user maps to edit_users.
 79			}
 80			break;
 81		case 'delete_post':
 82		case 'delete_page':
 83			if ( ! isset( $args[0] ) ) {
 84				if ( 'delete_post' === $cap ) {
 85					/* translators: %s: Capability name. */
 86					$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );
 87				} else {
 88					/* translators: %s: Capability name. */
 89					$message = __( 'When checking for the %s capability, you must always check it against a specific page.' );
 90				}
 91
 92				_doing_it_wrong(
 93					__FUNCTION__,
 94					sprintf( $message, '<code>' . $cap . '</code>' ),
 95					'6.1.0'
 96				);
 97
 98				$caps[] = 'do_not_allow';
 99				break;
100			}
101
102			$post = get_post( $args[0] );
103			if ( ! $post ) {
104				$caps[] = 'do_not_allow';
105				break;
106			}
107
108			if ( 'revision' === $post->post_type ) {
109				$caps[] = 'do_not_allow';
110				break;
111			}
112
113			if ( (int) get_option( 'page_for_posts' ) === $post->ID
114				|| (int) get_option( 'page_on_front' ) === $post->ID
115			) {
116				$caps[] = 'manage_options';
117				break;
118			}
119
120			$post_type = get_post_type_object( $post->post_type );
121			if ( ! $post_type ) {
122				/* translators: 1: Post type, 2: Capability name. */
123				$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );
124
125				_doing_it_wrong(
126					__FUNCTION__,
127					sprintf(
128						$message,
129						'<code>' . $post->post_type . '</code>',
130						'<code>' . $cap . '</code>'
131					),
132					'4.4.0'
133				);
134
135				$caps[] = 'edit_others_posts';
136				break;
137			}
138
139			if ( ! $post_type->map_meta_cap ) {
140				$caps[] = $post_type->cap->$cap;
141				// Prior to 3.1 we would re-call map_meta_cap here.
142				if ( 'delete_post' === $cap ) {
143					$cap = $post_type->cap->$cap;
144				}
145				break;
146			}
147
148			// If the post author is set and the user is the author...
149			if ( $post->post_author && $user_id === (int) $post->post_author ) {
150				// If the post is published or scheduled...
151				if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
152					$caps[] = $post_type->cap->delete_published_posts;
153				} elseif ( 'trash' === $post->post_status ) {
154					$status = get_post_meta( $post->ID, '_wp_trash_meta_status', true );
155					if ( in_array( $status, array( 'publish', 'future' ), true ) ) {
156						$caps[] = $post_type->cap->delete_published_posts;
157					} else {
158						$caps[] = $post_type->cap->delete_posts;
159					}
160				} else {
161					// If the post is draft...
162					$caps[] = $post_type->cap->delete_posts;
163				}
164			} else {
165				// The user is trying to edit someone else's post.
166				$caps[] = $post_type->cap->delete_others_posts;
167				// The post is published or scheduled, extra cap required.
168				if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
169					$caps[] = $post_type->cap->delete_published_posts;
170				} elseif ( 'private' === $post->post_status ) {
171					$caps[] = $post_type->cap->delete_private_posts;
172				}
173			}
174
175			/*
176			 * Setting the privacy policy page requires `manage_privacy_options`,
177			 * so deleting it should require that too.
178			 */
179			if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
180				$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
181			}
182
183			break;
184		/*
185		 * edit_post breaks down to edit_posts, edit_published_posts, or
186		 * edit_others_posts.
187		 */
188		case 'edit_post':
189		case 'edit_page':
190			if ( ! isset( $args[0] ) ) {
191				if ( 'edit_post' === $cap ) {
192					/* translators: %s: Capability name. */
193					$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );
194				} else {
195					/* translators: %s: Capability name. */
196					$message = __( 'When checking for the %s capability, you must always check it against a specific page.' );
197				}
198
199				_doing_it_wrong(
200					__FUNCTION__,
201					sprintf( $message, '<code>' . $cap . '</code>' ),
202					'6.1.0'
203				);
204
205				$caps[] = 'do_not_allow';
206				break;
207			}
208
209			$post = get_post( $args[0] );
210			if ( ! $post ) {
211				$caps[] = 'do_not_allow';
212				break;
213			}
214
215			if ( 'revision' === $post->post_type ) {
216				$post = get_post( $post->post_parent );
217				if ( ! $post ) {
218					$caps[] = 'do_not_allow';
219					break;
220				}
221			}
222
223			$post_type = get_post_type_object( $post->post_type );
224			if ( ! $post_type ) {
225				/* translators: 1: Post type, 2: Capability name. */
226				$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );
227
228				_doing_it_wrong(
229					__FUNCTION__,
230					sprintf(
231						$message,
232						'<code>' . $post->post_type . '</code>',
233						'<code>' . $cap . '</code>'
234					),
235					'4.4.0'
236				);
237
238				$caps[] = 'edit_others_posts';
239				break;
240			}
241
242			if ( ! $post_type->map_meta_cap ) {
243				$caps[] = $post_type->cap->$cap;
244				// Prior to 3.1 we would re-call map_meta_cap here.
245				if ( 'edit_post' === $cap ) {
246					$cap = $post_type->cap->$cap;
247				}
248				break;
249			}
250
251			// If the post author is set and the user is the author...
252			if ( $post->post_author && $user_id === (int) $post->post_author ) {
253				// If the post is published or scheduled...
