Restricted registrations or removing the ability to edit your password/email

I’m developing a WP site that lists expensive properties (villas, penthouses, etc) for rent. My client has an agreement with certain schools to list some cheap properties exclusively for their students, and he has previously (in his hard-coded-by-hand html site) had a set username+password that he gives to the schools, to give to their students (the student rentals section being access controlled via htaccess).

For their spiffy new WP site, they don’t want open/public registration, as the cheap properties are for specific school students and not the general public. But neither do they want to moderate each registration. Additionally, many students will use their own private email accounts (e.g. Gmail), so I can’t limit registration by domain name.

A user-friendly thing to do would be to create a single user (a “demo user”, if you like), and give this username+password to the schools for their students — all students would then log in under this one user profile.

However, it just takes one malicious user to change the profile’s password and email-address to cock it up for everyone.

In a nutshell, I need a way to create a sub-category of Subscriber, where they can read private posts but NOT edit their own profile, and I can’t find anything more “atomic” than the “Read” capability, which seems to include both “read posts” and “edit your own profile”.

Now, there are a number of ways I can think to do this in WP, but I’m not sure if they will work (or are even possible), and which would be “best practice”.

1) Use a Capability manager plugin — I haven’t found one that gives the option to disable “Edit Your Profile”. Open to suggestions.

2) Remove the User SubPanel admin menu and redirect to the front-end after login.

3) Some sort of “Demo User” plugin?

4) The other alternative is to restrict or otherwise password protect registrations, but how to do this effectively, without too much hassle on the moderator/admin side, and without too much loss of usability on the end user’s side?

I initially thought to have “public registration” enabled but just access-control the register/login page with a site-wide username+password which we would issue, but (a) that would be annoying as you’d have to essentially “log in” twice (once for apache and once for wordpress), and (b) I tried using htaccess via AskApache’s Password Protector plugin, but I couldn’t get around the permalink/404 issue, despite following the example and putting ErrorDocument in the htaccess file, and a blank error.html file in my root.

So there you have it… my l33t g00gl3 sk1llz have failed me. My wordpress-fu is not strong.

4 comments

  1. This solution is purely cosmetic, in that it simply hides via jQuery the fields on the user profile page, but that effectively removes the ability for the user to change the password (admin will still see the fields, and can change any time). Add this to your theme’s functions.php file, and you’re done.

    // Run on both profile screens: "Your Profile" and the edit-user screen.
    add_action( 'edit_user_profile', 'hide_profile_options');
    add_action( 'show_user_profile', 'hide_profile_options');

    // Cosmetic only: prints a script that strips the sections from the
    // rendered page for anyone who cannot install themes (non-admins).
    function hide_profile_options() {
        if( !current_user_can('install_themes') ) : ?>
        <script type="text/javascript">
        jQuery(document).ready(function(){
            jQuery("#your-profile h3:contains('Personal Options') + table").remove();
            jQuery("#your-profile h3:contains('Personal Options')").remove();
            jQuery("#your-profile h3:contains('About Yourself') + table").remove();
            jQuery("#your-profile h3:contains('About Yourself')").remove();
        });
        </script>
    <?php
        endif;
    }

    You can hide the other blocks, too, if desired… just duplicate the lines and change the h3 contents…

    For what you’re describing, hiding the entire User Profile admin subpanel could work too, but this is a little more precise.

  2. This was an interesting function with jQuery and it worked … but the problem is that the code blocks are still present, so when you “view source” all the bio tables are still there … thus this solution would give me pause on a security level, since a DOM editor like Firebug could likely still manipulate the fields, given that they show in the page’s view source ..??..

  3. If you don’t want users to edit their profiles – create them and change the permission on the MySQL users table.

    Like this, you will be the only one able to create users and update profiles.

    This is quite simple and requires no plugin.

    Hope I am answering your question.

  4. Turns out, the simplest solution in the end was to use one of the “Invite Code” plugins, so that only people with a specified invitation code could register. I ended up using Pie Register.
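
Comment 2 points out that hiding the fields with jQuery leaves the profile form and its server-side handler in place. The snippet below is an added example (not code from the question or any commenter) that enforces the restriction on the server for a dedicated role, written as a small must-use plugin file for a current WordPress version; the role slug `student_viewer`, the constant and the helper name `locked_profile_user` are assumptions.

```php
<?php
// Added example: role slug and function names below are assumptions.
const LOCKED_ROLE = 'student_viewer';

// Register a role that can read (including private posts) and nothing else.
add_action( 'init', function () {
    if ( null === get_role( LOCKED_ROLE ) ) {
        add_role( LOCKED_ROLE, 'Student Viewer', array(
            'read'               => true,
            'read_private_posts' => true,
        ) );
    }
} );

// True when the given user ID holds the locked role.
function locked_profile_user( $user_id ) {
    $user = get_userdata( $user_id );
    return $user && in_array( LOCKED_ROLE, (array) $user->roles, true );
}

// Core lets every user edit their own profile via the 'edit_user' meta
// capability. Mapping it to 'do_not_allow' makes current_user_can() fail
// wherever core checks it (profile screen, REST API, XML-RPC).
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
    if ( 'edit_user' === $cap && locked_profile_user( $user_id ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 3 );

// Refuse "Lost your password?" resets for the shared account.
add_filter( 'allow_password_reset', function ( $allow, $user_id ) {
    return locked_profile_user( $user_id ) ? false : $allow;
}, 10, 2 );

// Keep locked users out of wp-admin and hide the toolbar on the front end.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() && locked_profile_user( get_current_user_id() ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
} );
add_filter( 'show_admin_bar', function ( $show ) {
    return locked_profile_user( get_current_user_id() ) ? false : $show;
} );
```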