XF 2.0 Group Permissions Issue

[sip]

User is in default registered group and that group has no read content right to threads in certain forums -- 4 in nos
Call It F1, F2, F3, F4

Promotions are set based on Post count and works fine
On 5 posts User is added to Secondary group L1 with View Thread Contents for Forum - F1 (but not F2/3/4)
On 12 Posts User is added to secondary group L2 with View Thread Contents for Forum - F1, F2
On 19 Posts User is added to secondary group L3 with View Thread Contents for Forum - F1,F2,F3,F4

Primary user group remains Registered which as no View Thread content rights to F1, F2, F3, F4
However, I find that unless I assign View Thread contents to all these user group, Users in L3 group cannot view contents of thread.

Am I setting things wrong or this is a BUG?

 

[Chris D]

First step is to use "Analyse permissions" under Admin > Groups & permissions. Type in an affected user's name (who is in group L3) and an affected forum and that should give some info as to where those permissions are coming from.

 

[sip]

Did a Quick check for one Forum (F3) and here's what I get:

Registered Yes
L1 Yes
L2 Yes
L3 Yes
F3 - Registered No

Then, For 2nd group set to No and for the Node I get this
Registered Yes
L1 Yes
L2 Yes
L3 Yes
F3 - L1 No

The user is in group Registered
Subgroups - the other three coming from three promotions.

So, even if in Higher Group, if anyone of the lower group has No, that takes precedence.

 

[sip]

Or is it that we have to set View Thread Content Globally to "No" for each user Group and then go about modifying every forum's permission for each group to a Yes selectively?
That would be humongous task.

 

[Martok]

Or is it that we have to set View Thread Content Globally to "No" for each user Group and then go about modifying every forum's permission for each group to a Yes selectively?
That would be humongous task.

Not at all. Having "View Thread Content" set to Yes for the Registered User Group, then for the relevant nodes setting the "View Thread Content" node permission to No for the relevant user groups will work. I've just double checked this too on my 2.0 RC 2 install and it works as expected.

The issue that you have, I think, is that you are adding the users to all of these user groups. As such, a user in L3 won't see forum F3 if they are in L1 and L2 and you have removed the node permissions for those groups. User group permissions are cumulative. You would need to explicitly set the "View Thread Content" permissions in the nodes to Yes for the L3 group to overcome the No's set in the L1 and L2 groups. See this guide for more info (written for XF 1.5, so for 2.0 Allow = Yes and Revoke = No)

https://xenforo.com/community/resources/understanding-permissions.360/

Your other option, rather than do this, is to set your user group promotions so that when a user is added to L2, they are removed from L1, when they are added to L3, they are removed from L2. That would be done by using the "is not a member of" criteria.


For L1, you set it so they are not a member of L2.
For L2, you set it so they are not a member of L3.

A user gets promoted to L1.
Later the user gets promoted to L2. Once in L2, they no longer meet the criteria for L1 and so are removed from L1.
Later the user gets promoted to L3. Once in L3, they no longer meet the criteria for L2 and so are removed from L2.

Going this route, you could then just remove the "View Thread Content" permissions in each group for the relevant nodes.

 

[sip]

Thanks @Martok
What happens if we set

Registered Global - Yes
Registered for F1 thru F4 - No

Guess my problem is because of the second condition. I will give yet another try. But, currently Registered - No on F1-F4 is the one that gets honored.

 

[Martok]

Registered Global - Yes
Registered for F1 thru F4 - No

That will prevent everyone (as all users should have the Registered group as their primary group) from viewing thread contents in F1 - F4. You would then need to set "View Thread Content" to Yes for the (secondary) usergroups that you do want to see those nodes.

 

[sip]

That will prevent everyone (as all users should have the Registered group as their primary group) from viewing thread contents in F1 - F4. You would then need to set "View Thread Content" to Yes for the (secondary) usergroups that you do want to see those nodes.