254				if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
255					$caps[] = $post_type->cap->edit_published_posts;
256				} elseif ( 'trash' === $post->post_status ) {
257					$status = get_post_meta( $post->ID, '_wp_trash_meta_status', true );
258					if ( in_array( $status, array( 'publish', 'future' ), true ) ) {
259						$caps[] = $post_type->cap->edit_published_posts;
260					} else {
261						$caps[] = $post_type->cap->edit_posts;
262					}
263				} else {
264					// If the post is draft...
265					$caps[] = $post_type->cap->edit_posts;
266				}
267			} else {
268				// The user is trying to edit someone else's post.
269				$caps[] = $post_type->cap->edit_others_posts;
270				// The post is published or scheduled, extra cap required.
271				if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
272					$caps[] = $post_type->cap->edit_published_posts;
273				} elseif ( 'private' === $post->post_status ) {
274					$caps[] = $post_type->cap->edit_private_posts;
275				}
276			}
277
278			/*
279			 * Setting the privacy policy page requires `manage_privacy_options`,
280			 * so editing it should require that too.
281			 */
282			if ( (int) get_option( 'wp_page_for_privacy_policy' ) === $post->ID ) {
283				$caps = array_merge( $caps, map_meta_cap( 'manage_privacy_options', $user_id ) );
284			}
285
286			break;
287		case 'read_post':
288		case 'read_page':
289			if ( ! isset( $args[0] ) ) {
290				if ( 'read_post' === $cap ) {
291					/* translators: %s: Capability name. */
292					$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );
293				} else {
294					/* translators: %s: Capability name. */
295					$message = __( 'When checking for the %s capability, you must always check it against a specific page.' );
296				}
297
298				_doing_it_wrong(
299					__FUNCTION__,
300					sprintf( $message, '<code>' . $cap . '</code>' ),
301					'6.1.0'
302				);
303
304				$caps[] = 'do_not_allow';
305				break;
306			}
307
308			$post = get_post( $args[0] );
309			if ( ! $post ) {
310				$caps[] = 'do_not_allow';
311				break;
312			}
313
314			if ( 'revision' === $post->post_type ) {
315				$post = get_post( $post->post_parent );
316				if ( ! $post ) {
317					$caps[] = 'do_not_allow';
318					break;
319				}
320			}
321
322			$post_type = get_post_type_object( $post->post_type );
323			if ( ! $post_type ) {
324				/* translators: 1: Post type, 2: Capability name. */
325				$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );
326
327				_doing_it_wrong(
328					__FUNCTION__,
329					sprintf(
330						$message,
331						'<code>' . $post->post_type . '</code>',
332						'<code>' . $cap . '</code>'
333					),
334					'4.4.0'
335				);
336
337				$caps[] = 'edit_others_posts';
338				break;
339			}
340
341			if ( ! $post_type->map_meta_cap ) {
342				$caps[] = $post_type->cap->$cap;
343				// Prior to 3.1 we would re-call map_meta_cap here.
344				if ( 'read_post' === $cap ) {
345					$cap = $post_type->cap->$cap;
346				}
347				break;
348			}
349
350			$status_obj = get_post_status_object( get_post_status( $post ) );
351			if ( ! $status_obj ) {
352				/* translators: 1: Post status, 2: Capability name. */
353				$message = __( 'The post status %1$s is not registered, so it may not be reliable to check the capability %2$s against a post with that status.' );
354
355				_doing_it_wrong(
356					__FUNCTION__,
357					sprintf(
358						$message,
359						'<code>' . get_post_status( $post ) . '</code>',
360						'<code>' . $cap . '</code>'
361					),
362					'5.4.0'
363				);
364
365				$caps[] = 'edit_others_posts';
366				break;
367			}
368
369			if ( $status_obj->public ) {
370				$caps[] = $post_type->cap->read;
371				break;
372			}
373
374			if ( $post->post_author && $user_id === (int) $post->post_author ) {
375				$caps[] = $post_type->cap->read;
376			} elseif ( $status_obj->private ) {
377				$caps[] = $post_type->cap->read_private_posts;
378			} else {
379				$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
380			}
381			break;
382		case 'publish_post':
383			if ( ! isset( $args[0] ) ) {
384				/* translators: %s: Capability name. */
385				$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );
386
387				_doing_it_wrong(
388					__FUNCTION__,
389					sprintf( $message, '<code>' . $cap . '</code>' ),
390					'6.1.0'
391				);
392
393				$caps[] = 'do_not_allow';
394				break;
395			}
396
397			$post = get_post( $args[0] );
398			if ( ! $post ) {
399				$caps[] = 'do_not_allow';
400				break;
401			}
402
403			$post_type = get_post_type_object( $post->post_type );
404			if ( ! $post_type ) {
405				/* translators: 1: Post type, 2: Capability name. */
406				$message = __( 'The post type %1$s is not registered, so it may not be reliable to check the capability %2$s against a post of that type.' );
407
408				_doing_it_wrong(
409					__FUNCTION__,
410					sprintf(
411						$message,
412						'<code>' . $post->post_type . '</code>',
413						'<code>' . $cap . '</code>'
414					),
415					'4.4.0'
416				);
417
418				$caps[] = 'edit_others_posts';
419				break;
420			}
421
422			$caps[] = $post_type->cap->publish_posts;
423			break;
424		case 'edit_post_meta':
425		case 'delete_post_meta':
426		case 'add_post_meta':
427		case 'edit_comment_meta':
428		case 'delete_comment_meta':
429		case 'add_comment_meta':
430		case 'edit_term_meta':
431		case 'delete_term_meta':
432		case 'add_term_meta':
433		case 'edit_user_meta':
434		case 'delete_user_meta':
435		case 'add_user_meta':
436			$object_type = explode( '_', $cap )[1];
437
438			if ( ! isset( $args[0] ) ) {
439				if ( 'post' === $object_type ) {
440					/* translators: %s: Capability name. */
