Access Control Patterns

When debugging this issue in Co-Authors-Plus plugin for WordPress, I’ve read relevant classes, functions, and hooks regarding roles and capabilities in WordPress core. That triggers my curiosity to get to know more about how to design access control for applications.

This post is not really a summary or research. It’s more a note of mine for articles I’ve collected.

Photo by Sora Shimazaki on

As mentioned in this Wikipedia page, there are over 12 patterns. However, the most common are 3 following patterns:

  • Discretionary Access Control (DAC)
  • Mandatory Access control (MAC)
  • Role-based Access Control (RBAC) – I will focus more on this pattern as it’s very popular in web development.

Good Articles

For the last one, there are some good things to remember:

  • Give permissions to activities, not roles. For example, it should not present like this: A shop manager can edit products. It should be: A shop manager has the edit_product permission. To edit products, any user needs to have edit_product permission. This reduces errors and bring flexibility. For example, in the future, the business needs to have another role like Warehouse Staff. We just need to create this role and assign edit_product to it. The original code handles the editing product does not need to be changed.
  • If we code to the role, we need to write more something like: A shop manager and a warehouse staff can edit products.
  • Deny permission by default rather than accept by default.
  • Never depend on untrusted data (aka provided by users).

WordPress in Specific!

WordPress follows the RBAC pattern:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s