Permissions review / overview

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Scam Warning
NeedToKnow
Registered User
Posts: 38
Joined: Fri Jul 26, 2019 7:05 am

Permissions review / overview

Post by NeedToKnow » Wed Aug 14, 2019 4:34 am

I've read all of the following at least once, some more than once.

Quick Start Guide Administration Guide Knowledge base

I'd like to confirm I'm understanding permissions correctly so I have this down pat in order to head off any issues that might arise.

Ideally, there are four steps.

1. Create / Define / Establish roles

Precedence = never > yes > no

2. Assign groups to roles

This provides default permission

3. Assign users to groups

This ties users to a group's role.

4. Assign/remove groups to/from forums

This defines who can or cannot see a forum and what they can do there, with the caveat that precedence wins out in the case of members belonging to multiple groups.

Moderators are just a group with an additional layer of permissions that operate similarly to above that are then granted to trusted members.

So the question is: is my understanding correct? If yes, then it would be very rare that anybody would need individual permissions tailored to their circumstance.

Two more questions. Is there an easy way to check whether or not anybody has individual permissions anywhere on the forum? And if it is discovered they do, how can a user's permission be reset to a default level? For example, reset them to 'Registered users' under the 'Standard features' role.

Thanks in advance for your time and insights.
Last edited by NeedToKnow on Wed Aug 14, 2019 8:35 am, edited 1 time in total.

User avatar
Lumpy Burgertushie
Registered User
Posts: 66566
Joined: Mon May 02, 2005 3:11 am
Contact:

Re: Permissions review / overview

Post by Lumpy Burgertushie » Wed Aug 14, 2019 4:45 am

unless you or another admin purposefully sets user permissions for a user they should never change.

It is not suggested to use user permissions since it can cause the types of problems you mention.

just stick to group and forum and group forum permissions and you will be fine.

if you want someone to have a different set of permissions, create a group, give that group those permissions or remove those permissions etc. and put the members you wish, in that group and poof, they have or don't have that set of permissions.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

User avatar
warmweer
Registered User
Posts: 2657
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Permissions review / overview

Post by warmweer » Wed Aug 14, 2019 7:04 am

NeedToKnow wrote:
Wed Aug 14, 2019 4:34 am
I've read all of the following at least once, some more than once.
That must have been quite a read.
Have you started on the 3.2 documents yet? :P
NeedToKnow wrote:
Wed Aug 14, 2019 4:34 am

Ideally, there are four steps.

1. Create / Define / Establish roles

Precedence = never > yes < no
I think you do understand the system but using > and < here can cause confusion because a YES has precedence over a NO and one would thus expect to see yes > no.
Exceptions: A YES for a Global Moderator overrides a NEVER, and (I think) founder permissions (basically all YES) override any restricting group permissions.
NeedToKnow wrote:
Wed Aug 14, 2019 4:34 am
So the question is: is my understanding correct? If yes, then it would be very rare that anybody would need individual permissions tailored to their circumstance.
There are situations where individual permissions are useful: for quick and dirty testing, giving a user temporary extra permissions, or removing single permissions (with a NEVER for a user), etc...
I wouldn't call it rare, just not that common.
NeedToKnow wrote:
Wed Aug 14, 2019 4:34 am
Two more questions. Is there an easy way to check whether or not anybody has individual permissions anywhere on the forum? And if it is discovered they do, how can a user's permission be reset to a default level? For example, reset them to 'Registered users' under the 'Standard features' role.
Usually I try to leave the default roles and groups' permissions unaltered, creating a new role and a new group when I need a new permissiontotal.
Restoring a user's permission to the initial state is then just a matter of removing that user from the non-original groups.
My board's not broken, it just went peculiar

User avatar
canonknipser
Registered User
Posts: 2063
Joined: Thu Sep 08, 2011 4:16 am
Location: Germany
Name: Frank Jakobs
Contact:

Re: Permissions review / overview

Post by canonknipser » Wed Aug 14, 2019 7:21 am

warmweer wrote:
Wed Aug 14, 2019 7:04 am
Exceptions: A YES for a Global Moderator overrides a NEVER,
(AFAIK) A NEVER is NEVER overridden, so if a member of the global moderators group has a NEVER permission, this will count
Eg. you can exclude your moderators from entering a private administrators forum on your board by giving a NEVER to the global moderators group (be sure, your administrators are not in the global moderators group in that case) or, as I did, remove the permission to permanently delete a post, so even global moderators can only soft delete posts.

"Global Moderator" is just a group in phpBB, which is part of the basic installation to make life easier for board owners.
warmweer wrote:
Wed Aug 14, 2019 7:04 am
founder permissions (basically all YES) override any restricting group permissions.
AFAIK It's only true for administrative permissions, not for user, forum and moderator permissions. And it may be not true for permission checks in extensions if the extension author does not explicitly check for founder status, but only for a administrative permission.
Greetings, Frank
phpbb.de support team member
English is not my native language - no support via PM or mail
New arrival - Extensions and scripts for phpBB

User avatar
warmweer
Registered User
Posts: 2657
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Permissions review / overview

Post by warmweer » Wed Aug 14, 2019 7:56 am

Yeah, I was too hasty and thus unclear and because of that even incorrect (what I wrote).

