Introducing Role Scoper for WordPress
Intro to WordPress Roles · Role Scoper Description · Acknowledgements · Download · Usage Guide · News
WordPress: Capabilities, Roles and Wish Lists
Whenever you access a WordPress site, the software considers what you are trying to do: read a post, edit a page, manage categories. Most sites allow you to read posts and pages without logging in. Any other operation you may request is permitted only if your user definition (as identified by login name and password) includes a corresponding capability.
For administrative convenience, WordPress bundles capabilities into collections called roles. By default, these roles are:
Subscriber:
- read published posts and pages
Contributor:
- all Subscriber capabilities
- contribute a post (for review by editor), and edit it before publication
Author:
- all Contributor capabilities
- contribute a post, publish/unpublish/edit it, and moderate its comments
Editor:
- all Author capabilities
- contribute/publish/unpublish/edit any user’s post
- contribute or edit any page
- manage all categories and moderate any comment
- read posts and pages which are marked “private”
Administrator:
- all Editor capabilities
- define users and assign them roles
- configure all site options
This role configuration works well for WordPress’ conventional application as a single-user blog. But what if you want someone to contribute their own pages without editing other’s post or pages? Or maybe some users should edit other’s posts without being able to edit pages at all. The current solution is to use an existing plugin like Role Manager to either redefine “Editor”, or create a cloned “Special Editor” role, moving existing Editors to it as needed. As plugins come on board with additional capabilities, the role permutations increase. This one-role-per-user paradigm makes for simple source code and queries, but as a site shifts from single-user blog to multi-user CMS, role creation / editing is inconvenient for both developer and site administrator.
If you manage to successfully define and assign custom roles for your WordPress CMS, soon you will wonder how to grant reading or editing capabilities for multiple subsets of posts or pages. On your WordPress-powered high school news site, how can you enable someone to post only to the “Sports” category? On your corporate intranet site, can you conveniently enable members of HR to edit existing and future personnel policy pages (but not the engineering best practices pages)? Can you enable someone to create a new page, but specify a subset of “parent” pages it can be linked to? Can all these content-specific roles be administered on a sectional basis, or must someone edit/administer the whole site or nothing?
By default, WordPress doesn’t have a good answer to those CMS dreams, regardless of any custom roles you may define.
Some past and current WordPress plugins (Limit Categories, Category Visibility, Post Levels, Restrict Pages, Disclose Secret, WP-Group-Restriction) have dealt with pieces of this permissions puzzle. Using them, I appreciated a multitude of useful features. Yet as I tried and tried again to combine and configure this plugin assortment to meet all my WordPress CMS aspirations, there was always a missing piece.
Enter Role Scoper
Role Scoper is a comprehensive enrichment for capability enforcement and administration in WordPress. Assign reading, editing or administration roles to users or groups on a page-specific, category-specific or other content-specific basis.
Role Selection Boxes in Edit Post / Page Form (note: for basic usage, this is all you need to deal with):
screen shot: Role Assignment Tabs in Edit Post
screen shot: Role Assignment Tabs in Edit Page
Optionally, define User Groups for subsequent Role Assignment:
screen shot: Edit User Group
Each User’s WordPress role is honored by default, but can be:
- supplemented with content-specific role assignments
- disregarded if the role is restricted for the requested content
screen shot: Scoped Roles in User Profile
Set Category Restrictions to block reading/editing access for users who have a specified WordPress role but no corresponding Role Scoper role (note, post/page restrictions also available):
Assign Category Roles to expand reading or editing access:
^ click to examine Category Roles User Interface (sample html)
Scoped role restrictions and assignments are reflected in every aspect of the WordPress interface, from front end content and navigation to administrative post and comment totals.
Additional features:
- Propagation of Roles or Restrictions to subcategories / child pages
- Default Restrictions, Default Roles and Default Groups automate admin tasks
- Hidden Content Teaser: choose whether unreadable front-end content is hidden or replaced with a customizable teaser
- Role Administration Aides: Post/Page role assignment UI indicates where users have a role implicitly via WP role, category role or group membership. (Made possible by a new role storage schema and users_who_can function).
- Pending Revisions enable Contributors to edit a published post/page, with the change held for review by an administrator update: Pending Revisions are now handled by the Revisionary plugin.
- Internal File Cache limits Role Scoper’s database query overhead
- Attachment Filtering prevents direct file access to your uploaded images/documents if the user can’t view the containing post/page
- Plugin API allows other plugins to define their own data sources, taxonomies, capabilities and content-specific roles
- User Customization of Role Definitions (add or remove applicable capabilities for each content-specific role)
Although Role Scoper’s default configuration is ideal for most sites, its functionality and sphere of influence is highly customizable to match your usage.
