NodePermissions funkiness

[digitalpoint]

Affected version

2.2.12

Maybe this is by design, or maybe it's a bug... I'm not sure. But if you look in the xf_node_type table, there's a column for permission_group_id, which should be which permission group applies to that node type. At least you'd think so.

If you look at XF\Permissions\NodePermissions->setupNodeTypes(), the logic is to include permission groups that ANY node type uses (not just the node type you are looking at).

It makes for some weirdness... for example if you setup permissions for a Page node, you have all the permissions available that is for Forum nodes... Things like Post new thread.

It gets even weirder when you have multiple node types that have unique permissions. For example, I have a Marketplace node type where the xf_node_type.permission_group_id is set to marketplace.

Now any possible node type has all the permissions available from ALL node types. Forums have marketplace permissions available (and vice versa). Now "Link forum" not only have things like Create thread, they have permissions for selling and buying things. This would only get weirder and weirder the more node types you had with permissions.



Isn't the point of xf_node_type.permission_group_id to only present permissions that apply to that node type? Right now it's presenting all permissions for any node type to every node type.

 

[Xon]

This isn't obvious, but it does this for sub-forum support by only including the permissions child nodes will look at instead of 'the world'.

The xf_node_type.permission_group_id is used in getFinalPerms/getFinalAnalysisPerms to shrink the permission cache value to the minimal set for storage.