Jake Bunce
Well-known member
Types of Permissions
Not Set (No)
Not explicitly set. Effectively a No if there is no Allow in other applicable permission sets. In the Node Permissions this is Inherit which means that permission is inherited from the higher level User Group Permissions and User Permissions.
Allow
This is like a Yes. The permission is granted.
Revoke
This is only used in the Node Permissions. A Revoke can be overridden by an explicit Allow but not an inherited Allow. Revoke is designed to reduce a user's Node Permissions in the absence of an explicit Allow. More on this later.
Never
This is an overriding No. The user won't have this permission even if there is an Allow elsewhere.
Permission Sets
There are different permission sets which come together to determine a user's overall permissions. These are the levels of permissions:
Admin CP -> Users
> User Group Permissions
> User Permissions
> Node Permissions
The User Group Permissions define the base permissions. Then the User Permissions are an optional set of permissions that can be defined for individual users. These two sets merge together to form the base permissions for a user.
Then you have the Node Permissions. These permissions are inherited from the previous two sets. In addition, node permissions of a parent node are inherited by child nodes. You can set node permissions per group and per user, and these two sets of permissions merge together to determine a user's final permissions per node.
Permission Math
Here is some permission math for the combinations that might not be obvious:
Not Set (No) + Not Set (No) = Overall No
Not Set (No) + Allow = Overall Yes
Not Set (No) + Never = Overall No
Inherited Allow + Revoke = Overall No
Allow + Revoke = Overall Yes
Allow + Never = Overall No
Pay special attention to the Revoke ones:
Inherited Allow + Revoke = Overall No
Allow + Revoke = Overall Yes
Only an explicit Allow (as opposed to an inherited Allow) can override a Revoke. A Revoke is designed to trump inherited access and reduce a user's permissions unless you explicitly Allow (no inheritance) that permission elsewhere in the Node Permissions (e.g. for one of the user's other groups).
Use Cases
Here are some notable use cases. I may add more later.
Creating a private forum
Because of the way Revoke works in xenForo you shouldn't use it to restrict a private forum. Instead you should use a special feature in xenForo called Private node. You will see the Private node checkbox when editing the permissions for a specific node. This basically inverts the permissions so that you can specify Allowed groups instead of Revoked groups. This is actually better for group management if you add more groups later.
Admin CP -> Users -> Node Permissions -> [select a forum] -> Private node
Not Set (No)
Not explicitly set. Effectively a No if there is no Allow in other applicable permission sets. In the Node Permissions this is Inherit which means that permission is inherited from the higher level User Group Permissions and User Permissions.
Allow
This is like a Yes. The permission is granted.
Revoke
This is only used in the Node Permissions. A Revoke can be overridden by an explicit Allow but not an inherited Allow. Revoke is designed to reduce a user's Node Permissions in the absence of an explicit Allow. More on this later.
Never
This is an overriding No. The user won't have this permission even if there is an Allow elsewhere.
Permission Sets
There are different permission sets which come together to determine a user's overall permissions. These are the levels of permissions:
Admin CP -> Users
> User Group Permissions
> User Permissions
> Node Permissions
The User Group Permissions define the base permissions. Then the User Permissions are an optional set of permissions that can be defined for individual users. These two sets merge together to form the base permissions for a user.
Then you have the Node Permissions. These permissions are inherited from the previous two sets. In addition, node permissions of a parent node are inherited by child nodes. You can set node permissions per group and per user, and these two sets of permissions merge together to determine a user's final permissions per node.
Permission Math
Here is some permission math for the combinations that might not be obvious:
Not Set (No) + Not Set (No) = Overall No
Not Set (No) + Allow = Overall Yes
Not Set (No) + Never = Overall No
Inherited Allow + Revoke = Overall No
Allow + Revoke = Overall Yes
Allow + Never = Overall No
Pay special attention to the Revoke ones:
Inherited Allow + Revoke = Overall No
Allow + Revoke = Overall Yes
Only an explicit Allow (as opposed to an inherited Allow) can override a Revoke. A Revoke is designed to trump inherited access and reduce a user's permissions unless you explicitly Allow (no inheritance) that permission elsewhere in the Node Permissions (e.g. for one of the user's other groups).
Use Cases
Here are some notable use cases. I may add more later.
Creating a private forum
Because of the way Revoke works in xenForo you shouldn't use it to restrict a private forum. Instead you should use a special feature in xenForo called Private node. You will see the Private node checkbox when editing the permissions for a specific node. This basically inverts the permissions so that you can specify Allowed groups instead of Revoked groups. This is actually better for group management if you add more groups later.
Admin CP -> Users -> Node Permissions -> [select a forum] -> Private node