s2Member FREE is a very functional system to control content-based user access according to its own concept of Levels or membership tiers. It's intended however to be used as a commercial tool to charge for membership (integrates with PayPal) and has many features that don't really matter to me at the moment but others may really love it. Especially because its extremely well documented, its easy to setup, and it has enterprise-level support.
Unfortunately to use it for access control means that everyone needs to register with the site to even read a post... but I'm running a public website!
There's also a "PRO" (paid) version with more flexibility and features.
Note that any changes made to users and roles using this plugin will remain even after uninstalling it.
At least s2Member helped me realize there's various types of content-based access management. What I'm interested in and the reason for this blog post is to limit some of my existing roles (the back-end users) in their capabilities depending on the content (again, for example by category)..
AAM BASIC
Advanced Access Manager BASIC has an interesting interface in a new "Access Manager" menu which lets us create/edit/delete roles (and assign them to capabilities). We can also establish special restrictions for any existing role such as menu item visibility and ...drumroll... content based! Yes, there's a "posts & taxonomies" tab in there where you can choose posts (by categories which display as folders), pages, and media (and even media folders, in case you too also using Media Library Assistant). Sadly, while restricting categories does make them and child inaccessible to the role (although the category count is wrong in the list), it doesn't apply to the actual posts in them! -- I'm not going through 2000+ posts one by one.
I'm not linking to this one because after further tests I decided it doesn't work. Assigning taxonomy based restrictions to a role yields unexpected restrictions in others... Another annoyance with it is that some quite useful features (such as restrictions for posts inside categores...) are locked unless you buy AAM Premium... It would also be nice that media attached to restricted posts was automatically restricted. On the other hand, AAM can create new capabilities, and it's the only plugin so far that can be setup (with ConfigPress) to delete capabilities (any, not only the custom ones -- which can be pretty dangerous for your WP). Fortunately, deactivating the plugin removes all special restrictions.
Restrict Categories
Restrict Categories adds itself as an
item under the Settings menu. Under its Roles (1st) tab, it allows to
select the categories one-by-one or all-at-once (
unfortunately no recursive selection) that can be accessed by that role.
It doesn't work if you are selecting more than 989 categories :( please fix this... I'm opening a
support topic with them.
Role Scoper
We're down to
Role Scoper. This plugin is complicated, not recommended for beginners... As it name suggests, the plugin allows to restrict role capabilities to work only on certain content -- by-category included, and it works recursively (option must be chosen). Again,
this one is confusing because it bring into play new abstract, fixed RS roles such as "Page Editor" or "Content Manager" that map to certain (undisclosed) wp capabilities and are described in the "WP Role Definitions" tab of RS Options. To complicate things further you can also activate RS user groups which in turn can be given RS roles for site-wide permissions... Anyway, this is what I did to restricted managing some categories to only some of the back-end users:
- I first created a new role similar to Editor with another plugin (as of now URE being the best one just for that);
- I assigned certain users to the new role;
- (optional) Having a public website: Under the Roles menu, Options (1st) sub-menu, then Realm tab: in the Access Type section I un-selected the "Viewing content (front-end)" check-box;
- (optional) Selected all the "sync WP [Role] to these selections" check-boxes in the "RS Role Definitions" tab of RS Options -- not sure what this does though;
- Enabled groups in RS Options, Features (1st) tab;
- In the Restriction menu, Categories (1st) item: under 1. I chose "Restrict selected roles" and "for categories and sub-categories", under 2. I went to the category of interest (a parent) and selected all the RS Roles except "Post Reader", and clicked the Update button on 3; (Probably because of my thousands of child categories, the page returned was completely blank but I went back to the same category restrictions page and confirmed the changes were applied.)
- In the Roles menu, Categories item: under 1. I chose "Assign for selected and sub-categories", under 2. I checked the [role] in question (as a group), under 3. I went down to the same parent category as before and checked the same RS Roles.
Understanding exactly what the steps above do is not trivial, feel free to investigate. In the end this whole thing didn't work for me exactly as I wanted it to. The
one problem I found is speed. It's very slow when filtering access to many categories and the posts in them, so the lists can take a looong time to load... Happily as with
AAM, deactivating the plugin gets things back to normal.
As a funny note, Role Scoper was developed within a religious project you can learn more in its About page. It also has a larger/newer version (it costs) called Press Permit.
---
So there it is. Nothing seems to work perfectly, or maybe I have to redesign my project (too many categories). Maybe restricting admin access based on content is not the best thing to do with WordPress, It was not designed that way (which is why we shouldn't call WP a CMS). Then again that's probably why they came up with the multi-site WP Network, so consider that option instead if you can still re-start your project or migrate your content.