Understanding Permissions

[Jake Bunce]

By my reckoning, anyone who is already in the Registered user group who is then added to the Premium Member user group (via an account upgrade) as a Secondary user group, will still retain the ability to upload an avatar due to the inherited "Allow", but the maximum size will be increased to 75KB.

Yes.

For numeric permissions the higher number is used. Or rather the more liberal of the two values is used. I just tested and confirmed this. For example:

1000 + 30000 = 30000
1000 + unlimited = unlimited

So for any additional (secondary) user groups, everything can remain on "Default" except for the specific permissions which differ from the primary group.

Correct.

Indeed - what is the rule for numeric "permissions" ? Does a larger value always override a smaller one (as this may not always be whats required).

Note that there is also a Default value for numeric permissions.

 

[Paul B]

Thanks Jake.

I still haven't looked into the node permissions in any detail but presumably, if a member in the Registered User group has "Post new thread" set to "Allow", if you want to remove that permission for a specific node then you need to set it to "Deny" as "Revoke" will be overridden by the "Allow"?

Currently I can't see a use for Revoke if it only works for inherited permissions as trying to remember which permission is inherited and which is allowed explicitly won't be easy.

 

[Jake Bunce]

I still haven't looked into the node permissions in any detail but presumably, if a member in the Registered User group has "Post new thread" set to "Allow", if you want to remove that permission for a specific node then you need to set it to "Deny" as "Revoke" will be overridden by the "Allow"?

Either one will work. But Revoke would be more appropriate. A Revoke in the Node Permissions will override the inherited Allow.

Revoke was not intuitive for me. I think of it as a subtractive No permission. It is designed to allow you to reduce a users permissions. Revoke is only available in the Node Permissions where inheritance is in play. Revoke trumps inherited permissions. Only another explicit Allow in the Node Permissions can override a Revoke.

Currently I can't see a use for Revoke if it only works for inherited permissions as trying to remember which permission is inherited and which is allowed explicitly won't be easy.

Yeah, it's only used for permission reduction. For example, if have some users from whom you want to take away permissions in certain forums, then you can create a new group, Revoke the appropriate permissions, and add those users to that group.

 

[Paul B]

Either one will work. But Revoke would be more appropriate. A Revoke in the Node Permissions will override the inherited Allow.

Isn't the Allow explicit though as it is set in the user group?

Or does it become inherited as it relates to a node?

I'm still at the "struggling to fully understand the node permissions" stage

 

[Jake Bunce]

Node permissions are all inherited by default. You can explicitly set permissions for Nodes. Otherwise they will inherit from the group permissions.

 

[Peggy]

Isn't the Allow explicit though as it is set in the user group?

Or does it become inherited as it relates to a node?

I'm still at the "struggling to fully understand the node permissions" stage

You're not alone.

 

[Paul B]

Node permissions are all inherited by default. You can explicitly set permissions for Nodes. Otherwise they will inherit from the group permissions.

Gotcha!
I suspected as much so thanks for confirming.

I suspect it's going to take me some time to set up all the various user groups and node permissions so I'd better get started...

 

[Paul B]

For banned users, you need to have "General Permissions: View" set to Default to enable the ban message to be shown, otherwise just an error message is displayed.

For registered member only nodes, don't forget to revoke the view permissions for guests/unregistered.

Personally I have my Moderating and Administrative groups set to the same defaults as Registered Users. That way I can assign permissions per user.
It just depends how you want to set things up; whether all moderators have the same basic permissions and then revoke them per node (or globally) or give them no permissions and then add them per node (or globally).
With my system I know that my moderators won't have any permissions unless I explicitly grant them.

Regarding Private Nodes, if you set the Category (or node) as private then all child nodes under it also become private.

 

[Floris]

Jake, if this works on b3, perhaps get a mod to change the title? It kinda implies it's only valid for b1?

 

[Jake Bunce]

Jake, if this works on b3, perhaps get a mod to change the title? It kinda implies it's only valid for b1?

Good idea.

Can a mod change the title for me?

 

[Paul B]

Can a mod change the title for me?

Done
Let me know if you wanted something else Jake.

 

[Member 3639]

Is there a way to have people able to make new threads but they go in a mod que - but only for specific forums like a news forum for example?

 

[Paul B]

The message moderation permission can only currently be applied to a user group, not a node.

 

[HoddzDJ]

I can't get my head around these permissions, still!! I have an announcements forum in the main category. Everything is on inherit, but I want it so only Admins and Mods can post a new thread, but everyone can post replies etc as normal.

So I set the DENY permission on 'Post New Thread' for Registered and Unregistered / Unconfirmed group, and then go into the Admin and Mod user groups and put ALLOW for Post New Thread. Yet, I am logged in as the main user (account number 1) and I can't post a new topic!! Any ideas?!

 

[Paul B]

A Deny overrides every other permission so should be used sparingly.

Use Default which is the same as no.
Then Allow to override the Default.

Or alternatively, use Allow and then Revoke to remove it.

I have nodes with the same permissions on my forum so the normal Registered user group has "Post New Thread" set to Allow.


Then on that specific node, in the node permissions I have set "Post New Thread" to Revoke.

 

[HoddzDJ]

So I don't deny, I just revoke them for the Registered / Unconfirmed / Unregistered groups and then Inherit for the Admins and Mods?

 

[Paul B]

So I don't deny, I just revoke them for the Registered / Unconfirmed / Unregistered groups and then Inherit for the Admins and Mods?

When setting node permissions, you only need to do it for those groups/users for which the permissions differ from their normal permissions.

So if Admins and Mods can normally post then there is no need to set any node permissions for those groups.
Just set the Registered users to Revoke.

Presumably the Unconfirmed / Unregistered group already has "Post new thread" set to default so the inherit on that will be the same and hence no need to set the node permissions.

 

[HoddzDJ]

When setting node permissions, you only need to do it for those groups/users for which the permissions differ from their normal permissions.

So if Admins and Mods can normally post then there is no need to set any node permissions for those groups.
Just set the Registered users to Revoke.

Gotcya!! Finally managed to get my head around it now then!! At least I understood it before the final, stable release =]!!

 

[Paul B]

Gotcya!! Finally managed to get my head around it now then!! At least I understood it before the final, stable release =]!!

Once it clicks it all becomes clear.
It really is a brilliantly simple system.

 

[HoddzDJ]

Yeah, I think what threw me was seeing terms like 'node' and everything else, when being used to other terms etc. But like you say, once you've got it then the penny drops and you feel like a lemon!!