Fixed "Depends on permission ID" doesn't seem to actually do anything

Jake B.

Affected version: 2.1.6
I have a "viewX" and "addX" permission in an add-on; the "addX" permission has "viewX" as the "Depends on permission ID". Both permissions are in the same group; however, I am able to set the "addX" permission directly to a user, user group, or through the moderator permission interface without assigning the "viewX" permission first. Additionally, the permission still returns true even without the dependent permission having a value set.
 
We've just been looking into this, and it appears to have behaved the same since XF1, so we are giving serious consideration to just dropping the field completely as it's a bit vestigial and our own permission checks tend to ignore its existence anyway.

We've actually just uncovered a commit from July 2010 where we essentially commented out the code that would have allowed dependent permissions to work.

Anyway, will report back with our decision.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.0 Beta 6).

Change log:
Change the logic of `Permission/Builder->applyPermissionDependencies` such that the child (dependent) permission can only be `deny` if the parent permission is not positive (`allow` / `content_allow`)
There may be a delay before changes are rolled out to the XenForo Community.
 
This seems to be the best solution. I've only applied it to 2.2 as it may well change some expected permission combinations, so probably needs to be reviewed along with other 2.1 to 2.2 changes when applied to a live community.
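
An added example, not part of the thread and not XenForo's code: a stand-alone PHP model of the rule in the change log, read here as "a dependent permission is forced to `deny` unless its parent is `allow` or `content_allow`", plus a helper that lists the grants this rule would flip so they can be reviewed before upgrading. The function names, the `unset` state name, the `editX` permission and the handling of dependency chains and cycles are assumptions.

```php
<?php
// Added illustration: a stand-alone model, not XenForo source code.
// 'unset' is an assumed name for "no value set"; editX is hypothetical.
const POSITIVE = ['allow', 'content_allow'];

// Force each dependent (child) permission to 'deny' unless its parent
// resolves to a positive value. Parents are resolved first, so chains
// collapse from the top (chain handling is an assumption).
function applyDependencies(array $values, array $dependsOn): array
{
    $done = [];
    $resolve = function (string $id, array $path = []) use (&$resolve, &$values, &$done, $dependsOn) {
        $parent = $dependsOn[$id] ?? null;
        if ($parent !== null && !isset($done[$id])) {
            // A dependency cycle can never be satisfied: treat as not positive.
            $cyclic = $parent === $id || in_array($parent, $path, true);
            $parentValue = $cyclic ? 'unset' : $resolve($parent, array_merge($path, [$id]));
            if (!in_array($parentValue, POSITIVE, true)) {
                $values[$id] = 'deny';
            }
        }
        $done[$id] = true;
        return $values[$id] ?? 'unset';
    };
    foreach (array_keys($dependsOn) as $id) {
        $resolve($id);
    }
    return $values;
}

// Grants that the rule would turn into 'deny': the combinations to review.
function changedByDependencies(array $values, array $dependsOn): array
{
    $changed = [];
    foreach (applyDependencies($values, $dependsOn) as $id => $after) {
        if ($after === 'deny' && in_array($values[$id] ?? 'unset', POSITIVE, true)) {
            $changed[] = $id;
        }
    }
    return $changed;
}

// Constructed sample matching the report: addX granted, viewX never set.
$dependsOn = ['addX' => 'viewX', 'editX' => 'addX'];
$values = ['viewX' => 'unset', 'addX' => 'allow', 'editX' => 'content_allow'];
print_r(applyDependencies($values, $dependsOn));
print_r(changedByDependencies($values, $dependsOn));
```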