441					$message = __( 'When checking for the %s capability, you must always check it against a specific post.' );
442				} elseif ( 'comment' === $object_type ) {
443					/* translators: %s: Capability name. */
444					$message = __( 'When checking for the %s capability, you must always check it against a specific comment.' );
445				} elseif ( 'term' === $object_type ) {
446					/* translators: %s: Capability name. */
447					$message = __( 'When checking for the %s capability, you must always check it against a specific term.' );
448				} else {
449					/* translators: %s: Capability name. */
450					$message = __( 'When checking for the %s capability, you must always check it against a specific user.' );
451				}
452
453				_doing_it_wrong(
454					__FUNCTION__,
455					sprintf( $message, '<code>' . $cap . '</code>' ),
456					'6.1.0'
457				);
458
459				$caps[] = 'do_not_allow';
460				break;
461			}
462
463			$object_id = (int) $args[0];
464
465			$object_subtype = get_object_subtype( $object_type, $object_id );
466
467			if ( empty( $object_subtype ) ) {
468				$caps[] = 'do_not_allow';
469				break;
470			}
471
472			$caps = map_meta_cap( "edit_{$object_type}", $user_id, $object_id );
473
474			$meta_key = isset( $args[1] ) ? $args[1] : false;
475
476			if ( $meta_key ) {
477				$allowed = ! is_protected_meta( $meta_key, $object_type );
478
479				if ( has_filter( "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}" ) ) {
480
481					/**
482					 * Filters whether the user is allowed to edit a specific meta key of a specific object type and subtype.
483					 *
484					 * The dynamic portions of the hook name, `$object_type`, `$meta_key`,
485					 * and `$object_subtype`, refer to the metadata object type (comment, post, term or user),
486					 * the meta key value, and the object subtype respectively.
487					 *
488					 * @since 4.9.8
489					 *
490					 * @param bool     $allowed   Whether the user can add the object meta. Default false.
491					 * @param string   $meta_key  The meta key.
492					 * @param int      $object_id Object ID.
493					 * @param int      $user_id   User ID.
494					 * @param string   $cap       Capability name.
495					 * @param string[] $caps      Array of the user's capabilities.
496					 */
497					$allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
498				} else {
499
500					/**
501					 * Filters whether the user is allowed to edit a specific meta key of a specific object type.
502					 *
503					 * Return true to have the mapped meta caps from `edit_{$object_type}` apply.
504					 *
505					 * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered.
506					 * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap().
507					 *
508					 * @since 3.3.0 As `auth_post_meta_{$meta_key}`.
509					 * @since 4.6.0
510					 *
511					 * @param bool     $allowed   Whether the user can add the object meta. Default false.
512					 * @param string   $meta_key  The meta key.
513					 * @param int      $object_id Object ID.
514					 * @param int      $user_id   User ID.
515					 * @param string   $cap       Capability name.
516					 * @param string[] $caps      Array of the user's capabilities.
517					 */
518					$allowed = apply_filters( "auth_{$object_type}_meta_{$meta_key}", $allowed, $meta_key, $object_id, $user_id, $cap, $caps );
519				}
520
521				/**
522				 * Filters whether the user is allowed to edit meta for specific object types/subtypes.
523				 *
524				 * Return true to have the mapped meta caps from `edit_{$object_type}` apply.
525				 *
526				 * The dynamic portion of the hook name, `$object_type` refers to the object type being filtered.
527				 * The dynamic portion of the hook name, `$object_subtype` refers to the object subtype being filtered.
528				 * The dynamic portion of the hook name, `$meta_key`, refers to the meta key passed to map_meta_cap().
529				 *
530				 * @since 4.6.0 As `auth_post_{$post_type}_meta_{$meta_key}`.
531				 * @since 4.7.0 Renamed from `auth_post_{$post_type}_meta_{$meta_key}` to
532				 *              `auth_{$object_type}_{$object_subtype}_meta_{$meta_key}`.
533				 * @deprecated 4.9.8 Use {@see 'auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}'} instead.
534				 *
535				 * @param bool     $allowed   Whether the user can add the object meta. Default false.
536				 * @param string   $meta_key  The meta key.
537				 * @param int      $object_id Object ID.
538				 * @param int      $user_id   User ID.
539				 * @param string   $cap       Capability name.
540				 * @param string[] $caps      Array of the user's capabilities.
541				 */
542				$allowed = apply_filters_deprecated(
543					"auth_{$object_type}_{$object_subtype}_meta_{$meta_key}",
544					array( $allowed, $meta_key, $object_id, $user_id, $cap, $caps ),
545					'4.9.8',
546					"auth_{$object_type}_meta_{$meta_key}_for_{$object_subtype}"
547				);
548
549				if ( ! $allowed ) {
550					$caps[] = $cap;
551				}
552			}
553			break;
554		case 'edit_comment':
555			if ( ! isset( $args[0] ) ) {
556				/* translators: %s: Capability name. */
557				$message = __( 'When checking for the %s capability, you must always check it against a specific comment.' );
558
559				_doing_it_wrong(
560					__FUNCTION__,
561					sprintf( $message, '<code>' . $cap . '</code>' ),
562					'6.1.0'
563				);
564
565				$caps[] = 'do_not_allow';
566				break;
567			}
568
569			$comment = get_comment( $args[0] );
570			if ( ! $comment ) {
571				$caps[] = 'do_not_allow';
572				break;
573			}
574
575			$post = get_post( $comment->comment_post_ID );
576
577			/*
578			 * If the post doesn't exist, we have an orphaned comment.
