
Not a bug Permission inconsistency

Affected version
2.0 Beta 3

Snog

Well-known member
#1
If a forum has all of its permissions set to "Yes" for the registered user group, except for "View node" which is set to "No", an automated thread can be made in that forum using the current user's information.

However, an attachment cannot be made to that automated thread.
 

Mike

XenForo developer
Staff member
#2
When you say "automated thread", I assume one you've created via a service. In which case, permissions are not generally involved in that.

How are you trying to add an attachment though? Permissions shouldn't be involved with that for the most part.
 

Snog

Well-known member
#3
When you say "automated thread", I assume one you've created via a service. In which case, permissions are not generally involved in that.

How are you trying to add an attachment though? Permissions shouldn't be involved with that for the most part.
Yes, the thread is created via the creator service.

The attachment is via the helper_attach_upload template. You're able to upload the file, but then you immediately get this when the upload completes...
noperm.png

Give the group permission to view the forum, the error goes away and the attachment can be posted with the thread.
 

Mike

XenForo developer
Staff member
#4
This is something you'll need to take steps to manually resolve. You wouldn't be able to create a thread (or a post) in that forum when done through the standard controller, so it doesn't make sense for attachments to be inserted. A lack of viewing permission will always supersede any other permissions (by virtue of the fact that it should be checked before verifying any further permissions against a piece of content).

You may need to implement either a custom attachment handler to fit your needs or point to a custom attachment uploader end point to change this behavior.
 

Snog

Well-known member
#5
I was hoping not to bypass the normal permission system and the extra code. :)

But a quick handler does the trick.
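
The check order described in post #4, and a narrowly scoped custom handler of the kind mentioned in posts #4 and #5, as an added example that is not part of the original thread and is not XenForo code. It is a simplified stand-alone model: every class, method and permission name here is an assumption made for illustration.

```php
<?php
// Simplified model, not XenForo's API: all names below are assumptions.
final class Visitor
{
    public function __construct(private array $nodePerms) {}

    public function has(int $nodeId, string $perm): bool
    {
        return $this->nodePerms[$nodeId][$perm] ?? false;
    }
}

interface AttachmentHandler
{
    public function canManage(Visitor $v, array $context): bool;
}

// Models the stock behaviour from post #4: the view check runs before anything else.
final class StandardHandler implements AttachmentHandler
{
    public function canManage(Visitor $v, array $context): bool
    {
        if (!$v->has($context['node_id'], 'view')) {
            return false; // lack of view permission supersedes every other permission
        }
        return $v->has($context['node_id'], 'uploadAttachment');
    }
}

// Custom handler for the automated-thread flow: skips the view check, but only
// for explicitly listed forums, and still requires the upload permission.
final class SubmissionHandler implements AttachmentHandler
{
    public function __construct(private array $submissionNodeIds) {}

    public function canManage(Visitor $v, array $context): bool
    {
        if (!in_array($context['node_id'], $this->submissionNodeIds, true)) {
            return false; // never widen access outside the intended forums
        }
        return $v->has($context['node_id'], 'uploadAttachment');
    }
}

// Constructed sample: the user may post and upload in node 12 but cannot view it.
$visitor = new Visitor([12 => ['view' => false, 'postThread' => true, 'uploadAttachment' => true]]);
$ctx = ['node_id' => 12];
var_dump((new StandardHandler())->canManage($visitor, $ctx));
var_dump((new SubmissionHandler([12]))->canManage($visitor, $ctx));
var_dump((new SubmissionHandler([12]))->canManage($visitor, ['node_id' => 7]));
```

Because the custom handler replaces the view gate rather than adding to it, the allow-list of forums and the remaining upload check are the only things limiting who can attach files through it.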