Roles and capabilities API

v1.2.1 2021-05-29 14:48 UTC

This package is auto-updated.

Last update: 2022-04-29 01:42:29 UTC


Capabilities and roles API

Registering a role


Assigning a role to a user

// Site wide role
elgg()->roles->assign('role_name', $user);

// Group specific role
elgg()->roles->assign('role_name', $user, $group);

Remove a role from a user

// Site wide role
elgg()->roles->unassign('role_name', $user);

// Group specific role
elgg()->roles->unassign('role_name', $user, $group);

Configuring role permissions

Creating entities of a specific type

// Prevent users with given role from creating entities of a given type
elgg()->roles->role_name->onCreate('object', 'blog', Role::DENY);

// Allow users to create entities of a given type regardless of context
elgg()->roles->role_name->onCreate('object', 'blog', Role::ALLOW, Role::OVERRIDE);

// Allow users to create entities of a given type if all other container permissins are met
elgg()->roles->role_name->onCreate('object', 'blog', Role::ALLOW, Role::STACK);

// Allow users to create entities when specific conditions are met
// Only allow group blogs
elgg()->roles->role_name->onCreate('object', 'blog', Role::DENY, function(\hypeJunction\Capabilities\Context $context) {
	$container = $context->getTarget();
	if (!$container instanceof ElggGroup) {
		return Role::DENY;

Update and delete permissions

Similar to above, you can use onUpdate and onDelete methods;

Granting administrative permissions

Administrative permissions imply high-level administrative action on entities, e.g. approving a certain post after moderation. By default, core does not use this privilege level, but you can check if the user has admin permissions over an entity like so:

$params = [
	'entity' => $entity,
	'user' => $user,
if (!elgg_trigger_plugin_hook('permissions_check:administer', "$entity->type:$entity->subtype", $params, false)) {
	// No permissions to approve
	throw new EntityPermissionsException();

// Do something that requires high level permissions, e.g.
$entity->published_status = 'published';

Granting/denying admin permissions

// Prevent users with given role from creating entities of a given type
// Allow moderator role to administer all blogs regardless of owner/container
elgg()->roles->moderator->onAdminister('object', 'blog', Role::ALLOW, Role::OVERRIDE);

// Allow users to create entities when specific conditions are met
// Allow teacher to administer all group blogs
elgg()->roles->teacher->canAdminister('object', 'blog', Role::ALLOW, function(\hypeJunction\Capabilities\Context $context) {
	$entity = $context->getTarget();
	$actor = $context->getActor();
	$container = $entity->getContainerEntity();
	return $container->canEdit($actor->guid);


You can allow/deny access to certain routes by route name

// Context parameter contain matched route elements
// e.g. prevent access to user profile if users are not friends
elgg()->roles->user->onRouteAccess('view:user', Role::DENY, function(\hypeJunction\Capabilities\Context $context) {
	$actor = $context->getActor();

	$username = $context->getParam('username');
	$user = get_user_by_username($username);

	if (!$actor || !$user instanceof ElggUser || !$actor->isFriendOf($user->guid)) {
		register_error('You must be friends to access user profiles');
		return Role::DENY;

// Here is an example of how to prevent access to member pages to non-logged in users:
elgg()->roles->guest->onRouteAccess('collection:user:user', Role::DENY);
elgg()->roles->guest->onRouteAccess('collection:user:user:alpha', Role::DENY);
elgg()->roles->guest->onRouteAccess('collection:user:user:newest', Role::DENY);
elgg()->roles->guest->onRouteAccess('collection:user:user:online', Role::DENY);
elgg()->roles->guest->onRouteAccess('collection:user:user:popular', Role::DENY);
elgg()->roles->guest->onRouteAccess('search:user:user', Role::DENY);
elgg()->roles->guest->onRouteAccess('view:user', Role::DENY);

Custom (component) capabilities

You can check and alter custom capabilities:

// Check a custom role
elgg()->roles->can('read', 'discussions');

// Define how role responds to capability check
elgg()->roles->guest->on('read', 'discussions', Role::DENY);

// Override role response
elgg_register_plugin_hook_handler('capability', 'read:discussions', function(Hook $hook) {