Do you prefer a positive or a negative approach to permissions?

As the headline suggests: which way do you prefer? I currently have a few thoughts on the issue.

To give you the background: I am running a forum for the flight crews of the airline for which I fly as well. We have several groups which need to be kept (at least in part) separated for a variety of reasons.

Now there are two possible ways to handle this.
I can use a baseline set of permissions which allow users to view all forums and then disallow certain forums from being viewed.
Or I can give no one permission to view anything at all and then allow it only for certain forums.

I currently prefer to give everyone general permission to view forums and then disallow for example the cabin crew from viewing the technical topics of the pilots.
The reason for this is that I need fewer permissions to be set in total.
The downside is that you always have to kind of think twice because you are assigning permissions in a negative way (as in withdrawing it).

Which way do you think is preferable and for what reasons?
 
XenForo really is built around "positive" permissions. You set a baseline of permissions that everyone has in the Registered usergroup (which everyone should have as their Primary Usergroup). After that you create other user groups and in these you only "add" the extra permissions that are required for members of that user group (as they will have the other permissions already from the Registered usergroup). This method is the one with the least permissions set and there's no need to use the Never permission which gets some admins in a mess at times. Never should generally never be used as it cannot be overridden (there's a few exceptions such as creating a "naughty step" group where permissions are removed from members who misbehave).

More information here:

https://xenforo.com/community/resources/implementing-permissions-across-multiple-user-groups.358/
https://xenforo.com/community/resources/understanding-permissions.360/


As for forums that you want viewed by some users only, the easiest way is to make those forums private and then Allow the 'View node' permission for the desired user group(s) or user(s). There is the Revoke method that's equally valid but I prefer the "positive" approach. Details here:

https://xenforo.com/community/resou...user-groups.358/updates#resource-update-16595
 
@Martok I do appreciate your input, even though I certainly do not agree with it 100%.

I have just mapped out the number of permissions I have to set the way you are suggesting and counted the number of permissions I have currently set.

Turns out that, at least in my case, the approach with private nodes results in many more permissions to set than the opposite way.

I do not use „never“ at all.
I currently have revoked permissions in 21 specific cases (each single „no“ was counted as one case).
If I would go the other way and use private nodes (which is the majority of my nodes that would require this) I would end up with around 60 to 70 permissions granted instead.
The second I declare a node private (let’s say for example pilots tech talk) I have to grant permissions to pilots, to moderators and to admins.
The way it is set up right now I only have to revoke permission for the cabin crew.
Same applies for almost any other topic in my forum, as generally admins and mods are supposed to see it all, while almost all other nodes are either for pilots or for cabin crew, with only a few for common interaction.

It actually took me a while to get used to the approach of making everyone’s primary group „registered“ and only assigning subgroups based on needs, but I have gotten used to it and it works really well, except when you start playing with private nodes and almost all your nodes exclude one usergroup.
 
It really depends on how your groups are set up. For your needs, it does sound like Revoke is the best approach if it's only 1 group that you don't want to access. For the way my site is set up, there's just one group that accesses the private nodes, so Revoke would be more work for me.

I guess that's why there's 2 ways of creating private nodes (as detailed in the link) so admins can choose the best one for their needs. :)
 
> I can use a baseline set of permissions which allow users to view all forums and then disallow certain forums from being viewed.
And that's where the problem lies. Until you have restricted them, they will be able to view anything. For that simple reason you should exclude registered members from viewing anything and add them to groups.
 
> And that's where the problem lies. Until you have restricted them, they will be able to view anything. For that simple reason you should exclude registered members from viewing anything and add them to groups.

Which again brings up its own problems, but that is actually not a bad idea I might add. Prevents all the trouble of setting extra permissions for admins and mods when using the option with the private nodes.

Edit: I must say that I have now gone with your approach. That has yet been the easiest of them all and the most straightforward as well. Even though it might not be suitable for every forum out there, it was the easiest approach for my use case. I just learned a lot about rights in XF!
Thank you!
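
Added example (not part of any post in this thread, and not XenForo's own permission code): a simplified Python model of the two approaches discussed above. It compares how many rules each approach needs for the same access matrix, and who can see a node or an account that has no rules yet. Group, node and user names are constructed.

```python
# Simplified model for illustration; this is not XenForo's permission engine.
# Group, node and user names are constructed sample data.
GROUPS = ["pilots", "cabin_crew", "moderators", "admins"]

# Desired access: which groups should be able to view each node.
WANTED = {
    "pilots_tech": {"pilots", "moderators", "admins"},
    "cabin_talk":  {"cabin_crew", "moderators", "admins"},
    "common_room": {"pilots", "cabin_crew", "moderators", "admins"},
}

def revoke_rules(wanted):
    """Default-allow baseline: list the (group, node) pairs that must be revoked."""
    return {(g, n) for n, ok in wanted.items() for g in GROUPS if g not in ok}

def allow_rules(wanted):
    """Default-deny baseline: list the (group, node) pairs that must be allowed."""
    return {(g, n) for n, ok in wanted.items() for g in ok}

def can_view_default_allow(user_groups, node, revoked):
    # Fail-open: with no matching revoke, any registered account can view.
    return not any((g, node) in revoked for g in user_groups)

def can_view_default_deny(user_groups, node, allowed):
    # Fail-closed: with no matching allow, nobody can view.
    return any((g, node) in allowed for g in user_groups)

def exposure_of_new_node(node, users, revoked, allowed):
    """Who can see a node that was just created and has no rules yet?"""
    open_model = sorted(u for u, gs in users.items()
                        if can_view_default_allow(gs, node, revoked))
    closed_model = sorted(u for u, gs in users.items()
                          if can_view_default_deny(gs, node, allowed))
    return open_model, closed_model

USERS = {  # "new_signup" has not been added to any secondary group yet
    "anna": {"pilots"}, "ben": {"cabin_crew"},
    "mod_carl": {"moderators"}, "new_signup": set(),
}

if __name__ == "__main__":
    revoked, allowed = revoke_rules(WANTED), allow_rules(WANTED)
    print("rules to maintain:", len(revoked), "revokes vs", len(allowed), "allows")
    print("new node visible to (default-allow, default-deny):",
          exposure_of_new_node("safety_reports", USERS, revoked, allowed))
    print("ungrouped account sees pilots_tech (default-allow):",
          can_view_default_allow(USERS["new_signup"], "pilots_tech", revoked))
```
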
 