Yes I had done that and it was failing. Will try again tonight so that there's less of user complains
I had done this -- which failed

Registered - Global YES
Registered -- F1 thru F4 --- NO
L1 -- F1 --- YES
L2 -- F1,F2 --- YES
L3 -- F1,F2,F3,F4 --- YES

Will try this again after making sure (by modifying conitions and re-running promotions) that there's only ONE secondary group assigned.
If that fails, then probably only way out for me would be to set

REGISTERED - Global NO
Then selectively SET all relevant forums REGISTERED YES (barring F1 thru F4)
And then set L1 through L3 the permissions on F1 thru F4.

 

[Martok]

REGISTERED - Global NO
Then selectively SET all relevant forums REGISTERED YES (barring F1 thru F4)
And then set L1 through L3 the permissions on F1 thru F4.

Don't resort to this, you should absolutely not have to do this. The solution I gave will work and if for some reason it doesn't we need to get it resolved.

 

[sip]

Don't resort to this, you should absolutely not have to do this. The solution I gave will work and if for some reason it doesn't we need to get it resolved.

Ok, my first (and only attempt) per your advise would be:

REGISTERED - Global YES
F1-F4 - NO

ANd then set F1-F4 individually for L1 through L3 and see if it works.
If it doesn't, then since RC2 isn't a supported version I can't even give access to admin over ticket and hence will wait for stable.

Thanks a lot. Shall keep this thread updated.

 

[sip]

Don't resort to this, you should absolutely not have to do this. The solution I gave will work and if for some reason it doesn't we need to get it resolved.

Ok this worked fine.
Only thing (not so necessary/important) is that I still can't get the user removed for previously assigned lower levels in the secondary group.

 

[Paul B]

You can by implementing what Martok suggested previously.

set your user group promotions so that when a user is added to L2, they are removed from L1, when they are added to L3, they are removed from L2. That would be done by using the "is not a member of" criteria.


For L1, you set it so they are not a member of L2.
For L2, you set it so they are not a member of L3.

 

[sip]

You can by implementing what Martok suggested previously.

Thanks!

I have modified the user promotions criteria. Will keep a watch as how things change once users log in. As Old cases where all three levels are active. Running cron manually doesn't change for users who even logged a week back.

 

[Martok]

Thanks!

I have modified the user promotions criteria. Will keep a watch as how things change once users log in. As Old cases where all three levels are active. Running cron manually doesn't change for users who even logged a week back.

I'm not sure that someone logging in a week ago is considered as recently active and running the crons won't sort this. What you can do, which will sort the promotions for all users, is use the Rebuild User Group Promotions function in the ACP (search for rebuild caches to find this).

 

[sip]

I'm not sure that someone logging in a week ago is considered as recently active and running the crons won't sort this. What you can do, which will sort the promotions for all users, is use the Rebuild User Group Promotions function in the ACP (search for rebuild caches to find this).

Thanks. That sorted it.
However, I am still clueless on one point. I have my promotions based on post count

1. Registered - Everyone gets this as primary group -- fine
2. L1 -- Member of registered - Min post 5
3. L2 -- Member of registered - Min post 12
4. L3 -- Member of registered - Min post 19
5. L4 -- Member of registered - Min post 99

Now, if i try removing the preceding group by assigning Max post to each then removal of previous assigned subgroup takes place but that also removes assignment of all members in previous group

For example

L1 - Min post 5 max post 11
L2 - Min Post 12 max post 18

Now L1 gets removed from a user with 18 posts but the user doesn't get assigned L2.
Same thing happens if i set

L3 min post 19 max post 99
L2 gets removed but L3 is not assigned to the user with say 28 posts.

I tried your way of removing from sub groups and it yielded similar results.

 

[Martok]

It should work if you are setting both "User has posted at least X messages" and "User has posted no more than X messages" in each user group (as long as there is no crossover which there doesn't appear to be from your description). You would need to check the user change log to see what happens to a user after the user group promotions are carried out to find the issue. Also it might be an idea to post screenshots of the user group setups if you are still having issues as it may aid in spotting any errors.

 

[sip]

Thanks @Martok
Tonight, my timezone, will re run everything step by step setting the min max values and then check the user change logs

No, there's no over lap.
Ranges are
5 -11 -L1
12-18 -L2
19-99 -L3
100+ -L4

Everything wrt user access is working fine.
Just that the lower Levels need to be removed.