Restricting User Access

I am not done with the whole tagging mess, yet there is a new requirement:

restrict user access to different parts of the site

• at least three access levels
• each next level supersedes the previous ones (no partial overlaps)
• restrict access to Pages (but I can bet your immortal sould that I will be asked to restrict access to Posts by category next).

Guess what… there are plenty of plug-ins, yet none take care of the whole thing.

A good list of plug-ins can be found here.

As far as I can tell, NONE protects both Posts and Pages. The best I can hope for is a combination of two plug-ins that can be configured to rely on the same roles.

Beyond the current requirements but potentially very useful: “Secure Files“.

Clearly, not much can be accomplished without the Role Manager.

Not right for my task (probably excellent in other environments):

• “Category Visibility” plug-in: “This method is not designed as a security device, only as a display method. A guest can still access a post by post number”.
• “Disclose-Secret” plug-in: very nice design, but no page restriction and no post restriction by category.
• “WP-Members” – “I intend to add the ability to block the loop based on categories so that some could be restricted and others open.”
• “Limit Categories” – it comes from the Role Manager author. If that one does not work, I do not know what does! – “Limits the categories to which users of
  certain levels can make posts”
• “Pages for members only 0.2” – same question, what about the Roles – not really?
• “Subscribers-Only” – focused on Posts, uses Roles. Does not hide the excerpts. Not available. The author has been re-working it for at least half a yeear now.

Got potential:

• “User Permissions” – manages edit permissions only… but at least it works with Roles (why not create capabilities?) and it builds a nice side menu (re-usable code?)
• “Page Restriction” – works nicely with “Page Access” (which implements a proprietary Roles system).

So… what am I left with?

In a perfect world

• I would easily define capabilities like view.everyone and view.subscribers, and view.other – this can be done today.
• I would attach such capabilities to pages – probably can be done via custom fields (there is a plug-in for accessing them)
• I would be able to exclude such pages from display/search – via a filter? Now this would require coding.
• Ditto for posts
• Management of access capabilities for posts by category would be really nice. There are no “custom fields” for Categories though. So this would call for a propagation mechanism: “apply capability to every post in a category” and such.
• User Profile should display user capabilities
• When content is unavailable, a log-inpage should be presented, or, if the user is already logged in, an explanation why access is barred
• A function “is_capability()” needs to be defined. Or maybe it already exists? (Would be extremely useful for showing links to secured content.)
• A filter for wordpress functions that list links to pages/posts…
• A management interface – to select “access capabilities” sub-list from all capabilities. The sub-list will be uses in Page/Post Edit UI, and maybe in a separate management UI.

All in all.. not that much if I had time. Let’s see what happens. I have used Page Restriction with great success before, maybe I can twist it a bit for now till “Disclose-Secret” matures (it is getting there but I dislike that things do not show up in search and such – this is a result of a design decision and I do not see it overturned easily).

Update: “Disclose-Secret” now supports roles and capabilities. Way to go! It seems to be a clear winner.

The author has a strong (and justified) opinion about categories: “access restriction based onategories is not and will not be implemented into Disclose-Secret. You can achieve the same functionality be restricting access based on a capability.” I see the point.