What I meant is that If a Global Moderator has a YES for a (in global moderator setting) action, but a NEVER for that same action through a group or individual permission, then the (Global Moderator) YES will override the (individual or group) Never.

Found the official info https://www.phpbb.com/support/docs/en/3 ... ions_mask/

Note

In this example you see how a Global Moderation Yes overrides a Forum Moderation Never. This is one exception to the rule about Nevers overriding Yeses. The other exception is Founders. If a user is marked as a Founder on their User Administration Overview page, they will be granted All of the Global Administrator permissions, overriding any No or Never settings given to that user or his user groups.
My board's not broken, it just went peculiar

NeedToKnow
Registered User
Posts: 38
Joined: Fri Jul 26, 2019 7:05 am

Re: Permissions review / overview

Post by NeedToKnow » Wed Aug 14, 2019 8:56 am

warmweer wrote:
Wed Aug 14, 2019 7:04 am
Have you started on the 3.2 documents yet?
That would be right. I wondered why some docs were more text based while others looked like my setup. Well, things like this are why I ask questions. Thanks for the heads up.


warmweer wrote:
Wed Aug 14, 2019 7:04 am
... using > and < here can cause confusion...
Good catch. I've corrected it above to avoid said confusion. Although given what follows, maybe we should write it like...

Precedence = never >~< yes > no


warmweer wrote:
Wed Aug 14, 2019 7:04 am
Usually I try to leave the default roles and groups' permissions unaltered
As will I. I recognize the value of what you're saying, but as you can see from my typos and misreading of 3.0 for 3.2 you might understand how accidents can happen. I don't mind running an SQL query to pick up anomolies but I wouldn't mind knowing what I'm supposed to be looking for. I just haven't gotten that far along using 3.2 yet.


warmweer wrote:
Wed Aug 14, 2019 7:56 am
canonknipser wrote:
Wed Aug 14, 2019 7:21 am
warmweer wrote:
Wed Aug 14, 2019 7:04 am
Exceptions: A YES for a Global Moderator overrides a NEVER,
(AFAIK) A NEVER is NEVER overridden, so if a member of the global moderators group has a NEVER permission, this will count
Yeah, I was too hasty and thus unclear and because of that even incorrect (what I wrote). What I meant is...
Perfect! These are just the sorts of things I need2know. Thank you very muchly.

User avatar
warmweer
Registered User
Posts: 2657
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Permissions review / overview

Post by warmweer » Wed Aug 14, 2019 9:23 am

NeedToKnow wrote:
Wed Aug 14, 2019 8:56 am
Perfect! These are just the sorts of things I need2know. Thank you very muchly.
Perhaps already superfluous but I'll mention it anyway.
When setting permissions for various groups (and forums) the best way to get an oversight is to use the permission mask for a username. That will show the permission settings (for an action) for a username (in the selected forum) and shows how the resulting total permission is achieved.
If you get into a situation where a user can do something (or not do something) contrary to expectation, use the permission mask and behold: the lights will be turned on ;) .
My board's not broken, it just went peculiar

User avatar
KevC
Support Team Member
Support Team Member
Posts: 69295
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Permissions review / overview

Post by KevC » Wed Aug 14, 2019 9:32 am

Also, keep it simple. It's very easy to get lost in permissions. Only set them for groups, it's much easier to keep track of things that way. If they're in that group, that's what they can do.

Set your basic access permissions for the registered users group. Everyone is in that group.

If you want someone to be an admin, put them in the admin group. If you want them to mod, put them in the global mods group. That's about it unless you want to make things more complicated.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

NeedToKnow
Registered User
Posts: 38
Joined: Fri Jul 26, 2019 7:05 am

Re: Permissions review / overview

Post by NeedToKnow » Wed Aug 14, 2019 10:51 am

warmweer,

Actually, I used the mask to test out a recent situation. I had set the forum to allow registered members to use the email feature but the email link didn't show up in user profiles. The mask said it should have been fine, but still no link. It took a while but eventually I realized the target user(s) had contact-by-email turned off in preferences. So, I suppose, in a way, there is yet another layer of permissions to take into account.


Kev,

It's taken me a while to grasp the whole permission concept. It seems more complex than it actually is. But at this stage of things, I'm liking what I'm seeing. It's a decent system that should serve well. And to be sure, I'm not afraid of rocket science if I happen to be launching rockets, but when it comes to managing the forum I agree simple is easier and more often than not it's more effective.

Thanks again.

