Archive for 'Role Scoper'

Role Scoper Learns to Cooperate with Page Categories

Recent changes to the inner workings of Role Scoper’s Hidden Content Teaser proved to clash with the Page Category Plus plugin. Anyone using this plugin in conjunction with Role Scoper should upgrade to Role Scoper 0.9.26 as soon as possible to avoid exposure of restricted or private content. At the very least, Page Category Plus users should disable Role Scoper’s Hidden Content Teaser until they are able to perform this upgrade.

For those not categorising pages, this is an optional update. There are a few minor fixes noted in the change log below. If these do not concern you, a reasonable option is to stick with the previous version, or revert to it if problems arise with 0.9.26.

Change log for Role Scoper 0.9.26:

Page Categories (Page Category Plus plugin + Categorized Pages + Role Scoper “Section Roles for Pages” realm setting):

  • fixed: Using Page Categories with Teaser disabled for posts and pages, pages in an Exclusive Readers category were exposed in the posts listing
  • fixed: Using Page Categories with Teaser disabled for posts and pages, visible pages did not force their category into the categories list
  • fixed: Using Page Categories with Teaser enabled for posts or pages, various inappropriate exposure of private / exclusive pages and posts
  • fixed: Using Page Categories, false teaser displayed for some posts/pages (though direct access granted)
  • fixed: Using Page Categories, false teaser displayed to Administrator
  • fixed: Using Page Categories, Pages were not correctly accounted in category count
  • fixed: Using Page Categories, when Manage Posts list is filtered by Category, Category Roles and Object Roles columns became invalid for mixed results of Posts and Pages

Admin - General:

  • fixed: In Post/Page role assignment users list, indication of implicitly owned roles did not correctly account for Exclusive Sections settings
  • fixed: 404 message instead of Teaser for direct access attempt to private Post/Page
  • change: Different approach to forcing inclusion of private posts/pages for qualified users or teasing, eliminates risk of content exposure to unqualified users due to unexpected configuration such as occurred with Page Category Plus.
  • change: In the Role tabs of Post/Page Edit form, captions next to “Exclusive” checkbox are more descriptive
  • change: In the Readers tab of Post/Page Edit form, caption cites “Readers” role (was “Private Page Readers”)

Caution for Page Category Plus Users

The recent releases of Role Scoper don’t deal well with categorized pages, especially when the Hidden Content Teaser is enabled. I will post a fix later tonight. This only affects users of Page Category Plus or other page-categorizing plugins.

Role Scoper 0.9.25 Restores your Admin Paging

Late last night I was very non-pleased to discover that, although Role Scoper 0.9.24 correctly displayed the published, private and draft totals based on the user’s editing access, it did not see fit to preserve the paging links that would allow me to step past the 15 most recent entries. Another bug discovery requiring an immediate fix.

(Lesson learned: This is another teaser-related bug, all of which stem from my overly generous filling of the feature request for a separate post/page teaser enable. I should have known that the significant code shuffling warranted an extended period of testing. Well, the code is now better because of this and despite the unsettling press, the hidden content teaser is more reliable now than it was two weeks ago.)

It turns out that my solution to the previous Teaser activation problem (hooking it to posts_results) was fine for the teaser, but not for my other logging and analysis of listed results. Since that analysis involved another query, it reset the “found rows” count which WordPress relies on for the paging. Now that code is moved back to the_posts, where it does not bother anyone. As much as I hated to toss out yet another release, I thought those of you who downloaded 0.9.24 would like your paging links back.
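A minimal model of the failure described above, added here as an illustration and not taken from Role Scoper or WordPress. `FakeDb`, `runListing` and the analysis callback are hypothetical stand-ins, and the hook order (found-rows count read after `posts_results` and before `the_posts`) is the one the post implies.

```php
<?php
// Constructed model, not WordPress or Role Scoper code. FakeDb mimics MySQL,
// where FOUND_ROWS() reports on the most recent SELECT only.
class FakeDb {
    private $rows;
    private $foundRows = 0;

    public function __construct(array $rows) { $this->rows = $rows; }

    // Stands in for: SELECT SQL_CALC_FOUND_ROWS ... LIMIT $offset, $limit
    public function selectPage($offset, $limit) {
        $this->foundRows = count($this->rows); // total, ignoring LIMIT
        return array_slice($this->rows, $offset, $limit);
    }

    // Any other SELECT overwrites the stored count with its own row count.
    public function selectWhere(callable $match) {
        $hits = array_values(array_filter($this->rows, $match));
        $this->foundRows = count($hits);
        return $hits;
    }

    // Stands in for: SELECT FOUND_ROWS()
    public function foundRows() { return $this->foundRows; }
}

// Listing flow: fetch one page, run posts_results callbacks, read the
// found-rows count for paging, then run the_posts callbacks.
function runListing(FakeDb $db, $perPage, array $hooks) {
    $posts = $db->selectPage(0, $perPage);
    foreach ($hooks['posts_results'] ?? [] as $cb) { $posts = $cb($posts, $db); }
    $found = $db->foundRows();
    foreach ($hooks['the_posts'] ?? [] as $cb) { $posts = $cb($posts, $db); }
    return ['found' => $found, 'pages' => (int) ceil($found / $perPage)];
}

// Constructed sample data: 40 entries, three of them private.
$rows = [];
for ($i = 1; $i <= 40; $i++) {
    $rows[] = ['ID' => $i, 'post_status' => $i % 13 === 0 ? 'private' : 'publish'];
}

// Hypothetical analysis callback that issues a second query of its own.
$analysis = function (array $posts, FakeDb $db) {
    $db->selectWhere(function ($r) { return $r['post_status'] === 'private'; });
    return $posts;
};

$early = runListing(new FakeDb($rows), 15, ['posts_results' => [$analysis]]);
$late  = runListing(new FakeDb($rows), 15, ['the_posts' => [$analysis]]);

printf("query in posts_results: found=%d pages=%d\n", $early['found'], $early['pages']);
printf("query in the_posts:     found=%d pages=%d\n", $late['found'], $late['pages']);
```

The early hook leaves the listing with the second query's row count instead of the full total, so fewer pages are computed; the late hook runs after the count has already been read.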

Release Notes for Role Scoper 0.9.25:

Admin - General:

  • fixed: Vanished paging links in Manage Posts and Manage Pages
  • fixed: In WP 2.6, each Revision save caused a superfluous copy of object role assignments to be stored
  • fixed: On Exclusive Object Roles page, some settings were hidden from Administrators (though displayed in single Post/Page edit and Manage Posts/Pages list)
  • fixed: PHP warning in Dashboard if no comments were stored
  • feature: While viewing Roles->Section Roles, main Groups tab links to Groups->Section Roles. Likewise in reverse and for Blog Roles

Realm Settings:

  • fixed: If “Object Roles for Posts/Pages” was switched off, Object Roles were not honored but Object Role requirements (Exclusive Object Roles) were still enforced.
  • fixed: If “Object Roles for Posts/Pages” was switched off, Object Role tabs still appeared in the Post/Page edit form and in the Manage Posts/Pages columns
  • fixed: If front-end or admin filtering was switched off, some content restriction/allowance was still performed
  • fixed: Disabling category or link category created errors. Switch is now removed. Custom WordPress taxonomies can still be activated/deactivated.
  • fixed: More descriptive captions on Realm page

Your Daily Update: Page Teaser, Category Edit Fixes

Here we go again. Let’s hope you all enjoy my soothing green download screen. I have a bad habit of waking up to the realization of some oversight I made in the previous night’s coding fury. It’s surely not the ideal development model, but since Role Scoper is determined to have a say in everything WordPress displays or saves (and doesn’t always have convenient hooks for doing so), I need to act quickly when it misbehaves. Thanks to everyone who has patiently followed these releases; I see clear progress toward the grand CMS permissions goal.

Thanks to June for the continuing feedback on Hidden Content Teaser issues (seemingly now resolved).

The change log for Role Scoper 0.9.24:

Category Management by non-Administrator:

  • fixed: When the parent category was hidden, could not edit without changing actual parent category
  • fixed: “Manage Categories” list was overly restricted

Hidden Content Teaser:

  • fixed: Teaser was not working for pages (was always hiding them)

Admin - Exclusive Sections / Section Roles:

  • change: Link to Exclusive Sections from single Category Edit page is now captioned “Access Restriction (Exclusive Sections)”
  • fun feature: Scroll links in Section Roles and Exclusive Sections are color-trended and size-trended to illustrate hierarchy

Role Scoper 0.9.23 - Could it Last a Week?

Here’s a reasonably happy ending to a brutal day here in the land of high hopes and outrageous aspirations. Am I paying for my insistence on taking big bites? My morning started with three reports - two from “veteran” scopers:

  1. “My private pages are all suddenly listed and readable”
  2. “My hidden content teaser stopped working; now all those posts are exposed”
  3. “When I activated Role Scoper it uncategorized all my posts (and this with WordPress 2.5)”

And this was supposed to be the day when I start working on something else. Well, I explained (1) as a configuration issue which led to some interesting points about wp_list_pages behavior.

Bug (2) was due to some combination of undeclared property variables (fine on most servers but not on that one) and variable scope issues with functions hooked to the_posts. Switching to posts_results filtering did the trick.  This fix probably also corrects other unreported bugs on susceptible servers.  If you have struggled making Role Scoper do things that seem to work for everyone else, give this a shot.

(3) is still unresolved and unconfirmed, but I did put every sensible safeguard in place to make it seemingly impossible for Role Scoper’s category filtering to strip existing stored categories.

While on this bug hunt, I also corrected some other Teaser issues as well as several Category filtering bugs. The change log for Role Scoper 0.9.23:

Hidden Content Teaser:

  • fixed: Hidden Content Teaser failed on some servers due to RS use of undeclared properties and unreliability of WordPress the_posts hook for this purpose (using posts_results instead)
  • fixed: potentially, other undiscovered bugs related to the failure of undeclared properties on some servers
  • fixed: Comments were visible even in posts hidden with teaser
  • fixed: With teaser on, visible pages below a private page did not retain their hierarchy
  • fixed: Teaser was teasing unviewable private pages even if the “include private pages if user can read them” option was disabled. Now, if that setting is activated, private pages will never be listed or teased.

Categories:

  • fixed: For Users < WP editor, other users’ published posts could be listed and edited (but not saved) if user had a Section Role assignment of Author in one of the post categories
  • fixed: (theoretically) Imposed safeguards against potential stripping of existing post categories/tags, reported by one user and potentially possible if a post save operation was triggered from an unusual URI. Now limit RS category/tag filtering to expected URIs
  • fixed: Categories with Exclusive Section settings were not filtered properly with “Realms -> Section Roles for Pages” enabled. This would pertain to installations that use Page Category Plus
  • fixed: Non-admin users with Category management in a category could modify Exclusive Sections settings for roles they do not possess, effectively promoting themselves to a higher category role.
  • fixed: After a Section Role or Exclusive Sections setting which lowers the user’s own administration rights, newly inaccessible categories did not disappear from the UI until after the next page reload

Improved Teaser, Fix for Shared Role Management

Yes, officially, the third release within 24 hours: Role Scoper 0.9.22. These recent revisions have lots of significant features and bug fixes; it feels like circling in on some stability and completion. I plan to limit my Scoping time over the next couple weeks to only serious bugs which may arise, so now is a good time to upgrade.

The headline feature is a separate Hidden Content Teaser enable for posts and pages. Previously, posts and pages markup and teaser messages could be configured separately but had a shared on/off switch. In reality, the teaser was never applied to the page listing (pages were just dropped off the list). Now it is.

When the teaser is activated, inaccessible content will be replaced by a message of your choice. Otherwise (by default) it is completely hidden.

  • feature: Activate Teaser separately for posts, pages
  • fixed: Inaccessible pages were always hidden (never teased) regardless of Teaser setting
  • fixed: Posts which are exclusive due to Exclusive Section were not flagged by is_exclusive_rs() template function
  • fixed: (important): For Category Management (including Section Role assignment and Exclusive Sections modification), non-Admin users were not properly limited by Exclusive Sections settings.
  • fixed: WP 2.2 compatibility was broken; restored now. (mainly an exercise to ensure support of custom data source and taxonomy schemas)

Roadmap for the next planned release (ETA 2 weeks):

My plan for the next release is to pursue some plugin compatibility issues. Role Scoper seems to conflict with some plugins/widgets that do custom login/logout redirection (MiniMeta widget is an unconfirmed suspect). One symptom reported by 2 or 3 people has been 500 Server Error on Role Scoper activation. Also a report on conflicts with the AMember plugin which will take me some effort to replicate.

Full Access Control of Revisions in WP 2.6

WordPress 2.6 introduces Post/Page revisioning.  When you use Role Scoper to customize editing access, it would be nice if a user’s access to revision management followed their regular editing access.

Well, this afternoon I realized that with a little more work I could probably make Role Scoper work that way, so I did it. This is the only change from version 0.9.20, but it is a significant feature for those who want to grant or restrict editing access beyond a user’s WordPress blog role. Make it happen with Role Scoper 0.9.21.

A Flood of Fixes and Features in Role Scoper 0.9.20

Here’s a Role Scoper Update with something for everyone. At least 17 bug fixes and 10 features, most of which pertain to either WordPress 2.6 or editing by Subscribers or Contributors via scoped roles. Also some improvements to front end Category/Page list filtering and even a patch for a WordPress bug involving page permalinks. Soon I’ll trac that and thank by name all of you who helped direct me to these changes. But first I must sleep and then get back to my higher-paying job. Now on to the change log for Role Scoper 0.9.20:

Documentation:

  • doc: revised Usage Guide to include How To section, converted to html document

Front End:

  • feature: Option to suppress private pages from front end listing even if user can read them
  • fixed: In hierarchical page listings, Child Pages were not nested correctly with a hidden ancestor
  • fixed: In hierarchical category listings, Subcategories were not nested correctly with a hidden ancestor

WP Bug Patch:

  • feature: For %page_name% permalink structure, WP was generating invalid page link with unpublished ancestors. Convert these to page_id permalink

WordPress 2.6 Compatibility:

  • fixed: WP 2.6 Page Revisions were completely hidden, even for administrator. Restored, but do not yet honor scoped roles or exclusions. Review & Rollback capability follows blog-wide post edit role assignments, including Role Scoper Blog Roles.
  • fixed: Hidden Content Teaser didn’t work with WP 2.6
  • fixed: In WP 2.6, “header already sent” error message after saving a page

Dashboard Filtering:

  • feature: Dashboard now includes private posts/pages in totals
  • feature: Dashboard summary sentence now includes totals and link for draft/future/pending pages
  • fixed: Dashboard filtering (total posts, Write Post/Page links, etc) was accidentally disabled in the last several versions
  • fixed: Existing Dashboard filtering of comment totals became partially dysfunctional in WP 2.6 due to some revised queries

Admin General:

  • fixed: Associate role assignment was hidden from non-admin users in Page Edit form
  • fixed: When an ancestor term or object was deleted, its propagated roles were also deleted. Now propagated roles are retained and converted to direct-assigned
  • change: In Realms settings, default to NOT adjustable realm, hide underlying object type, access type activation UI until Adjustable Realm is activated. (This eliminates some option queries).

Admin Navigation & Access for Elevated users (Subscribers/Contributors with Category/Post/Page-specific Editing Role(s) ):

  • feature: Admin notice message if user lacking blog-wide edit_others_pages capability tries to associate a page with Main Page (or disassociate a current child of Main)
  • feature: For posts/pages which have ever been published, hide admin divs (Password, Page Parent, etc. as defined in Role Scoper Options) if user doesn’t have any blog-wide editing capabilities (i.e. if they are Subscribers)
  • feature: Hide Editing/Association role assignment in post/page edit form if user doesn’t have any blog-wide editing capabilities (i.e. if they are Subscribers)
  • fixed: PHP warning at the bottom of Page Edit form on first entry by a Subscriber with Page Edit role
  • fixed: Filtering of comments so uneditable comments are not listed at all
  • fixed: In WP Admin, Manage Pages linked “Write” to page-new.php even if user can’t edit_pages blog-wide
  • fixed: If a user who can’t edit pages accesses page-new.php directly, they got an edit form and could save posts
  • fixed: Subscribers with a page/post editing role assignment were not included in the “post author” dropdown
  • fixed: Pages/Posts listed though not editable if owned by current user but published and set to exclusive Editors with owner not assigned as an Editor. Corrected to no edit listing or edit form access for “owner” in this situation.
  • change: By default, DON’T exclude subscribers from Page/Post Contributor/Editor role assignments (can enforce limitation via Role Scoper Options)
  • change: Category selection is NOT hidden from Contributors by default (appears as c-ategorydiv in Role Scoper “Css admin divs” option; change to categorydiv to hide from Contributors)

Usage with ‘WP’ Role Type:

  • feature: Category and Post/Page role assignment indicator columns in Manage Posts, Manage Pages when using WP Role Type (but Exclusive indicator col and is_exclusive_rs() template function still only supported with RS role type)
  • feature: When using “WP” role type, “Anonymous Reader” role may be set as an object role assignment or as an Exclusive Object role (ignoring the default role “assignment” which anonymous users have)
  • fixed: When using “WP” role type, Exclusive Section settings for “Anonymous Reader” were not being stored
  • fixed: Pages all hidden when using “WP” role type

Performance:

  • fixed: LOTS of redundant queries in edit-comments.php for non-admin user
  • fixed: Redundant option queries

Security:

  • feature: On initialization failure due to already-plugged set_current_user function, default all scoper-defined data sources to zero content visibility (previously just did it for posts, pages)

Usage Guide now includes How To Section

The Role Scoper Usage Guide has been updated to include a How To section with step-by-step instructions. This currently covers common tasks in the configuration of read access for posts and pages. Future document revisions will cover other topics, including post/page/category-specific editing roles and page parent restriction.

Scoping with “WP” Role Type May Cause Unpleasant Side Effects

Jennifer Zelazny just informed me of a bug which occurs when Role Scoper is configured to apply WordPress-defined (“WP”) roles in the Term and Object scope.

With Role Type set to “WP”, saving any page as private causes all pages to be hidden from anonymous non-admin users. I plan to pursue a fix for this Monday. Since Role Scoper Options (WP Admin: Roles > Roles) are set to “RS” role type by default, this bug does not affect most installations.

update: It doesn’t matter what pages have been saved as private.