MyBB Community Forums

Full Version: Permissions Bug (primary vs secondary membership)
So I found something I would call a bug, or maybe I am not using the permissions system correctly. I have been setting permissions only for those groups I want to have access to a forum and leaving the rest as "Inherit/Default", so when testing group memberships and making sure they can only see what they should, I assign my test user to the groups as a secondary user.

Well I found out today that someone managed to become a primary user and was no longer in the registered user group and was able to view forums that they should not have been able to.

I went through several testing iterations to find out if they were just a primary user in a group and not a registered user, things were incorrect. However, once they were a secondary registered member, things were fine.

Overall this permissions system confuses the heck out of me and I am a full-time senior PHP developer. I am not sure if you guys have addressed this in 1.4 as I have yet to start working on my upgrade to it.
Hi,

Sorry, not sure what you mean by "someone managed to become a primary user and was no longer in the registered user group" - did they manage to change their primary usergroup themselves without AdminCP access?
How they did it at this point is less my concern than why the permissions differ from primary user to secondary user.

The permissions only differ if the user had a primary group other than "Registered" and was not a secondary member of the group "Registered".

Basically for the other group I set permissions to see forums X, Y & Z and somehow after their primary group was changed (or got changed) they were able to see restricted forums A, B & C.

I plan on upgrading to 1.4 after I update all my custom plugins so hopefully this bug doesn't exist there.
I'm still not sure what you're trying to say here.

By default, Registered users are allowed to see all forums, thus, unless you specifically specify that users who are a member of the Registered users group can't view a particular forum (regardless of it being primary or secondary), they'll be able to see it.
This is the same for any other custom usergroup you make - you have to specifically say that they're not allowed to view a particular forum (since the default "yes" overwrites any default "no").
Yes I understand that... but what is not happening is the default "no" in this case.

A user was just a member of this custom group. Neither group had access to these forums.

BUT somehow because the user was not a member of the "Registered" group and was a "Primary" member of the "Custom Group" they were able to see these forums.
Quote: Yes I understand that... but what is not happening is the default "no" in this case.

I found out the hard way there isn't a default NO in MyBB. You should be VERY explicit in your permissions and create a test user to play with it to ensure it works as you want. It's a tricky system. MyBB gives permissions if there are any YES perms but just because you see a NO doesn't mean it's no.

It's hard to explain... play with it and you will find out what I mean. I have an extra 6 groups at MyBB each with their own custom forums (some hidden) and also the hidden staff area. It was a total pain to get it right and it still isn't 100%. Turns out that even though I have permissions set to NO for viewing forum... a user can still fake a post into it by changing a form. So you have to be VERY explicit to what you want.

Also custom groups that are member joinable seem even weirder for their default permissions. It's hard to get a grip on it all but just you get it set up right and figure it out. I am about 95% sure I can do what I need but heck... explaining it isn't easy.
The permissions system almost turned me off of MyBB. However I thought I had it figured out until this bug showed up. I test every permission out and I test it by adding a test user to the group as a secondary user. However this is a primary user bug. I shouldn't have to check a user as a primary and secondary to see if they are going to see something they shouldn't.

The thing I shouldn't have to do every time I add a custom group is to go through every forum and explicitly give no permissions to that user for that forum. With the number of forums I have, that is just not practical.

Overall a forum admin shouldn't have to worry about this kinda stuff ya know?
Quote: Yes I understand that... but what is not happening is the default "no" in this case

Alright, here is what I did. I use PRIMARY for registered and VIP group only.

Then I have custom groups which are user joinable. Each I have it set so that permission for "can view forums" is NO. But since this is their secondary it doesn't matter because MyBB wants a YES. Any YES gives them a permission. I hope you understand. You will figure it out... you just have to wrap your head around it. You do have to do a lot of setting up for group and forum permissions if you add new groups or forums. I have about 30 forum categories and now about 12-14 groups.

I think any permission system is going to have complexity. The more complex the more control. What's poor imho is the documentation and explanation of how it all works. There aren't clear-cut examples of how to set up a custom group to view a custom forum category yet deny them access to OTHER custom forum categories. It's a YES and NO setup and just remember that one YES and they get permission.

Make sure you have the NO's set where you need them too. As I said... create test member... alter their group and play with it. You will get the hang of it.
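
The merge rule the replies describe (a group with no forum-specific setting falls back to its own default, and a YES from any of a user's groups wins), as an added example that is not part of the original thread and is not MyBB's code. It is a simplified Python model; every group name, forum name and setting in it is constructed sample data.

```python
# Simplified model of the rule described in this thread; NOT MyBB source code.
# All group names, forum names and settings are constructed sample data.

# Group-wide "can view forums" default for each usergroup.
GROUP_DEFAULT_CANVIEW = {
    "Registered": True,
    "Custom Group": True,   # new group that kept a default YES
    "VIP": False,
}

# Forum-specific settings. A group missing from a forum's dict is on
# "Inherit/Default" and falls back to its group-wide default above.
FORUM_OVERRIDES = {
    "Forum X": {"Custom Group": True, "Registered": False},
    "Forum A": {"VIP": True, "Registered": False},  # Custom Group left on inherit
}


def group_canview(forum, group):
    """Effective view permission of a single group on a single forum."""
    overrides = FORUM_OVERRIDES.get(forum, {})
    if group in overrides:
        return overrides[group]
    return GROUP_DEFAULT_CANVIEW[group]


def user_canview(forum, primary, secondary=()):
    """One YES from any of the user's groups grants access."""
    return any(group_canview(forum, g) for g in (primary, *secondary))


def audit():
    """Map each forum to the groups that can view it only through an
    inherited default YES, i.e. the places an explicit NO is missing."""
    findings = {}
    for forum, overrides in FORUM_OVERRIDES.items():
        groups = sorted(
            g for g, default in GROUP_DEFAULT_CANVIEW.items()
            if g not in overrides and default
        )
        if groups:
            findings[forum] = groups
    return findings


if __name__ == "__main__":
    print(user_canview("Forum A", "Custom Group"))
    print(audit())
```

Running the audit over every forum and group pair after adding a group or forum replaces the per-forum manual check with a list of the inherited YES entries that still need an explicit NO.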