PublishPress Permissions: Control User Access for Posts, Pages, Categories, Tags

Yes, PublishPress Permissions makes it possible to control who can view and read content with a specific category attached. In this situation, “read” means “view”. So we’re going to control who can see this content. By default, Categories are only available on WordPress Posts. However, you can add Categories to other post types and so you will be able to use the tutorial for those post types too.

Click here to see how to restrict access to categories.

This guide will show you how to require users to create content in a specific category or parent page. The solution in this guide is a flexible approach for sites with a substantial number of users in different roles. Depending on the needs of your site, the PublishPress plugins also offer other approaches such as this one based on user roles. In this tutorial, we’ll use examples from a university. Our sample site has categories for different university departments. Our aim will be to restrict some users to posting in some categories, or underneath some parent pages. By default, Categories are only available on WordPress Posts. However, you can add Categories to other post types and so you will be able to use the tutorial for those post types too.

Click here to see how to force users to post in a category.

Yes, the PublishPress Permissions plugin allows you to block access to WordPress category and tag archive pages. For example, you can block public access to the “Blog” category on your site. We will use this as an example, but the same approach can work for all taxonomies.

• Install the PublishPress Permissions plugin.
• Go to “Posts”, then “Categories”.
• Click “Edit” for your category.
• Scroll down to the “Permissions: Read Posts in this Category” area.
• Set “Anonymous” to “Blocked”.

This will impact anyone who is anonymous / not logged in to your site and tries to visit a post with the “Blog” category, or “Blog” category archive page. People without access to this category will only see a “Page Not Found” message.

Click here to see how to deny access to blog archives.

The PublishPress Permissions plugin allows you to control permissions for media files on your site.

• Go to Permissions > Settings.
• Click the “Core” tab and make sure the “Media” box is checked.
• Click the “Editing” tab.

Scroll down to the “Media Library” area. Here you’re going to see 4 options you can use to control access to files inside the Media Library:

• List other users’ uploads if attached to a readable post: If this boxed is checked, users can view other people’s media files if they are attached a post they can read.
• List other users’ uploads if attached to an editable post: If this boxed is checked, users can view other people’s media files if they are attached a post they can edit.
• Edit other user’ uploads if attached to an editable post: If this boxed is checked, users can edit other people’s media files if they are attached a post they can edit.
• Other users’ unattached uploads listed by default: If this boxed is checked, users can view other people’s media files.

Click here to see how to control access to the Media Library.

By default, all the files and images you upload to WordPress are publicly available. This is great news for most sites. The goal of most sites is to create popular content that is viewed by as many readers as possible. But this public access is a problem if you run a membership site and DO NOT want everyone reading your content. Yes, you can restrict the privacy of your posts, but people can still view your files if they know the URL. The PublishPress Permissions Pro plugin makes it possible to block direct access to your media files. Even if someone knows the URL, they won’t be able to access your files unless you give them the correct access.

Click here to see how to block people and search engines from accessing file URLs.

By default, WordPress only allows Administrators to create users. If you want to allow other roles to create users then you need to give them at least the promote_users, list_users, edit_users and create_users permissions. However, if you give them those permissions, they can create and edit users in any role. So you could have Editors creating and editing Administrator accounts. That could be a security problem. Fortunately, PublishPress Permissions has a feature called “Limit User Edit by Level”. This prevents anyone from editing a user with a higher level or assigning a role higher than their own.

Click here to see how to restrict user creation.

PublishPress Permissions can be used in addition to a basic role editor / user management plugin. Those plugins are designed to modify existing WordPress permissions. That’s a valuable task, and in many cases will be all the role customization you need. We do recommend PublishPress Capabilities which is a WordPress role editor designed for integration with PublishPress Permissions.

PublishPress Permissions can supercharge your permissions engine and goes much further than the basic role editor plugins. PublishPress Permissions is particularly useful when you want to customize access to a specific post, category or term. PublishPress Permissions adds content-specific editing permissions, custom post status permissions, file access restriction, and other features which are not possible in default WordPress.

Moving forward, we do not plan any major development of the Role Scoper code base. If you encounter issues with Role Scoper and need to migrate to a different solution, PublishPress Permissions provides access to an import script which can automate the majority of your Role Scoper migration. PublishPress Permissions can import the most Role Scoper groups, roles, restrictions and options. Some manual follow up may be required for some configurations.

No, but it can potentially be used in conjunction with an e-commerce or membership plugin. If you have a way to sell users into a WordPress role or BuddyPress group, PublishPress Permissions can grant access based on that membership.

PublishPress Permissions creates and uses the following tables: pp_groups, pp_group_members, ppc_roles, ppc_exceptions, ppc_exception_items. PublishPress Permissions options stored to the WordPress options table have an option name prefixed with “presspermit_”. Due to the potential damage incurred by accidental deletion, no automatic removal is currently available. You can use a SQL editing tool such as phpMyAdmin to drop the tables and delete options with option_name LIKE presspermit_%.

Yes, we use the phrase “publishpress-ppcore-install” to share install links. You will see that text included in the links from other PublishPress plugins.

Please report security bugs found in the source code of the PublishPress Permissions plugin through the Patchstack Vulnerability Disclosure  Program. The Patchstack team will assist you with verification, CVE assignment, and notify the developers of this plugin.