Here’s a code patch for anyone bothered by Role Scoper’s disobedience of the child_of parameter.  Human translation: When you are viewing a page on the front end of your site, if your theme normally narrows the sidebar pages listing down to subpages of the current page, you will instead get a list of all viewable pages. The fix for this affects several files and will be included in the next Role Scoper revision. Until then, here is a manual code patch that will work if your wp_list_pages call is passing child_of and depth=1.

In wp-content/plugins/role-scoper/hardway/hardway_rs.php, add:
if ( ! empty($child_of) && ! empty($depth) && ( 1 == $depth ) ) {
foreach ( $pages as $key => $page ) {
if ( isset($page->post_parent) && ( $child_of != $page->post_parent ) )
unset($pages[$key]);
}
}
just before:
$cache[ $ckey ] = $pages;

Thanks to Marci for the bug report.

Due to a bug I introduced a few versions ago, private pages can only be listed in your site’s sidebar / topbar if Role Scoper’s hidden content teaser is enabled. To make private pages listable for users with a sufficient role, please perform the following officially sanctioned Role Scoper hack:

In wp-content/plugins/role-scoper/hardway/hardway_rs.php, add
if ( $list_private_pages ) $request = str_replace("AND post_status='publish'", "AND ( post_status IN ('publish','private') )", $request);
just before

if ( ( ! is_admin() && ! defined('XMLRPC_REQUEST')
As you know may know, this functionality also requires enabling the checkbox “include Private Pages in listing if user can read them” in Role Scoper Options.

An equivalent fix will be included in the next Role Scoper revision.

Starting around Role Scoper 0.9.15, a new Page Parent filtering scheme for non-administrators allowed pages to be displayed with correct hierarchy even if the user lacks association rights on one or more ancestors.  I must repent in sackcloth and ashes for the means used to accomplish this: re-querying pages at each branch of the parent tree.  This would have little effect for a simple tree of a few pages.  But for blogs with a lot of subpage branches, the slowdown and server drag could become trememdous.  This was easily corrected by querying pages once and passing the result to each branch.  I apologize for any frustration it may have caused page editors.

Also in Role Scoper 0.9.27 are a few fixes related to post editing by users with limited category access:

• fixed: Extremely slow loading of Page Parent dropdown due to recursive queries on page edit by non-administrator

• fixed: If a user who lacks editing capabilities in the default category saves a page without selecting a category, the post was stored as draft/pending in category “-1″ and the user could not re-edit it

• feature: If post would be set to default category but user lacks save/edit/publish capability there, it is instead defaulted to first category in user’s available list

• fixed: Post/Page counts on Manage Posts/Pages were not filtered correctly for users with ID > 9

Recent changes to the inner working of Role Scoper’s Hidden Content Teaser proved to clash with the Page Category Plus plugin. Anyone using this plugin in conjunction with Role Scoper should upgrade to Role Scoper 0.9.26 as soon as possible to avoid exposure of restricted or private content. At the very least, Page Category Plus users should disable Role Scoper’s Hidden Content Teaser until you are able to perform this upgrade.

For those not categorising pages, this is an optional update. There are a few minor fixes noted in the change log below. If these do not concern you, a reasonable option is to stick with the previous version, or revert to it if problems arise with 0.9.26.

Change log for Role Scoper 0.9.26:

Page Categories (Page Category Plus plugin + Categorized Pages + Role Scoper “Section Roles for Pages” realm setting):

• fixed: Using Page Categories with Teaser disabled for posts and pages, pages in an Exclusive Readers category were exposed in the posts listing

• fixed: Using Page Categories with Teaser disabled for posts and pages, visible pages did not force their category into the categories list

• fixed: Using Page Categories With Teaser enabled for posts or pages, various inappropriate exposure of private / exclusive pages and posts

• fixed: Using Page Categories, false teaser displayed for some posts/pages (though direct access granted)

• fixed: Using Page Categories, false teaser displayed to Administrator

• fixed: Using Page Categories, Pages were not correctly accounted in category count

• fixed: Using Page Categories, when Manage Posts list is filtered by Category, Category Roles and Object Roles columns became invalid for mixed results of Posts and Pages

Admin - General:

• fixed: In Post/Page role assignement users list, indication of implicitly owned roles did not correctly account for Exclusive Sections settings

• fixed: 404 message instead of Teaser for direct access attempt to private Post/Page

• change: Different approach to forcing inclusion of private posts/pages for qualified users or teasing, eliminates risk of content exposure to unqualified users due to unexpected configuration such as occurred with Page Category Plus.

