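The two hooks, map_meta_cap and user_has_cap, allow you to change capabilities on the fly without having to add them to roles in the database. They also give you a ton of flexibility. Because nothing is stored, each change applies only while the code that registers the filter is loaded; deactivate that code and the original capabilities return.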
Some examples from the talk:
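If you can edit pages, you can edit widgets (the capability granted is edit_theme_options, which also covers menus and the Customizer, not only widgets):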
// Anyone whose capability set already includes edit_pages is also treated as
// holding edit_theme_options. Nothing is written to the roles stored in the
// database; the grant lasts only while this filter is registered.
// Least-privilege note: edit_theme_options gates more than the Widgets screen
// (menus and the Customizer use it too), so this widens access beyond widgets.
add_filter(
	'user_has_cap',
	function( $allcaps ) {
		// edit_pages missing or falsy: hand the capability set back untouched.
		if ( empty( $allcaps['edit_pages'] ) ) {
			return $allcaps;
		}

		$allcaps['edit_theme_options'] = true;

		return $allcaps;
	}
);
Give secondary “administrators” less control:
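// Revoke manage_options from every user except the one whose e-mail address
// equals the site's admin_email option.
//
// Parameters: $caps is the user's capability map, $cap the capabilities being
// checked, and $args the check arguments, where $args[1] is the user ID.
// Returns the (possibly modified) capability map.
//
// Review notes:
// - The comparison is strict and fails closed. With the loose != used before,
//   a user with an empty e-mail compared against a missing admin_email option
//   (get_option() returning false) counted as equal and kept manage_options.
// - "Primary" is decided purely by e-mail address, so anyone able to change a
//   user's e-mail or the admin_email option changes who passes this check.
// - Only manage_options is removed. Every other capability of the role stays
//   in place; audit those separately if the goal is a limited administrator.
add_filter(
	'user_has_cap',
	function( $caps, $cap, $args ) {
		$user_id = isset( $args[1] ) ? (int) $args[1] : 0;

		// get_userdata() returns false for an unknown ID instead of an empty object.
		$user          = $user_id ? get_userdata( $user_id ) : false;
		$primary_email = get_option( 'admin_email' );

		$is_primary = $user
			&& is_string( $primary_email )
			&& '' !== $primary_email
			&& $user->user_email === $primary_email;

		if ( ! $is_primary ) {
			$caps['manage_options'] = false;
		}

		return $caps;
	},
	10,
	3
);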
Don’t let anyone delete users:
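// Make user deletion impossible through capability checks: whenever
// delete_user or delete_users is being mapped, add do_not_allow to the list of
// required capabilities. No user holds do_not_allow, so the check always fails.
//
// Parameters: $required_caps is the list of primitive capabilities required so
// far, $cap the capability being mapped. Returns the updated list.
//
// Scope note: this only affects code paths that ask current_user_can() (or an
// equivalent check) first. Code that calls wp_delete_user() directly without a
// capability check is not stopped by this filter.
add_filter(
	'map_meta_cap',
	function( $required_caps, $cap ) {
		// Strict match so a non-string $cap cannot match through type juggling.
		if ( in_array( $cap, array( 'delete_user', 'delete_users' ), true ) ) {
			$required_caps[] = 'do_not_allow';
		}

		return $required_caps;
	},
	10,
	2
);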
Only administrators can delete published posts:
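// Require manage_options, in addition to whatever is already required, before
// a published post can be deleted.
//
// Parameters: $required_caps is the list of primitive capabilities required so
// far, $cap the capability being mapped, $user_id the user being checked
// (unused), and $args the check arguments, where $args[0] is the post ID.
// Returns the updated list.
//
// Review notes:
// - The earlier version added manage_options for every delete_post check,
//   drafts included, which is broader than "published posts". The status is
//   now looked up, which is why the filter is registered with four arguments.
// - Fails closed: if the post ID is missing or the status cannot be read,
//   manage_options is still required.
// - manage_options stands in for "is an administrator"; any role that has been
//   granted that capability passes this check as well.
add_filter(
	'map_meta_cap',
	function( $required_caps, $cap, $user_id, $args ) {
		if ( 'delete_post' !== $cap ) {
			return $required_caps;
		}

		$post_id = isset( $args[0] ) ? (int) $args[0] : 0;
		$status  = $post_id ? get_post_status( $post_id ) : false;

		if ( false === $status || 'publish' === $status ) {
			$required_caps[] = 'manage_options';
		}

		return $required_caps;
	},
	10,
	4
);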
Require editors to approve posts:
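// Require edit_others_posts, in addition to whatever is already required,
// before anything can be published, so that only users at editor level or
// above can publish.
//
// Parameters: $required_caps is the list of primitive capabilities required so
// far, $cap the capability being mapped. Returns the updated list.
//
// Review note: the capability name was previously spelled 'edit_others_post'.
// No default role holds a capability with that name, so the requirement could
// not be met and publishing was blocked for editors too. The primitive
// capability is 'edit_others_posts'.
add_filter(
	'map_meta_cap',
	function( $required_caps, $cap ) {
		// Strict match so a non-string $cap cannot match through type juggling.
		if ( in_array( $cap, array( 'publish_post', 'publish_posts' ), true ) ) {
			$required_caps[] = 'edit_others_posts';
		}

		return $required_caps;
	},
	10,
	2
);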