Whenever you access a WordPress site, the software considers what you are trying to do: read a post, edit a page, manage categories. Most sites allow you to read posts and pages without logging in. Any other operation you may request is permitted only if your user definition (as identified by login name and password) includes a corresponding capability.
For administrative convenience, WordPress bundles capabilities into collections called roles. By default, these roles are:
- read published posts and pages
- all Subscriber capabilities
- contribute a post (for review by editor), and edit it before publication
- all Contributor capabilities
- contribute a post, publish/unpublish/edit it, and moderate its comments
- all Author capabilities
- contribute/publish/unpublish/edit any user’s post
- contribute or edit any page
- manage all categories and moderate any comment
- read posts and pages which are marked “private”
- all Editor capabilities
- define users and assign them roles
- configure all site options
This role configuration works well for WordPress’ conventional application as a single-user blog. But what if you want someone to contribute their own pages without editing other’s post or pages? Or maybe some users should edit other’s posts without being able to edit pages at all. The current solution is to use an existing plugin like Role Manager to either redefine “Editor”, or create a cloned “Special Editor” role, moving existing Editors to it as needed. As plugins come on board with additional capabilities, the role permutations increase. This one-role-per-user paradigm makes for simple source code and queries, but as a site shifts from single-user blog to multi-user CMS, role creation / editing is inconvenient for both developer and site administrator.
If you manage to successfully define and assign custom roles for your WordPress CMS, soon you will wonder how to grant reading or editing capabilities for multiple subsets of posts or pages. On your WordPress-powered high school news site, how can you enable someone to post only to the “Sports” category? On your corporate intranet site, can you conveniently enable members of HR to edit existing and future personnel policy pages (but not the engineering best practices pages)? Can you enable someone to create a new page, but specify a subset of “parent” pages it can be linked to? Can all these content-specific roles be administered on a sectional basis, or must someone edit/administer the whole site or nothing?
By default, WordPress doesn’t have a good answer to those CMS dreams, regardless of any custom roles you may define.
Some past and current WordPress plugins (Limit Categories, Category Visibility, Post Levels, Restrict Pages, Disclose Secret, WP-Group-Restriction) have dealt with pieces of this permissions puzzle. Using them, I appreciated a multitude of useful features. Yet as I tried and tried again to combine and configure this plugin assortment to meet all my WordPress CMS aspirations, there was always a missing piece.
Enter Role Scoper
Role Scoper is a comprehensive enrichment for capability enforcement and administration in WordPress. Assign reading, editing or administration roles to users or groups on a page-specific, category-specific or other content-specific basis.
Role Selection Boxes in Edit Post / Page Form (note: for basic usage, this is all you need to deal with):
Optionally, define User Groups for subsequent Role Assignment:
screen shot: Edit User Group
Each User’s WordPress role is honored by default, but can be:
- supplemented with content-specific role assignments
- disregarded if the role is restricted for the requested content
Set Category Restrictions to block reading/editing access for users who have a specified WordPress role but no corresponding Role Scoper role (note, post/page restrictions also available):
Assign Category Roles to expand reading or editing access:
Scoped role restrictions and assignments are reflected in every aspect of the WordPress interface, from front end content and navigation to administrative post and comment totals.
- Propagation of Roles or Restrictions to subcategories / child pages
- Default Restrictions, Default Roles and Default Groups automate admin tasks
- Hidden Content Teaser: choose whether unreadable front-end content is hidden or replaced with a customizable teaser
- Role Administration Aides: Post/Page role assignment UI indicates where users have a role implicitly via WP role, category role or group membership. (Made possible by a new role storage schema and users_who_can function).
- Pending Revisions enable Contributors to edit a published post/page, with the change held for review by an administrator update: Pending Revisions are now handled by the Revisionary plugin.
- Internal File Cache limits Role Scoper’s database query overhead
- Attachment Filtering prevents direct file access to your uploaded images/documents if the user can’t view the containing post/page
- Plugin API allows other plugins to define their own data sources, taxonomies, capabilities and content-specific roles
- User Customization of Role Definitions (add or remove applicable capabilities for each content-specific role)
Although Role Scoper’s default configuration is ideal for most sites, its functionality and sphere of influence is highly customizable to match your usage.
Due to its abstract data model and API, Role Scoper can be extended to bring content-specific access control to other plugins which define and check WordPress capabilities. The resulting plugin-specific roles will supplement any other assigned roles; there is no need to merge all capabilities into an all-inclusive role.
Role Scoper has been a stable release since March 2009, with over 200,000 downloads. This plugin is open source software released under the General Public License (GPL). Due to limitations, obligations and non-technical aspirations common to most human beings, I will probably never again donate unpaid plugin development on the scale Role Scoper has required. However, I do plan to provide some free support, correct bugs which emerge and revise the plugin for future WordPress versions. If it adds value to your website or saves you time and money, you can express appreciation in several ways:
- Download Role Scoper and try it out on your WP 3.0+ site. (legacy version for WP 2.7-2.9 also available).
- Add your own vote to Role Scoper’s plugin rating
- Submit technical feedback, including improvement requests.
- Submit a case study, explaining how Role Scoper helps you do something excellent and praiseworthy.
- If the plugin has seriously broadened your CMS horizons,
- If you are a seasoned web developer, grant me your professional opinion on how this work stacks up and how I might best make a sustainable career of it.
- Hire or refer my services to develop or enhance your site – quality care at reasonable rates.