Note to self: the map_meta_cap conversation

The WordPress function current_user_can() calls $user->has_cap() which calls the map_meta_cap filter.

The purpose of map_meta_cap is to filter and return the list of capabilities that a user needs to complete a task. Essentially, the conversation goes something like this:

has_cap: “Hey, user ‘Dan’ would like to read_post 342. What caps will he need?”

map_meta_cap: “He’ll need read, read_post and read_published_posts

has_cap: “Cool. Let me see if he has all of those. … Looks like he does! I’ll let current_user_can() know.”

The other thing to remember is that capabilities are cumulative. Each additional cap that map_meta_cap returns makes the permission more restrictive: has_cap() will check each one in turn against the capabilities that the user has and bail out immediately if any are not present.