Resource icon

Understanding Permissions

Jake Bunce

Well-known member
Jake Bunce submitted a new resource:

Understanding Permissions (version 1.x) - Explanation of XenForo's permission system.

Types of Permissions

Not Set (No)
Not explicitly set. Effectively a No if there is no Allow in other applicable permission sets. In the Node Permissions this is Inherit which means that permission is inherited from the higher level User Group Permissions and User Permissions.

Allow
This is like a Yes. The permission is granted.

Revoke
This is only used in the...​

Read more about this resource...
 
Ok, I have read through all the permissions articles I can see but I guess im just stuck in a vB mind set.

I have this hierarchy (example)

  • Staff Forums (category)
    • Admin Forum (admins only)
    • Management Forum (admins + management)
    • All Staff (admins + management + moderators)
Would this be the best way to set this up? As I understand it, it should be as follows...
  • Staff Forums (private node with view node 'allow' set for admins, management + moderators)
    • Admin Forums (private node with view node 'allow' set for admins)
    • Management Forum (private node with view node 'allow' set for admins + management)
    • All Staff (private node with view node 'allow' set for admins, management + moderators)
With the exception of 'view node' permissions set on each usergroup I presume I just leave all other settings to 'inherit'?

Does this sound right Jake or am I going about it the wrong way?

Also, if I check 'private node' but dont expressly set the 'view node' permission on a usergroup (ie... inherit) could they still view the node if they knew the URL?

Im sorry to act dumb but my biggest wish is to fully understand the permissions and I have to admit to being a little confused.

Thank you,

Rob
 
Looks good except:

With the exception of 'view node' permissions set on each usergroup I presume I just leave all other settings to 'inherit'?

For the forums you need to grant other relevant permissions too, like posting threads and such.

Also, if I check 'private node' but dont expressly set the 'view node' permission on a usergroup (ie... inherit) could they still view the node if they knew the URL?

No.
 
Actually... I tried this Jake. View node indeed lets them view the forum but they dont appear to be able to see threads even or post or anything.

I'm actually struggling a lot here. I have regular forums too with no permissions set at all... everything should inherit from usergroup permissions but I still cant post (even as admin).... the whole process is actually driving me around the twist.
 
Be sure to check all groups for the user.

If it still isn't working then I can take a look if you give me a URL and admin login.
 
No doubt the permission system can be confusing - I suppose in about a year I will get my head around it.

It would be great in some future version to have a button to turn on "simple mode" for permissions for the majority of forums that need only a few simple options - admin, users and mods......

One particularly confusing part is the long list of moderator options under all permission groups...even when you are working with a user group which needs no access to moderation tools. Perhaps the wording or a warning should be very clear about these mod radio buttons - it's pretty easy to accidentally give all your users the thread tools. My misunderstanding stems from thinking that these boxes apply to what moderators can DO to the usergroup or node in question, as opposed to that they affect what the entire usergroup can do to everyone else!

It may be powerful, but it would not pass the Steve Jobs "single button" test!
:)
Heck, it's more confusing than nix permission!
 
Thanks Jake, sometimes we need to tweak and play around for setting membership permission, and then see the results.
 
Yes, they both go to the same place because node permissions are on that same page.

KH-Flare Permissions 1.webp

Now click on Permissions on the node you want to change permissions on and you'll be redirected to this page:

KH-Flare Permissions 2.webp

Now click on a user group and adjust the permissions accordingly for them:

KH-Flare Permissions 3.webp
 
Hi @Jake Bunce
I'm writing because I'm out of ideas about why the permissions system is not working at my forum.
It used to work, but not sure when it stopped.
For example:
I register a new user with basic permissions.
At forum permissions I revoke the "Post new thread" option:
2016-05-27_1205.webp
However, with the new registered user I'm still able to post a new thread:
2016-05-27_1206.webp
The test user is only at Registered usergroup:
2016-05-27_1208.webp
Finally, when I analyze user permissions at the subforum, all looks correcto:
2016-05-27_1210.webp
Do you know why users without permissions can still post a new thread?
Where is the problem?
Thanks in advance!
 
Last edited:
Hi @Jake Bunce
I'm writing because I'm out of ideas about why the permissions system is not working at my forum.
I used to work, but not sure when it stopped.
For example:
I register a new user with basic permissions.
At forum permissions I revoke the "Post new thread" option:
View attachment 134975
However, with the new registered user I'm still able to post a new thread:
View attachment 134976
The test user is only at Registered usergroup:
View attachment 134977
Finally, when I analyze user permissions at the subforum, all looks correcto:
View attachment 134978
Do you know why users without permissions can still post a new thread?
Where is the problem?
Thanks in advance!

Hi, the analyse permissions value is always correct. If it shows No for a particular node, and the member in question can still create a thread in that node, then there is an add-on that either is over-riding that value, or is not checking the permission for that particular node (it's returning the group value, instead of the node value).

Also, even if the post new thread button shows, can the member actually post a new thread?

I have three accounts on my forum: the admin one, a moderator one, and a normal member one. I have the moderator and regular member one so I can test permissions, etc., with peace of mind. If you do not have a regular member one for yourself, I would suggest you create one, just for testing. It saves a lot of time for trouble-shooting quirks like this.
 
Hi, the analyse permissions value is always correct. If it shows No for a particular node, and the member in question can still create a thread in that node, then there is an add-on that either is over-riding that value, or is not checking the permission for that particular node (it's returning the group value, instead of the node value).

Also, even if the post new thread button shows, can the member actually post a new thread?

I have three accounts on my forum: the admin one, a moderator one, and a normal member one. I have the moderator and regular member one so I can test permissions, etc., with peace of mind. If you do not have a regular member one for yourself, I would suggest you create one, just for testing. It saves a lot of time for trouble-shooting quirks like this.
Thanks a lot @Lawrence for your reply.
Then, an addon is probably the cause. I'll try to check it one buy one.

The member can see the button and actually post a new thread.
Thanks for the accounts suggestion. I normally play just with one secondary account changing its usergroup, but it's much better your way.
 
Top Bottom