• change: In the Role tabs of Post/Page Edit form, captions next to “Exclusive” checkbox are more descriptive

• change: In the Readers tab of Post/Page Edit form, caption cites “Readers” role (was “Private Page Readers”)

The recent releases of Role Scoper don’t deal well with categorized pages, especially when the Hidden Content Teaser is enabled.  I will post a fix for later tonight.  This only affects users of Page Category Plus or other page-categorizing plugins.

Late last night I was very non-pleased to discover that, although Role Scoper 0.9.24 correctly displayed the published, private and draft totals based on the user’s editing access, it did not see fit to preserve the paging links that would allow me to step past the 15 most recent entries. Another bug discovery requiring an immediate fix.

It turns out that my solution to the previous Teaser activation problem (hooking it to posts_results) was fine for the teaser, but not for my other logging and analysis of listed results. Since that analysis involved another query, it reset the “found rows” count which WordPress relies on for the paging. Now that code is moved back to the_posts, where it does not bother anyone. As much as I hated to toss out yet another release, I thought those of you who downloaded 0.9.24 would like your paging links back.

Release Notes for Role Scoper 0.9.25:

Admin - General:

• fixed: Vanished paging links in Manage Posts and Manage Pages

• fixed: In WP 2.6, each Revision save caused a superfluous copy of object role assignments to be stored

• fixed: On Exclusive Object Roles page, some settings were hidden from Administrators (though displayed in single Post/Page edit and Manage Posts/Pages list)

• fixed: PHP warning in Dashboard if no comments were stored

• feature: While viewing Roles->Section Roles, main Groups tab links to Groups->Section Roles. Likewise in reverse and for Blog Roles

Realm Settings:

• fixed: If “Object Roles for Posts/Pages” was switched off, Object Roles were not honored but Object Role requirements (Exclusive Object Roles) were still enforced.

• fixed: If “Object Roles for Posts/Pages” was switched off, Object Role tabs still appeared in the Post/Page edit form and in the Manage Posts/Pages columns

• fixed: If front-end or admin filtering was switched off, some content restriction/allowance was still performed

• fixed: Disabling category or link category created errors. Switch is now removed. Custom WordPress taxonomies can still be activated/deactivated.

• fixed: More descriptive captions on Realm page

Here we go again. Let’s hope you all enjoy my soothing green download screen. I have a bad habit of waking up to the realization of some oversight I made in the previous night’s coding fury. It’s surely not the ideal development model, but since Role Scoper is determined to have a say in everything WordPress displays or saves (and doesn’t always have convenient hooks for doing so), I need to act quickly when it misbehaves. Thanks to everyone who has patiently followed these releases; I see clear progress toward the grand CMS permissions goal.

Thanks to June for the continuing feedback on Hidden Content Teaser issues (seemingly now resolved).

The change log for Role Scoper 0.9.24:

Category Management by non-Administrator:

• fixed: When the parent category was hidden, could not edit without changing actual parent category

• fixed: “Manage Categories” list was overly restricted

Hidden Content Teaser:

• fixed: Teaser was not working for pages (was always hiding them)

Admin - Exclusive Sections / Section Roles:

• change: Link to Exclusive Sections from single Category Edit page is now captioned “Access Restriction (Exclusive Sections)”

• fun feature: Scroll links in Section Roles and Exclusive Sections are color-trended and size-trended to illustrate hierarchy

Here’s a reasonably happy ending to a brutal day here in the land of high hopes and outrageous aspirations. Am I paying for my insistance on taking big bites? My morning started with three reports - two from “veteran” scopers:

1. “My private pages are all suddenly listed and readable”
2. “My hidden content teaser stopped working; now all those posts are exposed”
3. “When I activated Role Scoper it uncategorized all my posts (and this with WordPress 2.5)”

And this was supposed to be the day when I start working on something else. Well, I explained (1) as a configuration issue which led to some interesting points about wp_list_pages behavior.

