Securing access to your files and documents with DOCman for WordPress

"NOPE... we are very sorry but you are not authorized to read this"

Very strange intro for a blog post, right? Well, not quite... Today's post is all about permissions and how to configure DOCman to restrict access and actions on your documents and categories, so we are on topic!

Permissions in WordPress exist to some extent, in a very raw state. They are exposed through a role/capability system that is only made available through an API, for developers to use in their own plugins. The roles and capabilities API works well for simple use cases, but it's too limiting for DOCman: for example, it doesn't offer support for permission inheritance, nor does it offer support for single-user permissions.

To support a multitude of different use-cases, but still keep permissions simple to understand and easy to configure, we had to develop a more advanced permissions API and this is probably the part where DOCman for WordPress shines the most. Built around a home-made permissions system enabling absolute control over categories and document actions, DOCman for WordPress provides an easy but powerful UI for accommodating any workflow you can think of and then some. Let me show you how...

Permissions in DOCman can be set in two different locations:

Global permissions

Global permissions can be set in the DOCman settings view. There you will find a Global permissions tab with user groups selectors for each action on both documents and categories.

The listed groups are of 3 types:

Regular

Regular groups are custom groups that can be created through the wp-admin DOCman groups view. These groups are fully manageable within this view and once created they can be edited (for assigning or removing users from the group) or deleted.

Internal

Internal groups are one to one mappings for WP roles. DOCman keeps these in sync by always making sure that groups are added, updated and/or deleted based on changes that get made on WP roles (including user assignments). In a vanilla WordPress install we have corresponding internal groups for the following WP roles: Author, Editor, Contributor and Subscriber. These groups cannot be managed manually in DOCman, they are only kept in sync with WP roles as mentioned above.

Fixed

Fixed groups are a special type of hardcoded groups for defining special sets of users:

Public: guest users
Registered: logged-in users
Owner: document/category owners
Admins only: site administrators

These groups and the actions involved are the only things you need to understand to start doing amazing things with DOCman. Let me give you a quick example:

If you set the Owner group in the document edit action selector, this will effectively allow document owners to edit the documents that they own. It is really that simple!

or

If you set the Author group (this is a WP native role) in the category edit and delete action selectors, Authors will then be able to edit and delete categories in DOCman.

Global permissions affect all categories and documents. They can be thought of as the default permission settings which you can then override on a per category basis.

Admin permissions

The ADMIN section at the bottom allows you to set special actions for accessing the admin interface and the configuration settings.

Manage

Groups added here will be able to access the DOCman admin interface to manage documents and categories. Be aware, though, that permissions set either globally or on categories will still apply. If a user in a selected group cannot see a given category, they will still not be able to see this category in the admin interface, even if their group is listed under this selector.

Configure

Grants configuration capabilities to groups listed under this selector. Configuration includes having access to DOCman settings and groups views.

In the screenshot presented above we allow users belonging to the Author and Editor internal groups (WP roles) to access the DOCman admin interface as managers. This means that they will only be able to see and manage documents and categories, without having access to the settings and groups views.

Category and document permissions

When editing a given category you can access the Permissions tab just above the description text editor. Here you will find a similar interface as the one available for setting global permissions.

The main difference here is that there is also a users selector under each action. This allows you to add individual users for each action, in addition to groups. This is very handy when you need to grant action permissions to a single user without having to add them to a group/role, nor having to create a new group/role for them:

Let's say we want to grant view access to this category to John and only to him. To do so we set John in the category view user selector and then lock the group permissions for this action by setting Admins only. This effectively tells DOCman that only John and site administrators will be able to see the category in question.

NB. administrators are always allowed to see and do everything they want in DOCman.

When both groups and users are set for a given action, if the current user matches any of the two permission conditions then the action is granted.

In the example presented above we have selected Admins only on the group selector so as to override any group selection that might be inherited for this action. This ensures that John is the only one (other than administrators) that can see the category.

Permission Inheritance

Category permissions affect the current category (category actions) and the documents it contains (document actions). These permissions are inherited from either a parent category (if permissions are set on it) and/or from global permissions settings. Inherited permissions can then be overridden on the category itself.

  • Global Permissions
    • Parent Category Permissions
      • Current Category Permissions

Permissions that are inherited show as greyed-out in the corresponding groups/users selectors; they are in an un-editable state. It is possible to override their values by simply clicking on the corresponding Override button located to the right. Likewise, clicking on the Reset button will tell the system to clear current selections and go back to the inherited state.
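The inheritance chain and the John example above can be modelled in a few lines to check who ends up with access; this is an added illustration, not DOCman's own code or API. It assumes the groups and users selectors of an action are overridden independently and that the nearest explicit setting wins; the action name `category.view`, the category names and the users are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

ADMINS_ONLY = "Admins only"  # fixed group: grants nothing beyond administrators

@dataclass
class Category:
    name: str
    parent: Optional["Category"] = None
    # (action, "groups" | "users") -> names; a missing key means "inherited"
    overrides: dict = field(default_factory=dict)

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()  # memberships supplied by the caller
    is_admin: bool = False

def resolve(category, action, selector, global_perms):
    """Return the nearest explicit setting: current, then parents, then global."""
    node = category
    while node is not None:
        if (action, selector) in node.overrides:
            return set(node.overrides[(action, selector)])
        node = node.parent
    return set(global_perms.get((action, selector), ()))

def is_allowed(user, category, action, global_perms):
    if user.is_admin:  # administrators can always see and do everything
        return True
    groups = resolve(category, action, "groups", global_perms) - {ADMINS_ONLY}
    users = resolve(category, action, "users", global_perms)
    return bool(groups & user.groups) or user.name in users  # either match grants

def demo():
    """Constructed data: Registered users may view categories by default."""
    global_perms = {("category.view", "groups"): {"Registered"}}
    private = Category("Private", parent=Category("Projects"))
    people = [User("john", frozenset({"Registered"})),
              User("jane", frozenset({"Registered"})),
              User("site-admin", is_admin=True)]
    def viewers():
        return sorted(u.name for u in people
                      if is_allowed(u, private, "category.view", global_perms))
    private.overrides[("category.view", "users")] = {"john"}
    user_only = viewers()   # group selector still inherited from global
    private.overrides[("category.view", "groups")] = {ADMINS_ONLY}
    locked = viewers()      # group selector overridden with "Admins only"
    return user_only, locked

if __name__ == "__main__":
    print(demo())
```

Under these assumptions, adding John to the users selector alone leaves the inherited Registered group in effect, so the category only becomes private once the group selector is locked as well.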

As mentioned above, document permissions are set in the category containing them by simply setting groups and/or users on Document action selectors. These settings affect all the documents inside the category that you are setting permissions for. An example:

Imagine we have a moderators group that is allowed to both edit and delete documents inside a specific category. This can be easily configured in DOCman just by setting the Moderator group in both document edit and delete group selectors.

If you made it here, then you've just learned everything there is to know about permissions in DOCman and how to use them. We have been tailoring and fine-tuning permissions, over the last two years, based on our experience with previous systems and with Joomla's built-in permissions system. We are really pleased with how this awesome and unique feature works and we hope that you will find it useful and easy to use.

More guides are available in the permissions section of our documentation. These guides will help you get started with some common workflows that require permissions tuning. Please make sure to take a peek at them to get a glimpse of the true power of the DOCman permissions system.

Get started

Supercharge your WordPress file and document management with DOCman. Go ahead and try DOCman on our demo or download it from our Dashboard. Not yet a member? Get a subscription and start using DOCman today!