^ click to examine Role Scoper Options User Interface (sample html)
Due to its abstract data model and API, Role Scoper can be extended to bring content-specific access control to other plugins which define and check WordPress capabilities. The resulting plugin-specific roles will supplement any other assigned roles; there is no need to merge all capabilities into an all-inclusive role.
Role Scoper has been a stable release since March 2009, with over 200,000 downloads. This plugin is open source software released under the General Public License (GPL). Due to limitations, obligations and non-technical aspirations common to most human beings, I will probably never again donate unpaid plugin development on the scale Role Scoper has required. However, I do plan to provide some free support, correct bugs which emerge and revise the plugin for future WordPress versions. If it adds value to your website or saves you time and money, you can express appreciation in several ways:
- Download Role Scoper and try it out on your WP 3.0+ site. (legacy version for WP 2.7-2.9 also available).
- Add your own vote to Role Scoper’s plugin rating
- Submit technical feedback, including improvement requests.
- Submit a case study, explaining how Role Scoper helps you do something excellent and praiseworthy.
- If the plugin has seriously broadened your CMS horizons,
- If you are a seasoned web developer, grant me your professional opinion on how this work stacks up and how I might best make a sustainable career of it.
- Hire or refer my services to develop or enhance your site - quality care at reasonable rates.
Posted: May 15th, 2008 under News, Role Scoper, WordPress Plugins.
Comments: 429
429 Responses to “Introducing Role Scoper for WordPress”
Pages: « 11 10 9 8 7 6 5 [4] 3 2 1 » Show All
Time: March 27, 2009, 3:25 pm
Please disregard last post overlooked the blatantly obvious text above this comment form, sorry
Time: March 27, 2009, 3:24 pm
First thank you for creating such a wonderful plugin, I have used it to great effect on a couple of blogs. The first problem that I have come up with on a new blog that me and my associates are working on is a multi language blog using the qtranslate http://www.qianqin.de/qtranslate/ plugin. This plugin allows you to have many languages on one installation. Now the bug I am having with your plugin is that when your plugin is turned on, it stops all of the categories being translated, they stick to the default language, everything else works pages, links content etc just not categories… any ideas… so when your plugin is activated wp_list_categories() does not translate…
Here is how this plugin functions http://www.qianqin.de/qtranslate/forum/viewtopic.php?f=3&t=294 http://www.qianqin.de/qtranslate/forum/viewtopic.php?f=3&t=9
So somehow your plugin is messing with the internal wp_list_categories()
Any help greatly appreciated, aswell as your plugin being the only one that really enables a true cms user base system and the qtranslate plugin is really the only one that works for multilanguage blogs, it would be really great and open your user base even larger if the two could work in harmony.
Thanks George
Time: March 24, 2009, 12:58 pm
Eligio, Are you talking about adding tags via the Edit Post form, or manually via the "Add New" menu?
Time: March 23, 2009, 4:21 pm
I'm using the plugin and I setup the Author to post/edit, but how to I enable the author to add Tags? I can only add tags as admin.
Time: March 18, 2009, 1:08 pm
[...] Beiträgen gar nicht mehr. Auf der Suche nach einer Alternative stieß ich auf das Plugin Role-Scoper, welches nach einigen Feature-Requests meinerseits nun problemlos eine Authentifizierung im [...]
Time: March 11, 2009, 5:16 pm
I see from a support forum post that Andy figured it out. Thanks for the reminder to revise the documentation.
Time: March 10, 2009, 10:14 pm
This looks like a good plugin. I am a little confused on how to use it though. It seems extremely complicated.
What I would like to do is create a user who can login to the admin panel but only edit a certain pre-created page. The person should be able to create subpage for that page. But that is all.
I have no idea how to do that after looking through the usage guide link. By chance could anyone give me some very simple instructions? using WP 2.7.1
Time: March 4, 2009, 9:31 am
[...] des WordPress-CMS und ihre Berechtigungen vorgestellt und gezeigt, wie man sie mit dem Rolescoper-Plugin verwaltet. Wer immer schon mal Nutzerprofile mit eingeschränkten Freigaben für [...]
Time: March 1, 2009, 2:50 am
[...] causing this. well, it turns out that the old main page was doing 298 sql queries. after disabling role scoper, this jumped down to 34, with loading times more or less the same. but then, i disabled the tag [...]
Time: February 25, 2009, 5:14 pm
Kevin,
Thanks, that did the trick. I did not know about $current_user. That object is full of good stuff.
