
USER

Vasyl Martyniuk

Syntax

${USER.<pathToProperty>}

FYI!

The pathToProperty is a valid marker path to any property that the WP_User instance may have. Also, because of the way the WordPress core class WP_User is implemented, you can target any user meta value as well. For more information, refer to WP_User::__get().

Definition

The USER marker allows you to read attributes of the current user. The current user object is initialized before the WordPress core action init triggers. It is stored in the global $current_user and contains an instance of the WP_User class. This object holds all the information about the user, and you can use it to prepare different conditions for your policy statements.

FYI!

The USER marker is also applicable to non-authenticated users (visitors). In this case only a very limited number of properties are available.

For example, you can prepare a statement that is applicable to a user with an email that has the gmail.com domain.

{
    "Statement": [
        {
            "Effect": "allow",
            "Resource": "Post:post:hello-world",
            "Action": "Read",
            "Condition": {
                "Like": {
                    "${USER.user_email}": "*@gmail.com"
                }
            }
        }
    ]
}

Default USER attributes

WordPress core has the following default user attributes, but they may vary depending on your WordPress core version:

stdClass Object
(
    [ID] => 32
    [user_login] => johnsmith
    [user_pass] => $P$Be4IePMt83FnFmmGIOpnBkNZNQyOti.
    [user_nicename] => John
    [user_email] => johnsmith@testing.local
    [user_url] =>
    [user_registered] => 2024-04-05 01:02:42
    [user_activation_key] =>
    [user_status] => 0
    [display_name] => John Smith
    [user_level] => 5
)

You can target any of these attributes by properly defining the USER marker. For example, to get the date and time the user registered, use the ${USER.user_registered} marker.

Keep in mind!

Many WordPress plugins and themes extend this object with additional attributes, and all of them are available for you to use in access policies.

IP Attribute

The reserved attribute ip or ipaddress extracts the current user’s IP address. This allows you to apply statements specifically to the current user based on their IP address or IP range (depending on the condition used).

For instance, the following condition applies to a user coming from the IP range 10.123.10.0 – 10.123.10.255:

{
    "Statement": [
        {
            "Effect": "allow",
            "Resource": "Taxonomy:product_category:terms",
            "Action": "Browse",
            "Condition": {
                "Between": {
                    "(*ip)${USER.ip}": [
                        "(*ip)10.123.10.0",
                        "(*ip)10.123.10.255"
                    ]
                }
            }
        }
    ]
}

AAM 6.0.24+ also supports IP CIDR annotations, enhancing how conditions based on IP addresses are managed. For example, the following statement restricts access to any admin page if the user is not coming from the internal IP range:

{
    "Statement": {
        "Effect": "deny",
        "Resource": "/wp-admin*",
        "Condition": {
            "NotIn": {
                "${USER.ip}": "(*ip)10.1.23.0/24"
            }
        }
    }
}

Important!

It is crucial to use the (*ip) typecast with CIDR annotation to explicitly tell AAM that the value should be treated as an IP address.
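To make the effect of the (*ip) typecast concrete, the following Python script is an added illustration (not AAM's own policy engine) that expands ${USER.<property>} markers against a constructed user dictionary and evaluates the Between and NotIn conditions from the two IP examples above. It assumes that an uncast value is compared as a plain string, which is why the third condition, the CIDR check with its (*ip) cast dropped, matches every user, including those inside 10.1.23.0/24.

```python
import ipaddress
import re

MARKER = re.compile(r"\$\{USER\.([A-Za-z0-9_]+)\}")
IP_CAST = re.compile(r"^\(\*ip\)")
NETWORK = (ipaddress.IPv4Network, ipaddress.IPv6Network)

def resolve(value, user):
    """Expand ${USER.<prop>} markers; a leading (*ip) turns the result into a network."""
    if isinstance(value, list):
        return [resolve(v, user) for v in value]
    if not isinstance(value, str):
        return value
    cast = IP_CAST.match(value) is not None
    text = MARKER.sub(lambda m: str(user.get(m.group(1), "")), IP_CAST.sub("", value))
    # (*ip) on a single address yields a /32 (or /128); on a CIDR it yields the whole range
    return ipaddress.ip_network(text, strict=False) if cast else text

def as_address(value):
    """Normalise an uncast string or a (*ip)-cast single-host network to an address."""
    return value.network_address if isinstance(value, NETWORK) else ipaddress.ip_address(value)

def evaluate(condition, user):
    """True when every operator in the Condition holds for the given user attributes."""
    for op, pairs in condition.items():
        for left, right in pairs.items():
            lhs, rhs = resolve(left, user), resolve(right, user)
            if op == "Between":
                low, high = (as_address(b) for b in rhs)
                ok = low <= as_address(lhs) <= high
            elif op in ("In", "NotIn"):
                candidates = rhs if isinstance(rhs, list) else [rhs]
                if any(isinstance(c, NETWORK) for c in candidates):
                    ok = any(as_address(lhs) in c for c in candidates)
                else:
                    # Toy-model assumption: uncast values compare as plain strings, so the
                    # address "10.1.23.5" is never "in" the literal string "10.1.23.0/24".
                    ok = lhs in candidates
                ok = ok if op == "In" else not ok
            else:
                raise ValueError(f"unsupported operator: {op}")
            if not ok:
                return False
    return True

# The page's two IP conditions, plus the CIDR check with its (*ip) cast dropped
RANGE_COND = {"Between": {"(*ip)${USER.ip}": ["(*ip)10.123.10.0", "(*ip)10.123.10.255"]}}
CIDR_COND = {"NotIn": {"${USER.ip}": "(*ip)10.1.23.0/24"}}
UNCAST_COND = {"NotIn": {"${USER.ip}": "10.1.23.0/24"}}
```

Run evaluate(CIDR_COND, {"ip": "10.1.23.5"}) and evaluate(UNCAST_COND, {"ip": "10.1.23.5"}) side by side: the cast version correctly reports that the deny statement does not apply to the internal address, while the uncast version reports that it does.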

Authenticated Attribute

Another reserved attribute is authenticated or isAuthenticated, which returns the boolean true if the user is logged in. Internally, it uses the WordPress core function is_user_logged_in.

The following statement personalizes the access denied message if the user is logged in by embedding their display name:

{
    "Param": [
        {
            "Key": "redirect:on:access-denied:frontend",
            "Value": {
                "Type": "message",
                "Message": "Sorry ${USER.display_name}, you cannot access this restricted area."
            },
            "Condition": {
                "Equals": {
                    "(*bool)${USER.isAuthenticated}": true
                }
            }
        }
    ]
}

Caps Attribute

The caps or capabilities attribute accesses the array of all capabilities assigned to the current user. This allows you to declare statements and parameters that are conditional based on the user's privileges. For example, the following policy restricts the ability to manage pages if the user does not have the custom capability company_super_editor:

{
    "Statement": {
        "Effect": "deny",
        "Resource": "PostType:page:posts",
        "Action": [
            "Edit",
            "Delete",
            "Publish"
        ],
        "Condition": {
            "NotIn": {
                "company_super_editor": "(*array)${USER.caps}"
            }
        }
    }
}