As designed Invalid Permissions for Unregistered / Unconfirmed user group

[Mouth]

When setting/reviewing user group permission for Unregistered / Unconfirmed (group id: 1), many permission available are invalid and unable to be used for guests. XF exits many functions if $viewingUser['user_id'] is not set, thus regardless of whether an allowed permission is set for that functionality to the Unregistered / Unconfirmed user group, it is ignored anyway.

For example, XenForo/Model/Post.php ...

        /**
         * Determines if the post can be liked with the given permissions.
         * This does not check post viewing permissions.
         *
         * @param array $post Info about the post
         * @param array $thread Info about the thread this post is in
         * @param array $forum Info about the forum the thread is in
         * @param string $errorPhraseKey Returned phrase key for a specific error
         * @param array|null $nodePermissions
         * @param array|null $viewingUser
         *
         * @return boolean
         */
        public function canLikePost(array $post, array $thread, array $forum, &$errorPhraseKey = '', array $nodePermissions = null, array $viewingUser = null)
        {
                $this->standardizeViewingUserReferenceForNode($thread['node_id'], $viewingUser, $nodePermissions);

                if (!$viewingUser['user_id'])
                {
                        return false;
                }

                if ($post['message_state'] != 'visible')
                {
                        return false;
                }

                if ($post['user_id'] == $viewingUser['user_id'])
                {
                        $errorPhraseKey = 'liking_own_content_cheating';
                        return false;
                }

                return XenForo_Permission::hasContentPermission($nodePermissions, 'like');
        }

User group permission for /admin.php?user-groups/unregistered-unconfirmed.1/edit should either;

1. Not display or be available to set at all if it is invalid for guest users
2. Highlight (to the right of the Not Set | Allow | Never columns?) that the permission requires a logged in user.

 

[Chris D]

I don't think this is something that will be changed.

The unregistered / unconfirmed group permissions don't just apply to guests. They apply to users who are in a non valid state, too, and those users will have a user ID so those users would, as your example, be able to like posts and many other similar examples.

Even without that important distinction there is a number of cases where permission checks will be dependent on a number of other conditions being met, including things that might be specific to the content being viewed or interacted with or user privacy.

The permutations are far too great for there to be any solution to that, but primarily the actual meaning of that group in terms of non valid users is the most significant thing.