Permission terminology is confusing

[Sarah Vandegoor]

The difference in permission terminology between the user/user group permissions and the node permissions confuses me.
For user/user group it is set in this order: (highest priority first)

• Never – this will not grant the permission. This can never be overridden, so should be used sparingly.
• Allow – this will grant the permission.
• Not Set (No) – this will not grant the permission. This is the lowest priority value; any explicit allow will override this.

For nodes it is the following: (highest priority first)

• Never – this does not grant the permission and cannot be overridden.
• Allow – this grants the permission.
• Revoke – this does not grant the permission, but can be overridden.
• Inherit – this takes the value from the parent.

If I go to an actualuser/user group in my xenForo trial the various permissions are presented in colums with colors

• Never: Red
• Allow: Green
• Not set: Gray

If I go to an actual in xenForo trial the various permissions are presented in colums with colors

• Never: Red
• Revoke: Orange
• Allow: Green
• Inherit: Gray

I would say that the order of cols would reflect the priority (left col: lowest, right col:highest). This is OK for the user/user group.
For the node permissions however, the col "Revoke" is after "Allow" and this what confuses me.

So what is "Revoke"? Judging by the explanation in the documentation it seems it is the same as "Not set". But "Not set" has a lower priority as "Allow" and so does "Revoke". But for real it looks as if "Revoke" has a higher priority then "Allow", it has also a distict color: Orange.

Can someone clarify this for me?
Thanks

 

[Paul B]

Permissions are cumulative.

Never overrides everything.

Revoke overrides an inherited Allow.

An explicit Allow overrides a Revoke.

 

[Sarah Vandegoor]

Thanks Brogan. The usage of Revoke is still not clear to me. Maybe a simple example would help?

 

[wang]

Thanks Brogan. The usage of Revoke is still not clear to me. Maybe a simple example would help?

If you have set View threads by others: to Allow for example, then if you check Revoke for a certain group at a certain Node, then the members belonging to that group will not be able to view threads by other for that forum.

 

[Mike]

Thanks Brogan. The usage of Revoke is still not clear to me. Maybe a simple example would help?

You have a particular forum where you only want moderators to create threads. You revoke the create thread permission from registered users (as if you didn't, they would likely inherit an allow permission from above/the group level) and then add an explicit allow in that forum for moderators. As never has the highest priority, it can't ever be overridden, so you have to use revoke in this scenario.

 

[Sarah Vandegoor]

Thanks Wang and Mike, for your replies. So, judging by your scenarios should I read "Revoke" as an explicite "Not allowed"? And why isn't there a "Revoke" in the user/group permissions aswell?

 

[wang]

Yes, the Revoke can be seen as Not allowed for the specific permisison that it will be applied to. Revoke affects the group permissions. I do not see how it can be in theere, because the group permisisons are in general. Revoke will be included in specific permisisons for them, like in the examples given above.

 

[Mike]

Revoke removes a permission that has been granted, but in a way that can be overridden again. As the default (not set) at the group/global level is already no, there doesn't need to be an explicit revoke (it is effectively already applied).

 

[Sarah Vandegoor]

Ha, now I understand! Wang, Mike, I thank you both for your quick replies. Cheers.