DocCheck Access

The DocCheck Access plugin integrates DocCheck's OAuth2 authentication system into your WordPress site, allowing medical professionals to log in using their DocCheck credentials. Note: Using DocCheck Access requires the Economy or Business license model. This plugin cannot be used with the Basic license model. Please contact DocCheck for details on available license models. Features

• Adds a DocCheck login button via shortcode or automatic page-level protection
• OAuth 2.0 Authorization Code flow with PKCE for secure authentication
• Two authentication modes: Anonymous Session and WordPress User creation
• Per-page and global content protection with role-based access control
• Configurable scope and user metadata mapping
• Template override support for protected pages
• Hooks and filters for developers to customize behavior

External Services This plugin connects to the following external services: DocCheck OAuth Server (https://auth.doccheck.com) Used to exchange the OAuth authorization code for an access token and to retrieve the authenticated user's profile data. This connection is only made when a visitor actively clicks the DocCheck login button. Please refer to the DocCheck Privacy Policy and DocCheck Terms of Service. DocCheck CDN (https://dccdn.de) The DocCheck login button is a web component whose script is served from DocCheck's CDN. It is loaded only on pages where the [docacc_login] shortcode or page-level protection is active — not on every page. Please refer to the DocCheck Privacy Policy. No data is transmitted to any other third-party service. Requirements

• WordPress 5.0 or higher
• PHP 7.2 or higher
• A DocCheck OAuth client ID and client secret (obtainable from DocCheck)

General Settings Go to Settings > DocCheck Login in your WordPress admin to configure the plugin. You can also open the settings directly from the Settings link on the WordPress plugins overview screen. OAuth Credentials

• Client ID — Your DocCheck OAuth Client ID.
• Client Secret — Your DocCheck OAuth Client Secret.
• Redirect URI — Auto-generated based on your site URL. Copy this value into your DocCheck application settings.

Redirection & Debug

• Default Target Page — The page users land on after a successful login.
• Debug Mode — Logs detailed API and authentication information. Disable on production sites.

Content Protection

• Make all Pages Private — Requires DocCheck login for every page on the site.
• Auto-assign Parent Configurations — Child pages automatically inherit their parent page's protection status.
• Login Button Version — Pin a specific component version (e.g. 3.2.7) or use @latest to always load the most recent version.

User Management Authentication Modes

• Anonymous Session — Users are authenticated via DocCheck but no WordPress user account is created. Data is held only for the duration of the PHP session and is not stored permanently.
• WordPress User — A WordPress user account is created or linked on the visitor's first DocCheck login. Allows persistent storage of user properties and role-based access control.

Role & Metadata

• Default User Role — The WordPress role assigned to newly created DocCheck users. Only low-privilege roles (those without manage_options or edit_others_posts capabilities) are available for selection. Administrator and Editor roles cannot be assigned to DocCheck users.
• Automatic User Creation — Disabled by default. In WordPress User mode, local user creation for first-time DocCheck logins must be explicitly enabled by an administrator.
• Scope & Property Selection — Choose which DocCheck scopes to request and which user properties to store as WordPress user metadata.

Developer Hooks Actions

• docacc_user_created — Fires after a new WordPress user is created via DocCheck login. Parameters: $user_id (int), $user_data (array)
• docacc_user_logged_in — Fires when an existing user logs in via DocCheck. Parameters: $user_id (int), $user_data (array)
• docacc_session_created — Fires when a user is authenticated in anonymous session mode. Parameters: $user_data (array)

Filters

• docacc_map_role — Customize role assignment based on DocCheck user data. Parameters: $current_role (string), $user_data (array), $user_id (int) Note: roles with manage_options or edit_others_posts capabilities are silently rejected for security reasons.
• docacc_protected_template — Override the template used for protected pages. Parameters: $template (string)
• docacc_is_authenticated — Override the authentication check result. Parameters: $authenticated (bool)
• docacc_user_data — Modify the DocCheck user data array before it is used. Parameters: $user_data (array)

Template Functions // Check if the current visitor is authenticated via DocCheck docacc_is_authenticated(); // returns bool // Get the authenticated user's DocCheck profile fields docacc_get_user_data(); // returns array, empty if not authenticated Example in a theme template: Visible only to DocCheck users. Custom Protected Page Template Create doccheck-protected.php in your active theme directory — the plugin uses it automatically. Or override via filter: add_filter( 'docacc_protected_template', function( $template ) { return get_stylesheet_directory() . '/my-protected-template.php'; } ); User Metadata Stored In WordPress User mode, the following meta fields are stored per user (subject to selected scopes):

• docacc_unique_id — DocCheck unique identifier (always stored)
• docacc_profession — Profession name
• docacc_country — Country ISO code
• docacc_language — Interface language
• first_name, last_name — Name fields
• docacc_email — Email address
• docacc_discipline_name — Medical discipline
• docacc_activity_name — Activity type
• docacc_area_code, docacc_street, docacc_city, docacc_state — Address fields
• docacc_last_login — Timestamp of last DocCheck login

1.0.6

• Added a direct Settings link to the plugin row on the WordPress plugins overview screen for faster access to options-general.php?page=doccheck-access.

1.0.5

• Review fix: Removed WordPress auth salt usage from OAuth state. The state parameter now contains only a nonce, while redirect and tracking data are kept server-side in a one-time transient.
• Review fix: Recursively sanitize DocCheck anonymous-session data before storing and before exposing it through helper APIs.
• Review fix: Updated the WordPress.org contributors field to the plugin owner username.

1.0.4

• Review fix: Sanitized the wp_list_pages() HTML returned by the [docacc_sitemap] shortcode before concatenating it into shortcode output.

1.0.3

• Review fix: Renamed plugin-owned global identifiers to the unique docacc prefix, including functions, classes, constants, options, hooks, transients, session keys, user meta keys, role slug, and shortcodes.
• Review fix: Replaced shortcodes with [docacc_login], [docacc_hide_content], [docacc_logout], and [docacc_sitemap].
• Review fix: Removed plugin-owned class_exists() and function_exists() wrappers to avoid silent conflicts with other plugins or themes.
• Review fix: Updated the OAuth callback query var, settings option, admin documentation, developer hooks, and examples to use the docacc prefix consistently.
• Compatibility: Added idempotent settings initialization so the renamed settings option is created safely during updates as well as new activations.

1.0.2

• Security: Restricted the Default User Role dropdown to low-privilege roles only (excludes roles with manage_options or edit_others_posts).
• Security: Added server-side validation in validate_settings() to reject high-privilege roles even if submitted directly.
• Security: The docacc_map_role filter result is now validated before set_role() is called, preventing privilege escalation via custom filter callbacks.
• Security: Added explicit opt-in for automatic local user creation (allow_user_creation), defaulted to off, and defaulted new installs to Anonymous Session mode.

1.0.1

• Review fix: Replaced inline <script> and <style> output with proper WordPress enqueue APIs.
• Added admin JavaScript through admin_enqueue_scripts + wp_add_inline_script() for settings tabs, scope/property matrix behavior, redirect URI copy button, and metabox role toggle.
• Moved matrix CSS and protected fallback template CSS into enqueued stylesheet assets.
• Review fix: Updated register_setting() arguments and adjusted client_secret sanitization to use a dedicated secret-safe callback instead of generic text-field sanitization.
• Review fix: Escaped shortcode callback return output for docacc_logout and sanitized rendered docacc_hide_content output with wp_kses_post().
• Review fix: Removed global session start behavior and introduced lazy, cookie-aware session initialization only in DocCheck authentication/session contexts.

1.0.0

• Initial release.