I guess the confusion came from how I was approaching the modifications I needed. I have 4 roles that need custom names and capabilities and I started by trying to modify the RS roles within defaults_rs.php. This was the wrong approach for me.
I ended up using Groups to take care of the custom names, then I set the capabilities for Groups (instead of users/roles). I set new user WP roles to Subscriber, and add Groups to each user from there.
Nice plugin.
Time: February 25, 2009, 12:01 am
Patrick,
Do you need to find out if the user can read posts in the category, create/edit posts in the category, or edit the category itself?
If all you want is to know whether the user has a certain category role assigned, you can do this: global $current_user;
if ( isset($current_user->assigned_term_roles['category'][rs_post_reader'])
&& in_array($cat_id, $current_user->assigned_term_roles['category'][rs_post_reader']) ) {
// do stuff
}
I would also be interested in hearing what your main points of confusion were, and what would have made the orientation easier.
Time: February 23, 2009, 9:18 pm
Great plug-in. Took me a few hours to figure out how I needed it to work, and then it worked great.
One question: Are there any public functions that I can use in the WP Admin screens to check capabilities? I'm trying to hide an option if a category is not allowed for the role that is currently logged in. Thanks!
-Patrick
Time: February 18, 2009, 4:51 pm
Mark,
Thanks for taking the time to express your appreciation.
As for email notification, that is well outside Role Scoper's intended functionality. I would check out the existing e-mail notification plugins and solicit those developers for additional features as needed.
Time: February 17, 2009, 9:20 pm
This is the most amazing plugin, really well done! I have spent months testing others out there and this does exactely what I need and more, I rarely take the time to post comments but this deserved it, amazing! The only thing I would ask, is there any way to setup email notifications, so if someone edits a post the admin is notified? and if admin edits a post the user is notified?
Thanks again
Time: February 16, 2009, 4:47 pm
Randy,
Thanks for alerting me to this.
It's actually due to my misspelling of a variable name in the line you edited. $term_by_id should instead by $terms_by_id. This should not affect many installations, as the involved code block is a leftover from WP 2.3 support and serves no purpose now.
Time: February 16, 2009, 1:53 pm
Right after activating your plugin, I received an error when viewing my site:
> Warning: array_diff_key() [function.array-diff-key]: Argument #1 is not an array in /home/ . . . /wp-content/plugins/role-scoper/hardway/hardway_rs.php on line 296
I searched the web to find that this is difference between PHP 4 and PHP 5 that someone had figured out how to get around: [http://drupal.org/node/36408#comment-354216]. I made this change at line 296, and the error went away.
Thanks, ~randy
Time: February 11, 2009, 10:56 pm
Ben, I've published an updated version of Role Scoper which corrects the bookmarks listing bug and several others.
Time: February 11, 2009, 12:55 pm
[...] I've found which allows for some very fine customisation of user roles and permissions is Role Scoper. You'll find it very hard to come across any other plugin that offers the level of support [...]
Time: February 8, 2009, 10:46 am
Hey, I'm using your plugin for an educational project. I'm having issues getting any links to display using wp_list_bookmarks() when Role Scoper is activated. What is the work around for that?
Time: February 7, 2009, 8:41 pm
Can I ask you if you are aware of the fact that events-calendar posts seems to ignore the restrictions set on the roles. For any user/role of the website they are visible even though they should not. Any though on this regard.
There is a discussion about it on wordpress. Here is the link: http://wordpress.org/support/topic/237970.
Massimo.
Time: February 3, 2009, 2:43 pm
Rafael,
Please see my commentary on the topic of memory usage here in the support forum.
Time: February 1, 2009, 9:39 am
Thank you very much for your efforts, i will wait for the next RC then 
Time: January 31, 2009, 10:07 am
Hello,
Your plug in looks promising, but I'm getting a fatal error when I install it.
After I installed your plug in, whenever I try to edit this page ( ), I get this error:
"Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 266375 bytes) in /home2/tpsevnin/public_html/wp-includes/formatting.php on line 79″
right in the Wordpress post edit screen.
I've deactivated your plug in so you can see the page.
Rafa
Time: January 29, 2009, 7:16 pm
Yes, I have additional RSS filtering options under development for the next release candidate.
Time: January 28, 2009, 5:55 am
Any chance to protect RSS-Feeds like Disclose-Secret does?
