Fixed Permissions "glitch" with restricted child categories

[Freelancer]

I have a "Trial Member" user group that is not allowed to view a certain child category within the XFMG.
They are later added to the User Group that can view the category once they are out of trial, by a trick with "User Group Promotions". So once they end their "Trial Period", the admin can set them to "Clear" in a custom drop down user field and the user group promotion automatically adds them to a secondary user group called "Can View Category" which is then allowed to view the child category (this is not possible in an other way due to the nature of the XFMG permission system).

Now, if you have the permissions you can view every media item which is displayed on the next higher category parent level up to XFMG Index, correct? If you do not have the category permissions you should not see the media item in the next higher category parent level, right?

The bug: For Media Index the above works, no media items from restricted child categories are shown there. But when a user with restricted rights visits a child category that is above the level child category which is restricted (but below media index), it still shows the media items to him.

Is this a bug or a flaw because of the reverse user group promotion when the "trial" is removed?

Sorry if this sounds really crude as description. I tried my best to articulate it. I also tested this with only the XF Core, Default Style and XFMG add-on active. No other add-ons were active.

 

[Chris D]

I'm not sure I 100% follow but something to understand / check is that the permissions aren't actually very advanced and aren't recursive like they are in, for example, node permissions.

So you can block access to a parent category, but if it's children categories are visible then it is possible to see contents from them.

You need to explicitly set the permissions in every single category.

If that all checks out ok I'll do some testing.

 

[Freelancer]

So you can block access to a parent category, but if it's children categories are visible then it is possible to see contents from them.

I blocked access to a third level child category and actually the category is not visible in the category sidebar widget. However, when a user with the restricted access to that category visits a category above that but below index, he can actually see the contents of the restricted category listed on the respective category index. But when he clicks onto a media item, he gets a permission error (like "you have no permission to view this item"). If he visits media index, the items are not shown.

Navigation Widget
Media Index – (no restrictions can be set) items not visible

Categories Widget
Top level Parent Category – (no restrictions, items from 3rd level cat visible)
----- 1st level Child Category – (no restrictions, items from 3rd level cat visible)
--------- 2nd level Child Category – (no restrictions, items from 3rd level cat visible)
------------ 3rd level Child Category – (RESTRICTED, no access to category, category not visible)

It looks like if the next higher category overrides (or does not compute) the permissions of its child. So this is why I would call it a "glitch".

The only workaround I could think of would be to make the 3rd level restricted category to a top level category, so no higher categories (except "index") are above it, but it is only a workaround.

 

[Chris D]

This should be sorted now for the next release, cheers.

 

[Freelancer]

Awesome. Thanks @Chris D