Permissions Module for WordPress

One of our large clients chose WordPress to power their new intranet because of its strength in publishing and its extensibility through a large plugin base. However, for WordPress to work in their corporate setting, we had to address the topic of permissions.

Requirements

Users should not have to log in to the intranet. Instead, WordPress should inherit their authentication from their MS Windows login, which is based on Active Directory.

The site should replace the vast majority of email communication with project-based communication powered by BuddyPress.

All content creators (100+) should have the ability to indicate who can access the content. Since there are several thousand users, the content creators should indicate this by selecting which Active Directory groups are authorized to see the content.

The content creators also belong to various Active Directory groups and should not be able to edit content not “owned” by their group.

Solution

For the connection to Active Directory, we modified the Active Directory Integration plugin to store every user's groups in the WordPress database and to inherit browser authentication.

We wrote a relatively simple but powerful plugin to intercept every WP_Query and filter out all content that the logged-in user is not authorized to see.
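One way such a filter can be built, as an added sketch that is not the plugin described in this post: it hooks `pre_get_posts` and adds a meta query so only posts tagged with one of the user's Active Directory groups are returned. The meta keys, the `adgv_` function names, the visibility of untagged posts and the administrator bypass are all assumptions.

```php
<?php
// Illustrative sketch only. Both meta keys are hypothetical; the post does not
// describe how the real plugin stores group assignments.
const ADGV_POST_GROUP_KEY  = '_adgv_allowed_group'; // one post meta row per authorized AD group
const ADGV_USER_GROUPS_KEY = 'adgv_ad_groups';      // array of group names synced from AD

function adgv_current_user_groups() {
    // Anonymous users (ID 0) and users with no synced groups yield an empty array.
    $groups = get_user_meta( get_current_user_id(), ADGV_USER_GROUPS_KEY, true );
    return is_array( $groups ) ? array_values( array_filter( $groups, 'is_string' ) ) : array();
}

function adgv_visibility_clause( array $groups ) {
    // Assumption: posts with no group restriction are visible to everyone.
    $clause = array(
        'relation' => 'OR',
        array( 'key' => ADGV_POST_GROUP_KEY, 'compare' => 'NOT EXISTS' ),
    );
    // Fail closed: with no groups, only unrestricted posts can match.
    if ( $groups ) {
        $clause[] = array( 'key' => ADGV_POST_GROUP_KEY, 'value' => $groups, 'compare' => 'IN' );
    }
    return $clause;
}

add_action( 'pre_get_posts', function ( WP_Query $query ) {
    if ( current_user_can( 'manage_options' ) ) {
        return; // Assumption: site administrators see everything.
    }
    $existing = $query->get( 'meta_query' );
    $combined = array( 'relation' => 'AND', adgv_visibility_clause( adgv_current_user_groups() ) );
    if ( is_array( $existing ) && $existing ) {
        $combined[] = $existing; // Keep the caller's own meta conditions.
    }
    $query->set( 'meta_query', $combined );
} );
```

`pre_get_posts` fires even for queries run with `suppress_filters`, but code that loads a post directly with `get_post()` or raw SQL never passes through WP_Query, so single-post access needs its own group check.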