Time: January 24, 2009, 12:13 pm
That bug has already been fixed. Please try the current release candidate or the development snapshot
Time: January 24, 2009, 10:17 am
Role Scoper - V1.0.0 RC1 - Roles > Posts > yields: Fatal error: Unsupported operand types in /home/stmichaels/public_html/wp-content/plugins/role-scoper/admin/admin-bulk_rs.php on line 647
Time: January 23, 2009, 4:46 pm
Okay, I fixed the tag cloud sizing problem in the updated Development Snapshot
I don't see any problem with the tag links, though. What WP version and permalink settings are you using?
The only caveat I'm aware of now is that the sizing will be based on total posts with the tag - including posts the user can't read. At this point, filtering the tag sizing seems more trouble that it's worth. If it proves hugely important to folks, I will reconsider.
If you have any other feature requests, please post them in the Support Forum.
Time: January 23, 2009, 2:06 pm
Again thanks alot kevin, however when i installed the development snapshot plugin the new tags did show, however the tag cloud isnt working properly and picking up posts, they all link to nothing and are the same size 
im going back to the older role scoper version and keep trying to find a workaround
Time: January 22, 2009, 9:02 pm
I have added proper tag filtering to the updated Role Scoper Development Snapshot version.
You should undo the wp_tag_cloud hack in widgets.php file. Change it back to:
wp_tag_cloud();
Time: January 22, 2009, 3:19 pm
Kevin your support is really appreciated, thankyou!
recent posts works perfectly. it shows the recent private post for logged in users with private post permission, and disappears if you are not logged in.
however the tag cloud does now show private post tags, but it shows them to people who are not logged in as well hmmm
Time: January 22, 2009, 1:03 am
mayan,
For the time being, you will need to perform two hacks to the WordPress file wp-includes/widgets.php:
change:
$r = new WP_Query(array('showposts' => $number, 'what_to_show' => 'posts', 'nopaging' => 0, 'post_status' => 'publish', 'caller_get_posts' => 1));
to:
global $scoper;
$status = ( empty($scoper) ) ? 'publish' : '';
$r = new WP_Query(array('showposts' => $number, 'what_to_show' => 'posts', 'nopaging' => 0, 'post_status' => $status, 'caller_get_posts' => 1));
change:
wp_tag_cloud();
to:
wp_tag_cloud( array('hide_empty' => false) );
I'll put in a request with the WP team to make those functions more filterable.
Time: January 21, 2009, 9:22 pm
hey, using your plugin so that one of the users ive created can read private posts too. got that all set up fine. they can see the private posts and now search for them in the search bar.
however the private posts arent coming up in the "recent posts" section, and the tags assigned to the private posts arent in my tag cloud.. any way of getting that to work?
Time: January 13, 2009, 2:25 pm
How i can do, when a Author, post something to, wait for my rewiev ?
Time: January 9, 2009, 5:27 pm
Huge thanks!
Time: January 9, 2009, 5:08 pm
There's currently no way to hide the role assignment boxes from authors on a new post. I'd like to think on this more before implementing an option to do so. But you can put the following code in plugins/role-scoper/admin/filters-admin-ui_rs.php, in function add_meta_boxes - at the top of the function, just after the opening curly brace:
global $current_user;
if ( empty($current_user->blog_roles['rs_post_editor']) ) {
remove_action('do_meta_boxes', array(&$this, 'act_tweak_metaboxes') );
return;
}
This will be your private hack, and will need to be reinstated each time you upgrade Role Scoper. However, I'm leaving that code commented out in the main source to make it easy for you.
Time: January 9, 2009, 4:26 pm
Kevin–thanks for your responses. I still need some help decluttering the Author area as Authors won't need the role assignment tabs. I had to elevate users to Author status because it's important that they can change the date of publication (we post a lot of links to past news articles and order them by their original publication date).
Therefore I need to keep the Author status, but I'm hoping to remove those role assignment tabs.
Time: January 9, 2009, 4:05 pm
With the current Role Scoper version (1.0.0-rc8), the Edit Post/Page form does not display role assignment tabs to Contributors.
Thanks for the appreciation.
Time: January 9, 2009, 3:50 pm
…Nevermind. I ended up shrinking the text size of my category checklist so I could see everything.
I am now trying to turn off the object roles boxes that show up on the Add new post screen. The whole point of limiting the categories that appear for Authors was to declutter that area, and so having these boxes (which won't be used by contributors) defeats the purpose.
Great plugin altogether though. Nice work!
Pages: « 11 10 9 8 7 6 5 [4] 3 2 1 » Show All
Time: April 9, 2009, 12:45 pm
I have a question on the plugin. I need the ability to give a specific user (or maybe group) access to edit a specific page. So for instance, they have a page dedicated to them and only they (as well as admins) can edit that page. They can't create anything new.
Possible?