Restricting User Access
I am not done with the whole tagging mess, yet there is a new requirement:
restrict user access to different parts of the site
- at least three access levels
- each next level supersedes the previous ones (no partial overlaps)
- restrict access to Pages (but I can bet your immortal sould that I will be asked to restrict access to Posts by category next).
Guess what… there are plenty of plug-ins, yet none take care of the whole thing.
A good list of plug-ins can be found here.
As far as I can tell, NONE protects both Posts and Pages. The best I can hope for is a combination of two plug-ins that can be configured to rely on the same roles.
Beyond the current requirements but potentially very useful: “Secure Files“.
Clearly, not much can be accomplished without the Role Manager.
Not right for my task (probably excellent in other environments):
- “Category Visibility” plug-in: “This method is not designed as a security device, only as a display method. A guest can still access a post by post number”.
- “Disclose-Secret” plug-in: very nice design, but no page restriction and no post restriction by category.
- “WP-Members” – “I intend to add the ability to block the loop based on categories so that some could be restricted and others open.”
- “Limit Categories” – it comes from the Role Manager author. If that one does not work, I do not know what does! – “Limits the categories to which users of
certain levels can make posts”
- “Pages for members only 0.2” – same question, what about the Roles – not really?
- “Subscribers-Only” – focused on Posts, uses Roles. Does not hide the excerpts. Not available. The author has been re-working it for at least half a yeear now.
- “User Permissions” – manages edit permissions only… but at least it works with Roles (why not create capabilities?) and it builds a nice side menu (re-usable code?)
- “Page Restriction” – works nicely with “Page Access” (which implements a proprietary Roles system).
So… what am I left with?
In a perfect world
- I would easily define capabilities like view.everyone and view.subscribers, and view.other – this can be done today.
- I would attach such capabilities to pages – probably can be done via custom fields (there is a plug-in for accessing them)
- I would be able to exclude such pages from display/search – via a filter? Now this would require coding.
- Ditto for posts
- Management of access capabilities for posts by category would be really nice. There are no “custom fields” for Categories though. So this would call for a propagation mechanism: “apply capability to every post in a category” and such.
- User Profile should display user capabilities
- When content is unavailable, a log-inpage should be presented, or, if the user is already logged in, an explanation why access is barred
- A function “is_capability()” needs to be defined. Or maybe it already exists? (Would be extremely useful for showing links to secured content.)
- A filter for wordpress functions that list links to pages/posts…
- A management interface – to select “access capabilities” sub-list from all capabilities. The sub-list will be uses in Page/Post Edit UI, and maybe in a separate management UI.
All in all.. not that much if I had time. Let’s see what happens. I have used Page Restriction with great success before, maybe I can twist it a bit for now till “Disclose-Secret” matures (it is getting there but I dislike that things do not show up in search and such – this is a result of a design decision and I do not see it overturned easily).
Update: “Disclose-Secret” now supports roles and capabilities. Way to go! It seems to be a clear winner.
The author has a strong (and justified) opinion about categories: “access restriction based onategories is not and will not be implemented into Disclose-Secret. You can achieve the same functionality be restricting access based on a capability.” I see the point.
About this entry
You’re currently reading “Restricting User Access,” an entry on N0T a Blog
- December 7, 2006 / 9:35 am