I’ve done some work on a website for a travel agent. She has had her WordPress site up and helping prospective clients access travel information. Her agency has grown and contains more agents. She wanted her WordPress site to have a members only or agent section where she could post helpful information for just her agents. Her site used the Genesis Framework so some of the steps here might be different for vanilla WordPress.
After researching plugins for adding content access control to the existing WordPress capabilities and roles, I narrowed my final approval to the WordPress Access Control plugin by Brandon Wamboldt (http://brandonwamboldt.ca/projects/wordpress-access-control/). It seems this plugin was relatively simple and not bulky like some of the other plugins. This project didn’t need a high degree of specialized roles or capabilities, like fine-grained write permissions on a page or post. (Press Permit would give you much more but looked overly complicated for this project.)
First, I installed the plugin; I didn’t need to change any of the default configuration.
Then I created a WordPress role called “Agent” to assign to any user that was an agent and would thus get access to the members only section. Currently, there is no way on the dashboard to create a role. While there are plugins to do this, one only needs to run a single command once in the functions.php file of your theme to set it up in the WordPress database. Here’s what I added to my functions.php file:
add_role('agent',__('Agent'), array('read'=>true));
I confirmed the role was added by going to the dashboard | Users and seeing that I can select my new role, Agent. After that, I removed the add_role command.
Now, for any page I want restricted to agents, I only have to edit the page in the dashboard, select it to be Member’s Only, and then select the Agent checkbox. By the way, administrators never lose their access to these documents.
A page selected as Member’s Only will, by default, not be listed in any search results, but this is configurable. If a person knows the URL to the page, it will come back as a 404 page not found. So this works well so far.
Next, I needed an “Agent Logon” option in the menu. For this, in the dashboard | Appearance | Menus, I added a Link menu item with the URL: http://thedomainname.com/wp-login.php. This isn’t the “best” way since you’ll have to change it if you change your domain name, but how often does that happen? You also can’t redirect them to a different URL. Or can you? Actually, I found the following code worked wonders for this. I altered it to only change users with the agent role and put in the page slug of where they should be directed. (I think I found this code on WordPress.org. Apologies to the author if not. I wish Firefox history had better search capabilities.)
/**
 * Redirect user after successful login.
 *
 * @param string $redirect_to URL to redirect to.
 * @param string $request URL the user is coming from.
 * @param object $user Logged user's data (a WP_Error on a failed login).
 * @return string
 */
function my_login_redirect( $redirect_to, $request, $user ) {
    // Is there a user to check? Use the $user passed to the filter;
    // "global $user" would replace the parameter with the global variable.
    if ( isset( $user->roles ) && is_array( $user->roles ) ) {
        // Check for agents.
        if ( in_array( 'agent', $user->roles ) ) {
            // Send them to the agent home page, if that page exists.
            $agent_home = get_page_by_path( 'agent_home' );
            return $agent_home ? get_permalink( $agent_home ) : home_url();
        } else {
            return home_url();
        }
    } else {
        return $redirect_to;
    }
}
add_filter( 'login_redirect', 'my_login_redirect', 10, 3 );
Next I created a sidebar using Genesis Simple Sidebars called Agent Sidebar. On the Agent Home page I made this its primary Sidebar. In Appearance | Menus I created a new menu called… wait for it… Agent menu. I then put a custom menu widget pointing to this menu in the Agent Sidebar. This menu contains links to other Agent only pages.
What about Logging out?
Not as simple as adding a URL link like the login process. I tried, but due to a nonce issue, they would log out but get a weird message. So I did the following to add a logout link in the beginning of the Agent menu and have them redirected to the public home page of the site: (altered code from: http://xparkmedia.com/blog/add-login-logout-link-menu/)
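/* Adding logout link to Agent menu */
// Add logout link to navigation menu
function add_login_out_item_to_menu( $items, $args ) {
    // Change the menu name below to the name of your menu.
    // $args->menu may be a menu ID, slug, name or object, so resolve it first.
    $menu = wp_get_nav_menu_object( $args->menu );
    if ( ! is_user_logged_in() || ! $menu || $menu->name != 'Agent Helpful Links' )
        return $items;
    $redirect = get_home_url();
    // wp_logout_url() adds the nonce and sends the user to $redirect afterwards.
    $link = '<a href="' . wp_logout_url( $redirect ) . '">' . __( 'Logout' ) . '</a>';
    // Put the logout link at the beginning of the menu.
    return '<li class="menu-item">' . $link . '</li>' . $items;
}
add_filter( 'wp_nav_menu_items', 'add_login_out_item_to_menu', 50, 2 );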
The WordPress Admin Bar
Agents did not need to see the WordPress dashboard and get confused by the WordPress admin bar on top of the browser, even if they couldn’t see or do much with it. So I added the following to the functions.php file so that only administrators see the bar:
if ( ! current_user_can( 'manage_options' ) ) {
show_admin_bar( false );
}
Security Caveat!!
While this WordPress Access Control plugin does a fine job protecting posts and pages, it does not protect your media library. (I believe the Press Permit Pro plugin does.) So if one were to upload a PDF document containing agent information to your library, anyone who knows the full URL to the document can download it. If you use the free version of Dropbox, the security is similar. If someone knows the full URL to one of your Dropbox documents, they can download it. It’s still hard to get to, though, because the full URL is something like dropbox.com/aaadDBDD/EDLdde332d. This is not something someone could easily guess. In WordPress, before you upload a document, you could give it a long obscure name to make the URL harder to guess. But I wonder if someone could access it by using the URL:
http://yourdomainname.com/?attachment_id=###, where ### is the document ID. The document ID is automatically assigned by WordPress.
I told my client this and she plans to put most of her information in the page or post itself.
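For the ?attachment_id=### question in the caveat above, here is an added example that is not part of the original post or of the plugin: a functions.php snippet that answers the attachment page of an agent file with a 404 unless the visitor is an agent or an administrator. It assumes a hypothetical convention that agent files are uploaded from the agent_home page or its child pages, and the example_ function names are made up for illustration.

```php
<?php
// Added example, not from the original post. Assumptions: the 'agent' role
// created earlier, and a convention (hypothetical) that agent-only files are
// uploaded from the 'agent_home' page or one of its child pages, so that
// WordPress records that page as the attachment's parent.

/** True if the attachment's parent is agent_home or a descendant of it. */
function example_is_agent_attachment( $attachment_id ) {
    $agent_home = get_page_by_path( 'agent_home' );
    $parent_id  = (int) wp_get_post_parent_id( $attachment_id );
    if ( ! $agent_home || ! $parent_id ) {
        return false; // Unattached file, or the agent page does not exist.
    }
    $ancestors = array_map( 'intval', get_post_ancestors( $parent_id ) );
    return $parent_id === (int) $agent_home->ID
        || in_array( (int) $agent_home->ID, $ancestors, true );
}

/** True if the visitor is a logged-in agent or an administrator. */
function example_current_user_is_agent() {
    $user = wp_get_current_user();
    return $user->exists()
        && ( in_array( 'agent', (array) $user->roles, true )
            || current_user_can( 'manage_options' ) );
}

/** Answer attachment pages of agent files with a 404 for everyone else. */
function example_hide_agent_attachment_pages() {
    if ( ! is_attachment() || example_current_user_is_agent() ) {
        return;
    }
    if ( example_is_agent_attachment( get_queried_object_id() ) ) {
        // Same response the plugin gives for a protected page: not found.
        wp_die( __( 'Page not found.' ), '', array( 'response' => 404 ) );
    }
}
// Priority 1 runs before the canonical redirect hooked at priority 10.
add_action( 'template_redirect', 'example_hide_agent_attachment_pages', 1 );

// Not covered: the file's direct URL under wp-content/uploads is served by
// the web server without loading WordPress, so this hook never sees it.
```

Closing the direct file URL as well takes a rule at the web server level or storing the files outside the public uploads directory.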