579			 * Fall back to the edit_posts capability, instead.
580			 */
581			if ( $post ) {
582				$caps = map_meta_cap( 'edit_post', $user_id, $post->ID );
583			} else {
584				$caps = map_meta_cap( 'edit_posts', $user_id );
585			}
586			break;
587		case 'unfiltered_upload':
588			if ( defined( 'ALLOW_UNFILTERED_UPLOADS' ) && ALLOW_UNFILTERED_UPLOADS && ( ! is_multisite() || is_super_admin( $user_id ) ) ) {
589				$caps[] = $cap;
590			} else {
591				$caps[] = 'do_not_allow';
592			}
593			break;
594		case 'edit_css':
595		case 'unfiltered_html':
596			// Disallow unfiltered_html for all users, even admins and super admins.
597			if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
598				$caps[] = 'do_not_allow';
599			} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
600				$caps[] = 'do_not_allow';
601			} else {
602				$caps[] = 'unfiltered_html';
603			}
604			break;
605		case 'edit_files':
606		case 'edit_plugins':
607		case 'edit_themes':
608			// Disallow the file editors.
609			if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
610				$caps[] = 'do_not_allow';
611			} elseif ( ! wp_is_file_mod_allowed( 'capability_edit_themes' ) ) {
612				$caps[] = 'do_not_allow';
613			} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
614				$caps[] = 'do_not_allow';
615			} else {
616				$caps[] = $cap;
617			}
618			break;
619		case 'update_plugins':
620		case 'delete_plugins':
621		case 'install_plugins':
622		case 'upload_plugins':
623		case 'update_themes':
624		case 'delete_themes':
625		case 'install_themes':
626		case 'upload_themes':
627		case 'update_core':
628			/*
629			 * Disallow anything that creates, deletes, or updates core, plugin, or theme files.
630			 * Files in uploads are excepted.
631			 */
632			if ( ! wp_is_file_mod_allowed( 'capability_update_core' ) ) {
633				$caps[] = 'do_not_allow';
634			} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
635				$caps[] = 'do_not_allow';
636			} elseif ( 'upload_themes' === $cap ) {
637				$caps[] = 'install_themes';
638			} elseif ( 'upload_plugins' === $cap ) {
639				$caps[] = 'install_plugins';
640			} else {
641				$caps[] = $cap;
642			}
643			break;
644		case 'install_languages':
645		case 'update_languages':
646			if ( ! wp_is_file_mod_allowed( 'can_install_language_pack' ) ) {
647				$caps[] = 'do_not_allow';
648			} elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
649				$caps[] = 'do_not_allow';
650			} else {
651				$caps[] = 'install_languages';
652			}
653			break;
654		case 'activate_plugins':
655		case 'deactivate_plugins':
656		case 'activate_plugin':
657		case 'deactivate_plugin':
658			$caps[] = 'activate_plugins';
659			if ( is_multisite() ) {
660				// update_, install_, and delete_ are handled above with is_super_admin().
661				$menu_perms = get_site_option( 'menu_items', array() );
662				if ( empty( $menu_perms['plugins'] ) ) {
663					$caps[] = 'manage_network_plugins';
664				}
665			}
666			break;
667		case 'resume_plugin':
668			$caps[] = 'resume_plugins';
669			break;
670		case 'resume_theme':
671			$caps[] = 'resume_themes';
672			break;
673		case 'delete_user':
674		case 'delete_users':
675			// If multisite only super admins can delete users.
676			if ( is_multisite() && ! is_super_admin( $user_id ) ) {
677				$caps[] = 'do_not_allow';
678			} else {
679				$caps[] = 'delete_users'; // delete_user maps to delete_users.
680			}
681			break;
682		case 'create_users':
683			if ( ! is_multisite() ) {
684				$caps[] = $cap;
685			} elseif ( is_super_admin( $user_id ) || get_site_option( 'add_new_users' ) ) {
686				$caps[] = $cap;
687			} else {
688				$caps[] = 'do_not_allow';
689			}
690			break;
691		case 'manage_links':
692			if ( get_option( 'link_manager_enabled' ) ) {
693				$caps[] = $cap;
694			} else {
695				$caps[] = 'do_not_allow';
696			}
697			break;
698		case 'customize':
699			$caps[] = 'edit_theme_options';
700			break;
701		case 'delete_site':
702			if ( is_multisite() ) {
703				$caps[] = 'manage_options';
704			} else {
705				$caps[] = 'do_not_allow';
706			}
707			break;
708		case 'edit_term':
709		case 'delete_term':
710		case 'assign_term':
711			if ( ! isset( $args[0] ) ) {
712				/* translators: %s: Capability name. */
713				$message = __( 'When checking for the %s capability, you must always check it against a specific term.' );
714
715				_doing_it_wrong(
716					__FUNCTION__,
717					sprintf( $message, '<code>' . $cap . '</code>' ),
718					'6.1.0'
719				);
720
721				$caps[] = 'do_not_allow';
722				break;
723			}
724
725			$term_id = (int) $args[0];
726			$term    = get_term( $term_id );
727			if ( ! $term || is_wp_error( $term ) ) {
728				$caps[] = 'do_not_allow';
729				break;
730			}
731
732			$tax = get_taxonomy( $term->taxonomy );
733			if ( ! $tax ) {
734				$caps[] = 'do_not_allow';
735				break;
736			}
737
738			if ( 'delete_term' === $cap
739				&& ( (int) get_option( 'default_' . $term->taxonomy ) === $term->term_id
740					|| (int) get_option( 'default_term_' . $term->taxonomy ) === $term->term_id )
741			) {
742				$caps[] = 'do_not_allow';
743				break;
744			}
745
746			$taxo_cap = $cap . 's';
