Trying to understand permissions correctly...

discoian

Brain freeze!

I have 4 user groups, guest, member, staff and admin. Each member (apart from staff and admin) will be a "guest" before they upgrade their account through the "account upgrades" link. At that point their secondary group is set to Member.

The guest group has "view" and "view node" permissions set to "allow"; everything else is set to "not set".

In node permissions this is where I get confused. I set the permissions for each of the nodes, for the "guest" group most of them are set to "inherit" because how I understand it is that if their secondary group has "better" permissions than their primary group then they inherit the better permissions.

Is this correct?

Also, some of my nodes are inside categories, what sort of permissions do I apply to the categories? The same as the nodes inside it?
 
Your primary usergroup "Guest" will have to have all of the permissions set to either allow or deny. Setting them to inherit will effectively set them to no.

Once you've set your guest permissions up, set only the Member permissions that differ from the guest permissions. Then when they upgrade their new usergroup's permissions will override the guest ones.

As for your nodes, just set up any permissions for categories and they will automatically be inherited by the child nodes. If you don't need any specific permissions for categories, don't set any.
 
OK, I've had another read of the manual.

In group permissions for the Guest usergroup everything is pretty much set to "Not set" apart from the odd "Allow" here and there. From what I understand if the Member usergroup has more "allows" then the permissions of both the "guest" and "member" usergroups will be merged with the guest now taking on the better privileges.

Now with Node permissions it gets more complicated. I think I'm lost with the terminology...

Never - understand this
Allow - understand this

Inherit - takes its value from the parent - what does this mean exactly? Parent what? Parent node?

Revoke - again what does this mean? If I have guest permissions set to revoke and member permissions set to allow, if that member's primary group is guest and their secondary group is member they get the allows?
 
Permissions are cumulative but the important point to note is:

Permission value priority is set in this order: (highest priority first)
  1. Never – this will not grant the permission. This can never be overridden, so should be used sparingly.
  2. Allow – this will grant the permission.
  3. Not Set (No) – this will not grant the permission. This is the lowest priority value; any explicit allow will override this.
This may help: http://xenforo.com/help/permissions/
And this: http://xenforo.com/help/user-groups/

Edit: Ninja'ed as I was posting.

Revoke removes the permission which has been set to allow in the user group.
 
Thanks for this, I understand the usergroup permissions now but the node permissions are baffling me. Node permissions are highest priority first but I'm confused by "revoke" and "inherit".

Is it...

If I do not want my guests to have access to a particular node I "revoke" access.
If I do want a member to access a node I "allow" access.

If a member's primary group is "guest" and their secondary group is "member" will they have access to that node or not?

Is a "category" a parent node? What permissions do I apply to that? Same as those inside it and then just set all the nodes inside that category to "inherit" ???
 
http://xenforo.com/community/threads/understanding-permissions.5830/
See if this helps.

The fundamentals should be that the guest usergroup has the base permissions for all of your users, then the secondary groups (member/staff) have the inherited permissions. Example:
Guest may have:
View Node - Allow
Post Thread - Allow
Reply to Thread - Deny

Member may then have:
View Node - not set
Post Thread - not set
Reply to Thread - allow

Only the permissions that differ from your base usergroup (Guest in your case) should be changed.
 
Is a "category" a parent node? What permissions do I apply to that? Same as those inside it and then just set all the nodes inside that category to "inherit" ???
The parent node is the node right at the top of the tree.
The permissions applied to that node will apply to all child nodes, unless they have specific permissions applied to them.

If a member's primary group is "guest" and their secondary group is "member" will they have access to that node or not?
Primary and Secondary groups have no relevance when it comes to permissions.
Permissions are cumulative across all groups a user is a member of.

If one of the groups has Allow set then the overall permissions will be Allow.
 
Ok so..

If I do not want my guests to have access to a particular node I "revoke" access.
If I do want a member to access a node I "allow" access.

If a member's primary group is "guest" and their secondary group is "member" will they have access to that node or not?
 
I guess what I'm asking is that if you have a Revoke and an Explicit Allow, the permission is "Allow"

Permission Math

Here is some permission math for the combinations that might not be obvious:

Not Set (No) + Not Set (No) = Overall No

Not Set (No) + Allow = Overall Yes

Not Set (No) + Never = Overall No

Inherited Allow + Revoke = Overall No

Allow + Revoke = Overall Yes

Allow + Never = Overall No

Pay special attention to the Revoke ones:

Inherited Allow + Revoke = Overall No

Allow + Revoke = Overall Yes

Only an explicit Allow (as opposed to an inherited Allow) can override a Revoke. A Revoke is designed to trump inherited access and reduce a user's permissions unless you explicitly Allow (no inheritance) that permission elsewhere in the Node Permissions (e.g. for one of the user's other groups).

Use Cases

Here are some notable use cases. I may add more later.

Creating a private forum

Because of the way Revoke works in xenForo you shouldn't use it to restrict a private forum. Instead you should use a special feature in xenForo called Private node. You will see the Private node checkbox when editing the permissions for a specific node. This basically inverts the permissions so that you can specify Allowed groups instead of Revoked groups. This is actually better for group management if you add more groups later.

Admin CP -> Users -> Node Permissions -> [select a forum] -> Private node
Jake did the math ;)
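
The permission math quoted above, worked through for the guest/member question asked in this thread. This is an added example, not part of the original posts and not XenForo's own code: it is a simplified model of the stated rules only, and the function names, the `banned` group, and the `members_area`/`lounge` nodes are constructed for illustration.

```python
# Simplified model of the permission math quoted in this thread.
# Not XenForo code: all names and the sample data below are constructed.
NEVER, ALLOW, REVOKE, UNSET = "never", "allow", "revoke", "unset"

def combine_groups(values):
    """Group level: merge one permission across all of a user's groups."""
    if NEVER in values:
        return NEVER      # Never can never be overridden
    if ALLOW in values:
        return ALLOW      # any explicit Allow beats Not Set (No)
    return UNSET

def combine_node(inherited, values):
    """Node level: merge the groups' entries at one node with the inherited value."""
    if inherited == NEVER or NEVER in values:
        return NEVER      # Allow + Never = Overall No
    if ALLOW in values:
        return ALLOW      # Allow + Revoke = Overall Yes
    if REVOKE in values:
        return UNSET      # Inherited Allow + Revoke = Overall No
    return inherited      # every entry is Inherit: keep the parent's result

def resolve(user_groups, group_perms, node_path, node_perms):
    """Walk from the top-level node down to the target; True if granted."""
    value = combine_groups([group_perms.get(g, UNSET) for g in user_groups])
    for node in node_path:
        entries = node_perms.get(node, {})
        value = combine_node(value, [entries.get(g, UNSET) for g in user_groups])
    return value == ALLOW

# Constructed sample: "view" permission, a category with one child forum.
GROUP_VIEW = {"guest": ALLOW, "banned": NEVER}        # member: Not Set
NODE_VIEW = {"members_area": {"guest": REVOKE, "member": ALLOW}}
PATH = ["members_area", "lounge"]                     # lounge inherits everything

if __name__ == "__main__":
    for groups in (["guest"], ["guest", "member"], ["guest", "member", "banned"]):
        print(groups, "->", resolve(groups, GROUP_VIEW, PATH, NODE_VIEW))
```

Which group is primary and which is secondary never enters the calculation, and a Revoke placed on a child node still removes access granted by an explicit Allow on its parent, because that Allow is only inherited at the child.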
 