Bug (2) was due to some combination of undeclared property variables (fine on most servers but not on that one) and variable scope issues with functions hooked to the_posts. Switching to posts_results filtering did the trick.  This fix probably also corrects other unreported bugs on susceptible servers.  If you have struggled making Role Scoper do things that seem to work for everyone else, give this a shot.

(3) is still unresolved and unconfirmed, but I did put every sensible safeguard in place to make it seemingly impossible for Role Scoper’s category filtering to strip existing stored categories.

While on this bug hunt, I also corrected some other Teaser issues as well as several Category filtering bugs. The change log for Role Scoper 0.9.23:

Hidden Content Teaser:

• fixed: Hidden Content Teaser failed on some servers due to RS use of undeclared properties and unreliability of WordPress the_posts hook for this purpose (using posts_results instead)

• fixed: potentially, other undiscovered bugs related to the failure of undeclared properties on some servers

• fixed: Comments were visible even in posts hidden with teaser

• fixed: With teaser on, visible pages below a private page did not retain their hierarchy

• fixed: Teaser was teasing unviewable private pages even if the “include private pages if user can read them” option was disabled. Now, if that setting is activated, private pages will never be listed or teased.

Categories:

• fixed: For Users < WP editor, other users’ published posts could be listed and edited (but not saved) if user had a Section Role assignment of Author in one of the post categories

• fixed: (theoretically) Imposed safeguards against potential stripping of existing post categories/tags, reported by one user and potentially possible if a post save operation was triggered from an unusual URI. Now limit RS category/tag filtering to expected URIs

• fixed: Categories with Exclusive Section settings were not filtered properly with “Realms -> Section Roles for Pages” enabled. This would pertain to installations that use Page Category Plus

• fixed: Non-admin users with Category management in a category could modify Exclusive Sections settings for roles they do not possess, effectively promoting themselves to a higher category role.

• fixed: After a Section Role or Exclusive Sections setting which lowers the user’s own administration rights, newly inaccessable categories did not disappear from the UI until after the next page reload

Yes, officially, the third release within 24 hours: Role Scoper 0.9.22 These recent revisions have lots of significant features and bug fixes; it feels like circling in on some stability and completion. I plan to limit my Scoping time over the next couple weeks to only serious bugs which may arise, so now is a good time to upgrade.

The headline feature is a separate Hidden Content Teaser enable for posts and pages. Previously, posts and pages markup and teaser messages could be configured separately but had a shared on/off switch. In reality, the teaser was never applied to the page listing (pages were just dropped off the list). Now it is.

When the teaser is activated, inaccessible content will be replaced by a message of your choice. Otherwise (by default) it is completely hidden.

• feature: Activate Teaser separately for posts, pages

• fixed: Inaccessable pages were always hidden (never teased) regardless of Teaser setting

• fixed: Posts which are exclusive due to Exclusive Section were not flagged by is_exclusive_rs() template function

• fixed: (important): For Category Management (including Section Role assignment and Exclusive Sections modification), non-Admin users were not properly limited by Exclusive Sections settings.

• fixed: WP 2.2 compatability was broken; restored now. (mainly an excercise to ensure support of custom data source and taxonomy schemas)

Roadmap for the next planned release (ETA 2 weeks):

My plan for the next release is to pursue some plugin compatability issues. Role Scoper seems to conflict with some plugins/widgets that do custom login/logout redirection (MiniMeta widget is an unconfirmed suspect). One symptom reported by 2 or 3 people has been 500 Server Error on Role Scoper activation. Also a report on conflicts with the AMember plugin which will take me some effort to replicate.

WordPress 2.6 introduces Post/Page revisioning.  When you use Role Scoper to customize editing access, it would be nice if a user’s access to revision management followed their regular editing access.

Well, this afternoon I realized that with a little more work I could probably make Role Scoper work that way,  so I did it.  This is the only change from version 0.9.20, but it is a significant feature for those who want to grant or restrict editing access beyond a user’s WordPress blog role.  Make it happen with Role Scoper 0.9.21