747
748			$caps = map_meta_cap( $tax->cap->$taxo_cap, $user_id, $term_id );
749
750			break;
751		case 'manage_post_tags':
752		case 'edit_categories':
753		case 'edit_post_tags':
754		case 'delete_categories':
755		case 'delete_post_tags':
756			$caps[] = 'manage_categories';
757			break;
758		case 'assign_categories':
759		case 'assign_post_tags':
760			$caps[] = 'edit_posts';
761			break;
762		case 'create_sites':
763		case 'delete_sites':
764		case 'manage_network':
765		case 'manage_sites':
766		case 'manage_network_users':
767		case 'manage_network_plugins':
768		case 'manage_network_themes':
769		case 'manage_network_options':
770		case 'upgrade_network':
771			$caps[] = $cap;
772			break;
773		case 'setup_network':
774			if ( is_multisite() ) {
775				$caps[] = 'manage_network_options';
776			} else {
777				$caps[] = 'manage_options';
778			}
779			break;
780		case 'update_php':
781			if ( is_multisite() && ! is_super_admin( $user_id ) ) {
782				$caps[] = 'do_not_allow';
783			} else {
784				$caps[] = 'update_core';
785			}
786			break;
787		case 'update_https':
788			if ( is_multisite() && ! is_super_admin( $user_id ) ) {
789				$caps[] = 'do_not_allow';
790			} else {
791				$caps[] = 'manage_options';
792				$caps[] = 'update_core';
793			}
794			break;
795		case 'export_others_personal_data':
796		case 'erase_others_personal_data':
797		case 'manage_privacy_options':
798			$caps[] = is_multisite() ? 'manage_network' : 'manage_options';
799			break;
800		case 'create_app_password':
801		case 'list_app_passwords':
802		case 'read_app_password':
803		case 'edit_app_password':
804		case 'delete_app_passwords':
805		case 'delete_app_password':
806			$caps = map_meta_cap( 'edit_user', $user_id, $args[0] );
807			break;
808		case 'edit_block_binding':
809			$block_editor_context = $args[0];
810			if ( isset( $block_editor_context->post ) ) {
811				$object_id = $block_editor_context->post->ID;
812			}
813			/*
814			 * If the post ID is null, check if the context is the site editor.
815			 * Fall back to the edit_theme_options in that case.
816			 */
817			if ( ! isset( $object_id ) ) {
818				if ( ! isset( $block_editor_context->name ) || 'core/edit-site' !== $block_editor_context->name ) {
819					$caps[] = 'do_not_allow';
820					break;
821				}
822				$caps = map_meta_cap( 'edit_theme_options', $user_id );
823				break;
824			}
825
826			$object_subtype = get_object_subtype( 'post', (int) $object_id );
827			if ( empty( $object_subtype ) ) {
828				$caps[] = 'do_not_allow';
829				break;
830			}
831			$post_type_object = get_post_type_object( $object_subtype );
832			// Initialize empty array if it doesn't exist.
833			if ( ! isset( $post_type_object->capabilities ) ) {
834				$post_type_object->capabilities = array();
835			}
836			$post_type_capabilities = get_post_type_capabilities( $post_type_object );
837			$caps                   = map_meta_cap( $post_type_capabilities->edit_post, $user_id, $object_id );
838			break;
839		default:
840			// Handle meta capabilities for custom post types.
841			global $post_type_meta_caps;
842			if ( isset( $post_type_meta_caps[ $cap ] ) ) {
843				return map_meta_cap( $post_type_meta_caps[ $cap ], $user_id, ...$args );
844			}
845
846			// Block capabilities map to their post equivalent.
847			$block_caps = array(
848				'edit_blocks',
849				'edit_others_blocks',
850				'publish_blocks',
851				'read_private_blocks',
852				'delete_blocks',
853				'delete_private_blocks',
854				'delete_published_blocks',
855				'delete_others_blocks',
856				'edit_private_blocks',
857				'edit_published_blocks',
858			);
859			if ( in_array( $cap, $block_caps, true ) ) {
860				$cap = str_replace( '_blocks', '_posts', $cap );
861			}
862
863			// If no meta caps match, return the original cap.
864			$caps[] = $cap;
865	}
866
867	/**
868	 * Filters the primitive capabilities required of the given user to satisfy the
869	 * capability being checked.
870	 *
871	 * @since 2.8.0
872	 *
873	 * @param string[] $caps    Primitive capabilities required of the user.
874	 * @param string   $cap     Capability being checked.
875	 * @param int      $user_id The user ID.
876	 * @param array    $args    Adds context to the capability check, typically
877	 *                          starting with an object ID.
878	 */
879	return apply_filters( 'map_meta_cap', $caps, $cap, $user_id, $args );
880}
881
882/**
883 * Returns whether the current user has the specified capability.
884 *
885 * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
886 * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
887 * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
888 *
889 * Example usage:
890 *
891 *     current_user_can( 'edit_posts' );
892 *     current_user_can( 'edit_post', $post->ID );
893 *     current_user_can( 'edit_post_meta', $post->ID, $meta_key );
894 *
895 * While checking against particular roles in place of a capability is supported
896 * in part, this practice is discouraged as it may produce unreliable results.
897 *
898 * Note: Will always return true if the current user is a super admin, unless specifically denied.
