Introducing Role Scoper for WordPress


WordPress: Capabilities, Roles and Wish Lists

Whenever you access a WordPress site, the software considers what you are trying to do: read a post, edit a page, manage categories. Most sites allow you to read posts and pages without logging in. Any other operation you may request is permitted only if your user definition (as identified by login name and password) includes a corresponding capability.

For administrative convenience, WordPress bundles capabilities into collections called roles. By default, these roles are:

Subscriber:

  • read published posts and pages

Contributor:

  • all Subscriber capabilities
  • contribute a post (for review by editor), and edit it before publication

Author:

  • all Contributor capabilities
  • contribute a post, publish/unpublish/edit it, and moderate its comments

Editor:

  • all Author capabilities
  • contribute/publish/unpublish/edit any user’s post
  • contribute or edit any page
  • manage all categories and moderate any comment
  • read posts and pages which are marked “private”

Administrator:

  • all Editor capabilities
  • define users and assign them roles
  • configure all site options

This role configuration works well for WordPress’ conventional application as a single-user blog. But what if you want someone to contribute their own pages without editing others’ posts or pages? Or maybe some users should edit others’ posts without being able to edit pages at all. The current solution is to use an existing plugin like Role Manager to either redefine “Editor”, or create a cloned “Special Editor” role, moving existing Editors to it as needed. As plugins come on board with additional capabilities, the role permutations increase. This one-role-per-user paradigm makes for simple source code and queries, but as a site shifts from single-user blog to multi-user CMS, role creation / editing is inconvenient for both developer and site administrator.

If you manage to successfully define and assign custom roles for your WordPress CMS, soon you will wonder how to grant reading or editing capabilities for multiple subsets of posts or pages. On your WordPress-powered high school news site, how can you enable someone to post only to the “Sports” category? On your corporate intranet site, can you conveniently enable members of HR to edit existing and future personnel policy pages (but not the engineering best practices pages)? Can you enable someone to create a new page, but specify a subset of “parent” pages it can be linked to? Can all these content-specific roles be administered on a sectional basis, or must someone edit/administer the whole site or nothing?

By default, WordPress doesn’t have a good answer to those CMS dreams, regardless of any custom roles you may define.

Some past and current WordPress plugins (Limit Categories, Category Visibility, Post Levels, Restrict Pages, Disclose Secret, WP-Group-Restriction) have dealt with pieces of this permissions puzzle. Using them, I appreciated a multitude of useful features. Yet as I tried and tried again to combine and configure this plugin assortment to meet all my WordPress CMS aspirations, there was always a missing piece.

Enter Role Scoper

Role Scoper is a comprehensive enrichment for capability enforcement and administration in WordPress. Assign reading, editing or administration roles to users or groups on a page-specific, category-specific or other content-specific basis.

Role Selection Boxes in Edit Post / Page Form (note: for basic usage, this is all you need to deal with):

screen shot: Role Assignment Tabs in Edit Post

screen shot: Role Assignment Tabs in Edit Page

Optionally, define User Groups for subsequent Role Assignment:

screen shot: Edit User Group

Each User’s WordPress role is honored by default, but can be:

  • supplemented with content-specific role assignments
  • disregarded if the role is restricted for the requested content

Scoped Roles in User Profile:

screen shot: Scoped Roles in User Profile

Set Category Restrictions to block reading/editing access for users who have a specified WordPress role but no corresponding Role Scoper role (note, post/page restrictions also available):

Assign Category Roles to expand reading or editing access:


Scoped role restrictions and assignments are reflected in every aspect of the WordPress interface, from front end content and navigation to administrative post and comment totals.

Additional features:

  • Propagation of Roles or Restrictions to subcategories / child pages
  • Default Restrictions, Default Roles and Default Groups automate admin tasks
  • Hidden Content Teaser: choose whether unreadable front-end content is hidden or replaced with a customizable teaser
  • Role Administration Aids: the Post/Page role assignment UI indicates where users have a role implicitly via WP role, category role or group membership. (Made possible by a new role storage schema and the users_who_can function.)
  • Pending Revisions enable Contributors to edit a published post/page, with the change held for review by an administrator. Update: Pending Revisions are now handled by the Revisionary plugin.
  • Internal File Cache limits Role Scoper’s database query overhead
  • Attachment Filtering prevents direct file access to your uploaded images/documents if the user can’t view the containing post/page
  • Plugin API allows other plugins to define their own data sources, taxonomies, capabilities and content-specific roles
  • User Customization of Role Definitions (add or remove applicable capabilities for each content-specific role)
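The decision order described above (WordPress role honored by default, supplemented by category roles, disregarded under a category restriction, both propagating to subcategories) can be modeled as follows. This is an added example, not Role Scoper's or WordPress's own code: the capability sets are a simplified subset of WordPress core capabilities, and the users, category tree and `can` function are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified capability sets; names follow WordPress core capabilities.
ROLE_CAPS = {
    "subscriber":  {"read"},
    "contributor": {"read", "edit_posts"},
    "author":      {"read", "edit_posts", "publish_posts"},
    "editor":      {"read", "edit_posts", "publish_posts", "edit_others_posts"},
}

# Constructed category tree (child -> parent) for a school news site.
PARENT = {"Varsity": "Sports", "Sports": None, "Opinion": None}

@dataclass
class Scopes:
    # category -> WordPress roles that are disregarded there.
    # Simplification: a restricted role loses all of its capabilities there.
    restrictions: dict = field(default_factory=dict)
    # (user, category) -> role granted for that category only
    assignments: dict = field(default_factory=dict)

def lineage(category):
    """Yield the category, then each ancestor, so scopes propagate downward."""
    while category is not None:
        yield category
        category = PARENT[category]

def can(user, wp_role, cap, category, scopes):
    """Decide whether `user` may exercise `cap` on content in `category`."""
    cats = list(lineage(category))
    # 1. A category role assigned here or on an ancestor supplements the WP role.
    for c in cats:
        scoped = scopes.assignments.get((user, c))
        if scoped and cap in ROLE_CAPS[scoped]:
            return True
    # 2. A restriction here or on an ancestor means the WP role is disregarded.
    if any(wp_role in scopes.restrictions.get(c, ()) for c in cats):
        return False
    # 3. Otherwise the sitewide WordPress role is honored.
    return cap in ROLE_CAPS[wp_role]

# Constructed policy: "Sports" is closed to sitewide authors and editors,
# and the contributor "dana" is made editor of that section only.
SCOPES = Scopes(
    restrictions={"Sports": {"author", "editor"}},
    assignments={("dana", "Sports"): "editor"},
)
```

Checking the category role before the restriction is what lets a restricted section stay open to the users explicitly assigned to it, while a sitewide Editor with no scoped role is denied there.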

Although Role Scoper’s default configuration is ideal for most sites, its functionality and sphere of influence are highly customizable to match your usage.


Due to its abstract data model and API, Role Scoper can be extended to bring content-specific access control to other plugins which define and check WordPress capabilities. The resulting plugin-specific roles will supplement any other assigned roles; there is no need to merge all capabilities into an all-inclusive role.

Role Scoper has been a stable release since March 2009, with over 200,000 downloads. This plugin is open source software released under the General Public License (GPL). Due to limitations, obligations and non-technical aspirations common to most human beings, I will probably never again donate unpaid plugin development on the scale Role Scoper has required. However, I do plan to provide some free support, correct bugs which emerge and revise the plugin for future WordPress versions. If it adds value to your website or saves you time and money, you can express appreciation in several ways: