Currently there is a lot of confusion about where each capability can be assigned. The main problem is that in CONTEXT_SYSTEM there are capabilities that can be assigned everywhere, but also some that can be assigned only at certain levels (e.g. blog capabilities at CONTEXT_SYSTEM only).
I am proposing a simple rule that would make things much easier to understand, both for developers and users:
- In the capability definition (access.php file), contextlevel means the lowest level (== the highest number) where the capability can be assigned.
Steps to implement:
1/ create new context level CONTEXT_ANYWHERE (any better name??) with value 100 (or higher)
2/ review all capability definitions and fix context level - CONTEXT_SYSTEM seems to be used too often
3/ fix the role definition and override GUI to list the capabilities properly and explain the levels where each capability is applicable
4/ add diagnostic checks in debug mode to verify that capabilities are not used on lower levels than intended - it would catch some nasty bugs
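
A sketch of the diagnostic check from step 4, added here as an illustration and not taken from Moodle's code. The level numbers mirror Moodle's CONTEXT_* constants plus the proposed CONTEXT_ANYWHERE = 100; the capability names, the sample data and the function name find_misplaced_capabilities() are hypothetical.

```php
<?php
// Added illustration, not Moodle core code.
// Context level numbers: higher number == lower (more specific) level.
$levels = [
    'system' => 10, 'user' => 30, 'coursecat' => 40,
    'course' => 50, 'module' => 70, 'block' => 80,
    'anywhere' => 100, // value proposed in step 1
];

// Constructed definitions in the shape of an access.php entry:
// contextlevel is the lowest level where the capability may be assigned.
$capabilities = [
    'example/blog:manage'   => ['contextlevel' => $levels['system']],
    'example/course:update' => ['contextlevel' => $levels['course']],
    'example/forum:reply'   => ['contextlevel' => $levels['anywhere']],
];

// Constructed uses: [capability, level where it is assigned or checked].
$uses = [
    ['example/blog:manage',   'course'],    // too low: system-only capability
    ['example/course:update', 'coursecat'], // fine: above the lowest level
    ['example/course:update', 'module'],    // too low
    ['example/forum:reply',   'block'],     // fine: allowed anywhere
    ['example/missing:cap',   'course'],    // no definition at all
];

// Return one message per use that breaks the "lowest level" rule.
function find_misplaced_capabilities(array $capabilities, array $levels, array $uses): array {
    $problems = [];
    foreach ($uses as [$capability, $levelname]) {
        if (!isset($capabilities[$capability])) {
            $problems[] = "$capability: no capability definition found";
            continue;
        }
        $lowest = $capabilities[$capability]['contextlevel'];
        $used = $levels[$levelname];
        if ($used > $lowest) {
            $problems[] = "$capability: used at $levelname ($used), "
                . "lowest allowed contextlevel is $lowest";
        }
    }
    return $problems;
}

// In debug mode these would be emitted as developer warnings.
foreach (find_misplaced_capabilities($capabilities, $levels, $uses) as $problem) {
    echo "DEBUG: $problem\n";
}
```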