899 *
900 * @since 2.0.0
901 * @since 5.3.0 Formalized the existing and already documented `...$args` parameter
902 *              by adding it to the function signature.
903 * @since 5.8.0 Converted to wrapper for the user_can() function.
904 *
905 * @see WP_User::has_cap()
906 * @see map_meta_cap()
907 *
908 * @param string $capability Capability name.
909 * @param mixed  ...$args    Optional further parameters, typically starting with an object ID.
910 * @return bool Whether the current user has the given capability. If `$capability` is a meta cap and `$object_id` is
911 *              passed, whether the current user has the given meta capability for the given object.
912 */
913function current_user_can( $capability, ...$args ) {
914	return user_can( wp_get_current_user(), $capability, ...$args );
915}
916
917/**
918 * Returns whether the current user has the specified capability for a given site.
919 *
920 * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
921 * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
922 * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
923 *
924 * This function replaces the current_user_can_for_blog() function.
925 *
926 * Example usage:
927 *
928 *     current_user_can_for_site( $site_id, 'edit_posts' );
929 *     current_user_can_for_site( $site_id, 'edit_post', $post->ID );
930 *     current_user_can_for_site( $site_id, 'edit_post_meta', $post->ID, $meta_key );
931 *
932 * @since 6.7.0
933 *
934 * @param int    $site_id    Site ID.
935 * @param string $capability Capability name.
936 * @param mixed  ...$args    Optional further parameters, typically starting with an object ID.
937 * @return bool Whether the user has the given capability.
938 */
939function current_user_can_for_site( $site_id, $capability, ...$args ) {
940	$switched = is_multisite() ? switch_to_blog( $site_id ) : false;
941
942	$can = current_user_can( $capability, ...$args );
943
944	if ( $switched ) {
945		restore_current_blog();
946	}
947
948	return $can;
949}
950
951/**
952 * Returns whether the author of the supplied post has the specified capability.
953 *
954 * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
955 * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
956 * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
957 *
958 * Example usage:
959 *
960 *     author_can( $post, 'edit_posts' );
961 *     author_can( $post, 'edit_post', $post->ID );
962 *     author_can( $post, 'edit_post_meta', $post->ID, $meta_key );
963 *
964 * @since 2.9.0
965 * @since 5.3.0 Formalized the existing and already documented `...$args` parameter
966 *              by adding it to the function signature.
967 *
968 * @param int|WP_Post $post       Post ID or post object.
969 * @param string      $capability Capability name.
970 * @param mixed       ...$args    Optional further parameters, typically starting with an object ID.
971 * @return bool Whether the post author has the given capability.
972 */
973function author_can( $post, $capability, ...$args ) {
974	$post = get_post( $post );
975	if ( ! $post ) {
976		return false;
977	}
978
979	$author = get_userdata( $post->post_author );
980
981	if ( ! $author ) {
982		return false;
983	}
984
985	return $author->has_cap( $capability, ...$args );
986}
987
988/**
989 * Returns whether a particular user has the specified capability.
990 *
991 * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
992 * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
993 * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
994 *
995 * Example usage:
996 *
997 *     user_can( $user->ID, 'edit_posts' );
998 *     user_can( $user->ID, 'edit_post', $post->ID );
999 *     user_can( $user->ID, 'edit_post_meta', $post->ID, $meta_key );
1000 *
1001 * @since 3.1.0
1002 * @since 5.3.0 Formalized the existing and already documented `...$args` parameter
1003 *              by adding it to the function signature.
1004 *
1005 * @param int|WP_User $user       User ID or object.
1006 * @param string      $capability Capability name.
1007 * @param mixed       ...$args    Optional further parameters, typically starting with an object ID.
1008 * @return bool Whether the user has the given capability.
1009 */
1010function user_can( $user, $capability, ...$args ) {
1011	if ( ! is_object( $user ) ) {
1012		$user = get_userdata( $user );
1013	}
1014
1015	if ( empty( $user ) ) {
1016		// User is logged out, create anonymous user object.
1017		$user = new WP_User( 0 );
1018		$user->init( new stdClass() );
1019	}
1020
1021	return $user->has_cap( $capability, ...$args );
1022}
1023
1024/**
1025 * Returns whether a particular user has the specified capability for a given site.
1026 *
1027 * This function also accepts an ID of an object to check against if the capability is a meta capability. Meta
1028 * capabilities such as `edit_post` and `edit_user` are capabilities used by the `map_meta_cap()` function to
1029 * map to primitive capabilities that a user or role has, such as `edit_posts` and `edit_others_posts`.
1030 *
1031 * Example usage:
1032 *
1033 *     user_can_for_site( $user->ID, $site_id, 'edit_posts' );
1034 *     user_can_for_site( $user->ID, $site_id, 'edit_post', $post->ID );
1035 *     user_can_for_site( $user->ID, $site_id, 'edit_post_meta', $post->ID, $meta_key );
1036 *
1037 * @since 6.7.0
1038 *
1039 * @param int|WP_User $user       User ID or object.
1040 * @param int         $site_id    Site ID.
1041 * @param string      $capability Capability name.
1042 * @param mixed       ...$args    Optional further parameters, typically starting with an object ID.
1043 * @return bool Whether the user has the given capability.
1044 */
1045function user_can_for_site( $user, $site_id, $capability, ...$args ) {
1046	if ( ! is_object( $user ) ) {
1047		$user = get_userdata( $user );
1048	}
1049
1050	if ( empty( $user ) ) {
1051		// User is logged out, create anonymous user object.
1052		$user = new WP_User( 0 );
1053		$user->init( new stdClass() );
1054	}
1055
1056	// Check if the blog ID is valid.
