initial

includes/RsvCapabilities.php

@@ -0,0 +1,60 @@
+<?php
+
+if ( ! defined( 'ABSPATH' ) ) {
+	exit; // Exit if accessed directly.
+}
+
+/**
+ * Central definition and lifecycle for the plugin's custom capability.
+ *
+ * `manage_reservations` gates every administrative REST endpoint. It is granted to the
+ * roles in DEFAULT_ROLES on activation.
+ *
+ * Because WordPress only runs the activation hook on *activate* (never on a
+ * plugin update), ensure() re-grants the capability when the stored version
+ * lags behind, so an update can never silently lock admins out of the API.
+ */
+final class RsvCapabilities {
+	/** The capability that authorises managing reservation data. */
+	public const MANAGE = 'manage_reservations';
+
+	/** Bumped whenever the capability set changes, to drive re-grants on update. */
+	public const VERSION = '1';
+
+	/** Option that records which capability VERSION has been applied. */
+	private const VERSION_OPTION = 'rsv_caps_version';
+
+	/** Roles that receive the capability by default. */
+	private const DEFAULT_ROLES = [ 'administrator' ];
+
+	/**
+	 * Grant the capability to the default roles, then record the version.
+	 * Idempotent and safe to call on activation and on every bootstrap.
+	 */
+	public static function ensure(): void {
+		if ( get_option( self::VERSION_OPTION ) === self::VERSION ) {
+			return;
+		}
+
+		foreach ( self::DEFAULT_ROLES as $role_name ) {
+			$role = get_role( $role_name );
+			if ( $role && ! $role->has_cap( self::MANAGE ) ) {
+				$role->add_cap( self::MANAGE );
+			}
+		}
+
+		update_option( self::VERSION_OPTION, self::VERSION );
+	}
+
+	/** Remove the capability from every role and clear the version marker. */
+	public static function revoke(): void {
+		foreach ( array_keys( wp_roles()->roles ) as $role_name ) {
+			$role = get_role( $role_name );
+			if ( $role ) {
+				$role->remove_cap( self::MANAGE );
+			}
+		}
+
+		delete_option( self::VERSION_OPTION );
+	}
+}