MyBB Community Forums

Full Version: Cascading usergroup moderator permissions broken
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
If you create a user moderator on a category, and enable, say, open/close threads and stick/unstick threads, the user will have these powers in all forums inside the category. If you then add them as a moderator again to one of the forums inside this category, and only give them the ability to stick/unstick, then they lose the ability to open/close threads in this specific forum. This is correct.

However, the same does not apply to usergroup moderators. Using the same example as above, the moderators would still be able to open/close threads in the forum were specific moderator permissions were set, where they should only be granted stick/unstick permissions.

The issue is that in get_moderator_permissions, when setting permissions for users, it checks if the value is 0:

// Figure out the user permissions
if($value == 0)
{
	// The user doesn't have permission to set this action
	$perms[$action] = 0;
}
else
{
	$perms[$action] = max($perm[$action], $perms[$action]);
}

This will override the 1 set at category level with the 0 set at forum level, thus removing the ability to open/close threads (again, correct).

However, a few lines down when setting permissions for usergroups, it doesn't do this:

$perms[$action] = max($perm[$action], $perms[$action]);

Simply using the same code for usergroups as we do for users fixes the issue.

Usually in MyBB, we say a yes overrides a no - i.e. you can be in 10 groups that disallow a permission, but 1 that allows it, so you will be allowed. However, I think moderator permissions are a bit different.

Personally I think usergroups should behave the same as users, as it is reasonable to want to override permissions for a specific forum, maybe 3 levels deep, while setting everything else on a category level. This already works for users, just not usergroups.

Ideally, these permissions wouldn't be set up with a simple yes/no, they really need an 'inherit' option. This way, when you edit the moderators on specific forums, you could choose whether to specifically restrict a permission, or keep it in line with the permissions set on the category. However, this is best suited for 2.0 Big Grin
I can confirm this issue, simple to fix provided in the first post.
Hi,

Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.

Follow this link to visit the issue on Github: https://github.com/mybb/mybb/issues/3233

Thanks for contributing to MyBB!

Regards,
The MyBB Group