1057	if ( ! is_numeric( $site_id ) || $site_id <= 0 ) {
1058		return false;
1059	}
1060
1061	$switched = is_multisite() ? switch_to_blog( $site_id ) : false;
1062
1063	$can = user_can( $user->ID, $capability, ...$args );
1064
1065	if ( $switched ) {
1066		restore_current_blog();
1067	}
1068
1069	return $can;
1070}
1071
1072/**
1073 * Retrieves the global WP_Roles instance and instantiates it if necessary.
1074 *
1075 * @since 4.3.0
1076 *
1077 * @global WP_Roles $wp_roles WordPress role management object.
1078 *
1079 * @return WP_Roles WP_Roles global instance if not already instantiated.
1080 */
1081function wp_roles() {
1082	global $wp_roles;
1083
1084	if ( ! isset( $wp_roles ) ) {
1085		$wp_roles = new WP_Roles();
1086	}
1087	return $wp_roles;
1088}
1089
1090/**
1091 * Retrieves role object.
1092 *
1093 * @since 2.0.0
1094 *
1095 * @param string $role Role name.
1096 * @return WP_Role|null WP_Role object if found, null if the role does not exist.
1097 */
1098function get_role( $role ) {
1099	return wp_roles()->get_role( $role );
1100}
1101
1102/**
1103 * Adds a role, if it does not exist.
1104 *
1105 * The list of capabilities can be passed either as a numerically indexed array of capability names, or an
1106 * associative array of boolean values keyed by the capability name. To explicitly deny the role a capability, set
1107 * the value for that capability to false.
1108 *
1109 * Examples:
1110 *
1111 *     // Add a role that can edit posts.
1112 *     add_role( 'custom_role', 'Custom Role', array(
1113 *         'read',
1114 *         'edit_posts',
1115 *     ) );
1116 *
1117 * Or, using an associative array:
1118 *
1119 *     // Add a role that can edit posts but explicitly cannot not delete them.
1120 *     add_role( 'custom_role', 'Custom Role', array(
1121 *         'read' => true,
1122 *         'edit_posts' => true,
1123 *         'delete_posts' => false,
1124 *     ) );
1125 *
1126 * @since 2.0.0
1127 * @since 6.9.0 Support was added for a numerically indexed array of strings for the capabilities array.
1128 *
1129 * @param string                               $role         Role name.
1130 * @param string                               $display_name Display name for role.
1131 * @param array<string,bool>|array<int,string> $capabilities Capabilities to be added to the role.
1132 *                                                           Default empty array.
1133 * @return WP_Role|void WP_Role object, if the role is added.
1134 */
1135function add_role( $role, $display_name, $capabilities = array() ) {
1136	if ( empty( $role ) ) {
1137		return;
1138	}
1139
1140	return wp_roles()->add_role( $role, $display_name, $capabilities );
1141}
1142
1143/**
1144 * Removes a role, if it exists.
1145 *
1146 * @since 2.0.0
1147 *
1148 * @param string $role Role name.
1149 */
1150function remove_role( $role ) {
1151	wp_roles()->remove_role( $role );
1152}
1153
1154/**
1155 * Retrieves a list of super admins.
1156 *
1157 * @since 3.0.0
1158 *
1159 * @global array $super_admins
1160 *
1161 * @return string[] List of super admin logins.
1162 */
1163function get_super_admins() {
1164	global $super_admins;
1165
1166	if ( isset( $super_admins ) ) {
1167		return $super_admins;
1168	} else {
1169		return get_site_option( 'site_admins', array( 'admin' ) );
1170	}
1171}
1172
1173/**
1174 * Determines whether user is a site admin.
1175 *
1176 * @since 3.0.0
1177 *
1178 * @param int|false $user_id Optional. The ID of a user. Defaults to false, to check the current user.
1179 * @return bool Whether the user is a site admin.
1180 */
1181function is_super_admin( $user_id = false ) {
1182	if ( ! $user_id ) {
1183		$user = wp_get_current_user();
1184	} else {
1185		$user = get_userdata( $user_id );
1186	}
1187
1188	if ( ! $user || ! $user->exists() ) {
1189		return false;
1190	}
1191
1192	if ( is_multisite() ) {
1193		$super_admins = get_super_admins();
1194		if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins, true ) ) {
1195			return true;
1196		}
1197	} elseif ( $user->has_cap( 'delete_users' ) ) {
1198		return true;
1199	}
1200
1201	return false;
1202}
1203
1204/**
1205 * Grants Super Admin privileges.
1206 *
1207 * @since 3.0.0
1208 *
1209 * @global array $super_admins
1210 *
1211 * @param int $user_id ID of the user to be granted Super Admin privileges.
1212 * @return bool True on success, false on failure. This can fail when the user is
1213 *              already a super admin or when the `$super_admins` global is defined.
1214 */
1215function grant_super_admin( $user_id ) {
1216	// If global super_admins override is defined, there is nothing to do here.
1217	if ( isset( $GLOBALS['super_admins'] ) || ! is_multisite() ) {
1218		return false;
1219	}
1220
1221	/**
1222	 * Fires before the user is granted Super Admin privileges.
1223	 *
1224	 * @since 3.0.0
1225	 *
1226	 * @param int $user_id ID of the user that is about to be granted Super Admin privileges.
1227	 */
1228	do_action( 'grant_super_admin', $user_id );
1229
1230	// Directly fetch site_admins instead of using get_super_admins().
