XF 1.4 Registered user bypassing permission

[Zynektic]

Hi there,

If you see the attachment you can see registered usergroup cannot create a new thread in the forum as seen at the top of the image. This has worked perfectly fine but since updating to 1.4.8 a user managed to bypass the 'revoke' permission and make a thread.

I confirmed the user is not in another usergroup other than the default one 'Registered' and as you can see, the user permission is set to revoke which worked fine until we updated to 1.4.8.

Any ideas?

 

[Paul B]

Can you run the permissions analyser on the member to double check the results for that node?

Do you have any add-ons installed?
Is the problem still apparent with add-ons disabled?

 

[Zynektic]

The only thing I changed was updating to XF 1.4.8 but give me a few minutes and I'll go check.

 

[Zynektic]

Definitely cannot post on that, this is the result on that specific node.

It worked fine until I updated to 1.4.8 and no other add-ons have been installed (the [AD] Core/Shop issues I posted earlier were on a test forum).

 

[Zynektic]

Also, I created a new user and they have no access to make a new thread there.

As per the screenshot there is a 'New Thread' icon to the top right on my Admin account and on a new user there is not so I am unsure how he has bypassed this?

 

[Mike]

Are you sure the thread wasn't moved there? (You can check moderator actions in the thread.)

There's nothing that would cause this from the upgrade to 1.4.8 except that it would have rebuilt permissions so the cache could have been wrong before, but permission analysis should indicate the actual cached values.

This might be a rare case where testing permissions should confirm whether or not the post new thread option exists in that forum. If it doesn't, then it's very likely something else is the cause.

 

[Zynektic]

Okay, for some reason it showed no moderator moving it, I cleared all my cache and checked again and it shows a moderator moved it. Now I have another issue.

When assigning moderators to specific sections it is allowing them to move threads from sections they do not moderate. Is this because on the moderator usergroup they have permissions set there which allows full board access meaning I should remove all permissions in the moderator usergroup and only use the banner styling then set permissions where I add the moderator on the ACP to restrict it to only that area?

 

[Martok]

Permissions set in the moderating (and indeed other) user groups are global permissions. If you want the permissions to apply only to the forum a member is moderator for, use the permissions in ACP > Users > Moderators

 

[Zynektic]

Thanks, worked that out earlier and was just about to reply here.

However, for Global Moderator and Administrator if done in the ACP > Users > Moderators/Administrators I do not need to do the usergroup permissions correct?

 

[Martok]

Correct, though for Super (Global) moderators it's probably easier to assign their permissions via a user group if they all have the same permissions. This is because if you ever need to add/amend/remove permissions in the future then you can do it once in the user group for all super moderators rather than having to make the change for each one.

 

[Zynektic]

Okay thanks.

I did follow Brogans guide but never realised that if you do it to the usergroup for standard moderators it does them globally, oops.