Kistenstein Club Document Portal
Kistenstein Club Document Portal turns any WordPress page into a private document library and member area — a Nextcloud-style file manager perfect for associations, clubs, sports teams and small organisations that need to share documents with their members.
Members open a familiar file explorer with folders, drag-and-drop upload, PDF preview and search. Every area is protected — either by WordPress role/group or by a single shared password — and files are delivered securely through WordPress so they can never be downloaded by guessing a URL.
Key Features
- Nextcloud-style file explorer — folder navigation with breadcrumb trail
- Upload — button and drag-and-drop from desktop
- PDF preview — inline browser preview via modal iframe, no download required
- Drag-and-drop move — drag files or folders onto other folders or breadcrumb items to move them
- Folder management — create, rename and delete folders
- File management — rename and delete (soft-delete) files
- Soft-delete trash — deleted items are kept for a configurable retention period (default 180 days)
- Admin trash view — restore or permanently delete items; configurable retention directly in the trash panel
- Two protection modes per area — choose for every area whether it is restricted to a WordPress role/group, or unlocked with a single shared password
- Upload permissions by role — define which WordPress role may upload, rename and delete files
- Secure file delivery — all files are streamed through WordPress, and the upload folder is blocked from direct HTTP access, so protected files cannot be downloaded by guessing their URL
- Page password manager — editors can view and update the shared password of a password-protected page directly inside the portal (optional)
- Fully translatable — every string uses the kistenstein-club-document-portal text domain; the interface follows each user’s WordPress language
How access protection works
When you set up an area in the wizard you pick one of two modes:
- Only a specific role / group — only logged-in users who hold the chosen WordPress role can open the area. Each member needs their own WordPress account. Best when you want individual accounts (e.g. a board with named members).
- Shared password — the area’s page is protected with WordPress’ built-in page password. Everyone uses the same password — no individual accounts needed. Best for a members’ area where you simply hand out one password.
In both cases files are delivered through WordPress and the storage folder is protected from direct access, so the chosen rule is always enforced — not just hidden in the listing.
Block editor
Prefer the block editor? Add the Document Portal block to any page and pick the folder in the sidebar — no shortcode required. The classic shortcodes below work exactly the same.
Shortcodes
[kcdp_explorer folder="documents"]
Renders a file explorer for the named sub-folder. The area’s protection mode is configured in the setup wizard.
[kcdp_explorer folder="members" manage_password="1"]
Adds a shared-password manager panel for editors (requires the Password-Protected Page ID to be set under File Portal → Advanced).
[kcdp_trash]
Trash view with restore and permanent-delete actions. Visible to administrators only.
[kcdp_audit]
Audit log of all file actions (upload, download, delete, restore …). Visible to administrators only.
Configuration
- After activation you are taken to File Portal → Set Up.
- Tick the areas your association needs, name each page, and choose how each area is protected (role/group or shared password).
- Pick which role may upload and manage files.
- Save — the pages are created automatically. Add [kcdp_trash] to a restricted admin page to manage deleted files.
Server requirements for protected areas
Protected files are blocked from direct download with an .htaccess file written into the upload folder. This is honoured by Apache and LiteSpeed. If you run nginx, add an equivalent rule that denies direct access to the portal’s upload folder (e.g. location ^~ /wp-content/uploads/file-portal/ { deny all; }), so that protected files are only reachable through the plugin.
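One way to confirm the deny rule is actually in effect, as an added example that is not part of the plugin: the script requests a stored file by its direct URL and reports whether the server refused it. The folder path is the example path quoted above and the file name in the usage line is a placeholder; point it at a file that really exists in your portal, because a 404 for a wrong name proves nothing.

```shell
#!/bin/sh
# Added example (not part of the plugin): confirm that files in the portal's
# upload folder are refused when requested by their direct URL.
# Assumption: the folder is the example path quoted on this page,
# /wp-content/uploads/file-portal/; use the path your installation really has.

# Map the HTTP status of a direct request to a verdict.
kcdp_verdict() {
    case "$1" in
        200|206)       echo "EXPOSED" ;;       # body or byte range was served
        401|403)       echo "BLOCKED" ;;       # deny rule is in effect
        404|30[12378]) echo "INCONCLUSIVE" ;;  # wrong file name, or a redirect to check by hand
        000|"")        echo "UNREACHABLE" ;;   # no HTTP response at all
        *)             echo "UNKNOWN" ;;
    esac
}

# Fetch a URL without following redirects; print only the status code.
kcdp_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1"
}

# Check one direct URL; succeeds only when the server refused the request.
kcdp_check() {
    code=$(kcdp_status "$1") || code=000
    verdict=$(kcdp_verdict "$code")
    printf '%s %s %s\n' "$verdict" "$code" "$1"
    [ "$verdict" = "BLOCKED" ]
}

# Usage: sh kcdp-check.sh 'https://example.org/wp-content/uploads/file-portal/<existing-file>'
rc=0
for url in "$@"; do
    kcdp_check "$url" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

Repeat the check after a server migration or a change of web server, since the .htaccess file is only honoured by Apache and LiteSpeed.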
Privacy
When a file is deleted, the following metadata is stored in a trash index file on the server: the original file path, the WordPress user ID and display name of the user who deleted it, and the timestamps for deletion and scheduled expiry. The audit log additionally records, per action, the acting user, a timestamp and the request IP address. This data is stored only on your server and is never transmitted off-site.