1231	$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
1232
1233	$user = get_userdata( $user_id );
1234	if ( $user && ! in_array( $user->user_login, $super_admins, true ) ) {
1235		$super_admins[] = $user->user_login;
1236		update_site_option( 'site_admins', $super_admins );
1237
1238		/**
1239		 * Fires after the user is granted Super Admin privileges.
1240		 *
1241		 * @since 3.0.0
1242		 *
1243		 * @param int $user_id ID of the user that was granted Super Admin privileges.
1244		 */
1245		do_action( 'granted_super_admin', $user_id );
1246		return true;
1247	}
1248	return false;
1249}
1250
1251/**
1252 * Revokes Super Admin privileges.
1253 *
1254 * @since 3.0.0
1255 * @since 6.9.0 Super admin privileges can be revoked regardless of email address.
1256 *
1257 * @global array $super_admins
1258 *
1259 * @param int $user_id ID of the user Super Admin privileges to be revoked from.
1260 * @return bool True on success, false on failure. This can fail when the user's email
1261 *              is the network admin email or when the `$super_admins` global is defined.
1262 */
1263function revoke_super_admin( $user_id ) {
1264	// If global super_admins override is defined, there is nothing to do here.
1265	if ( isset( $GLOBALS['super_admins'] ) || ! is_multisite() ) {
1266		return false;
1267	}
1268
1269	/**
1270	 * Fires before the user's Super Admin privileges are revoked.
1271	 *
1272	 * @since 3.0.0
1273	 *
1274	 * @param int $user_id ID of the user Super Admin privileges are being revoked from.
1275	 */
1276	do_action( 'revoke_super_admin', $user_id );
1277
1278	// Directly fetch site_admins instead of using get_super_admins().
1279	$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
1280
1281	$user = get_userdata( $user_id );
1282	if ( $user ) {
1283		$key = array_search( $user->user_login, $super_admins, true );
1284		if ( false !== $key ) {
1285			unset( $super_admins[ $key ] );
1286			update_site_option( 'site_admins', $super_admins );
1287
1288			/**
1289			 * Fires after the user's Super Admin privileges are revoked.
1290			 *
1291			 * @since 3.0.0
1292			 *
1293			 * @param int $user_id ID of the user Super Admin privileges were revoked from.
1294			 */
1295			do_action( 'revoked_super_admin', $user_id );
1296			return true;
1297		}
1298	}
1299	return false;
1300}
1301
1302/**
1303 * Filters the user capabilities to grant the 'install_languages' capability as necessary.
1304 *
1305 * A user must have at least one out of the 'update_core', 'install_plugins', and
1306 * 'install_themes' capabilities to qualify for 'install_languages'.
1307 *
1308 * @since 4.9.0
1309 *
1310 * @param bool[] $allcaps An array of all the user's capabilities.
1311 * @return bool[] Filtered array of the user's capabilities.
1312 */
1313function wp_maybe_grant_install_languages_cap( $allcaps ) {
1314	if ( ! empty( $allcaps['update_core'] ) || ! empty( $allcaps['install_plugins'] ) || ! empty( $allcaps['install_themes'] ) ) {
1315		$allcaps['install_languages'] = true;
1316	}
1317
1318	return $allcaps;
1319}
1320
1321/**
1322 * Filters the user capabilities to grant the 'resume_plugins' and 'resume_themes' capabilities as necessary.
1323 *
1324 * @since 5.2.0
1325 *
1326 * @param bool[] $allcaps An array of all the user's capabilities.
1327 * @return bool[] Filtered array of the user's capabilities.
1328 */
1329function wp_maybe_grant_resume_extensions_caps( $allcaps ) {
1330	// Even in a multisite, regular administrators should be able to resume plugins.
1331	if ( ! empty( $allcaps['activate_plugins'] ) ) {
1332		$allcaps['resume_plugins'] = true;
1333	}
1334
1335	// Even in a multisite, regular administrators should be able to resume themes.
1336	if ( ! empty( $allcaps['switch_themes'] ) ) {
1337		$allcaps['resume_themes'] = true;
1338	}
1339
1340	return $allcaps;
1341}
1342
1343/**
1344 * Filters the user capabilities to grant the 'view_site_health_checks' capabilities as necessary.
1345 *
1346 * @since 5.2.2
1347 *
1348 * @param bool[]   $allcaps An array of all the user's capabilities.
1349 * @param string[] $caps    Required primitive capabilities for the requested capability.
1350 * @param array    $args {
1351 *     Arguments that accompany the requested capability check.
1352 *
1353 *     @type string    $0 Requested capability.
1354 *     @type int       $1 Concerned user ID.
1355 *     @type mixed  ...$2 Optional second and further parameters, typically object ID.
1356 * }
1357 * @param WP_User  $user    The user object.
1358 * @return bool[] Filtered array of the user's capabilities.
1359 */
1360function wp_maybe_grant_site_health_caps( $allcaps, $caps, $args, $user ) {
1361	if ( ! empty( $allcaps['install_plugins'] ) && ( ! is_multisite() || is_super_admin( $user->ID ) ) ) {
1362		$allcaps['view_site_health_checks'] = true;
1363	}
1364
1365	return $allcaps;
1366}
1367
1368return;
1369
1370// Dummy gettext calls to get strings in the catalog.
1371/* translators: User role for administrators. */
1372_x( 'Administrator', 'User role' );
1373/* translators: User role for editors. */
1374_x( 'Editor', 'User role' );
1375/* translators: User role for authors. */
1376_x( 'Author', 'User role' );
1377/* translators: User role for contributors. */
1378_x( 'Contributor', 'User role' );
1379/* translators: User role for subscribers. */
1380_x( 'Subscriber', 'User role' );
1381