User avatar
warmweer
Registered User
Posts: 2657
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Permissions review / overview

Post by warmweer » Wed Aug 14, 2019 11:09 am

NeedToKnow wrote:
Wed Aug 14, 2019 10:51 am
Actually, I used the mask to test out a recent situation. I had set the forum to allow registered members to use the email feature but the email link didn't show up in user profiles. The mask said it should have been fine, but still no link. It took a while but eventually I realized the target user(s) had contact-by-email turned off in preferences. So, I suppose, in a way, there is yet another layer of permissions to take into account.
The mask probably shows that the user has the permission to use the email feature. But since he chose to not allow other users to mail him, his emailaddress won't be visible. You as admin however should be able to see his emailadress in his registration settings (but probably not in his profile).
My board's not broken, it just went peculiar

NeedToKnow
Registered User
Posts: 38
Joined: Fri Jul 26, 2019 7:05 am

Re: Permissions review / overview

Post by NeedToKnow » Wed Aug 14, 2019 2:20 pm

Yes, as admin, I can see and use email for all members. And from the profile too. Interestingly, and quite correctly, if a group is disallowed private messages then the PM link does not display in the profile. Doesn't matter if I'm admin. No point sending a message if they are not allowed to read or respond.

User avatar
warmweer
Registered User
Posts: 2657
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Belt ... well actually Belgium

Re: Permissions review / overview

Post by warmweer » Wed Aug 14, 2019 4:49 pm

NeedToKnow wrote:
Wed Aug 14, 2019 2:20 pm
Yes, as admin, I can see and use email for all members. And from the profile too. Interestingly, and quite correctly, if a group is disallowed private messages then the PM link does not display in the profile. Doesn't matter if I'm admin. No point sending a message if they are not allowed to read or respond.
Actually as admin you can always send a PM to any user, even if that user has chosen not to allow PMs. The admin is after all The Boss!!
What I can´t remember now is whether there is a permission regarding "can use the PM system". If there is then perhaps even reading a PM sent by the admin would be impossible (but I doubt it).
My board's not broken, it just went peculiar

NeedToKnow
Registered User
Posts: 38
Joined: Fri Jul 26, 2019 7:05 am

Re: Permissions review / overview

Post by NeedToKnow » Thu Aug 15, 2019 2:10 am

warmweer wrote:
Wed Aug 14, 2019 4:49 pm
What I can´t remember now is whether there is a permission regarding "can use the PM system". If there is then perhaps even reading a PM sent by the admin would be impossible.
ACP > Permissions > User Roles > Pick-a-role > Settings > Private messages > The two very last lines

-- Can read private messages
-- Can send private messages

If they are set to 'no' or 'never', even an admin can't send a PM. Email, yes; but not a PM.


It's a very sophisticated, and complex, system with a lot of moving parts. But I think I understand the rationale behind most of it, at least I hope I do, and it seems sound reasoning.

I think my wish list would include the ability to 'unassign' a role from a user, group, or forum. If a role is assigned unintentionally or experimentally, I can find no way to remove it. Change it, yes; remove it entirely, no.

A second wish might be to develop more intuitive navigation; something to remove confusion, and even conflict. For example, if groups are assigned user roles, do we really need forum roles too. Isn't access to a forum permission enough on that level?

User avatar
KevC
Support Team Member
Support Team Member
Posts: 69295
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Permissions review / overview

Post by KevC » Thu Aug 15, 2019 7:54 am

NeedToKnow wrote:
Thu Aug 15, 2019 2:10 am
I think my wish list would include the ability to 'unassign' a role from a user, group, or forum. If a role is assigned unintentionally or experimentally, I can find no way to remove it. Change it, yes; remove it entirely, no.
A permission of no or never is still a permission though. You can't have 'no' permissions for anything.
NeedToKnow wrote:
Thu Aug 15, 2019 2:10 am
A second wish might be to develop more intuitive navigation; something to remove confusion, and even conflict. For example, if groups are assigned user roles, do we really need forum roles too. Isn't access to a forum permission enough on that level?
The developers probably can't win on that one. phpBB2 used to have super simple permissions. You could see things or you couldn't (essentially). Then a lot of people complained that it wasn't adjustable enough so in phpBB3 they made it a lot more granular so you could do pretty much anything for any person or group. Some say now it's too complicated.... and they might be right, but finding the middle ground is difficult. I tend to think of it now as being as easy or complicated as you want to make it. I keep it super simple and set everything on groups so if someone is in a group, that's what they can do. The end.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

User avatar
Brf
Support Team Member
Support Team Member
Posts: 51826
Joined: Tue May 10, 2005 7:47 pm
Location: {postrow.POSTER_FROM}
Contact:

Re: Permissions review / overview

Post by Brf » Thu Aug 15, 2019 4:52 pm

warmweer wrote:
Wed Aug 14, 2019 7:56 am
Global Moderation Yes overrides a Forum Moderation Never. This is one exception to the rule about Nevers overriding Yeses. The other exception is Founders. If a user is marked as a Founder on their User Administration Overview page, they will be granted All of the Global Administrator permissions, overriding any No or Never settings given to that user or his user groups.[/b]
These two are correct.

One other type is "Can download" and "Can Upload".
A user needs "Yes" permissions in both Global User permissions and Forum permissions, so essentially a "No" in either overrides the "Yes" in the other.
NeedToKnow wrote:
Thu Aug 15, 2019 2:10 am
I think my wish list would include the ability to 'unassign' a role from a user, group, or forum. If a role is assigned unintentionally or experimentally, I can find no way to remove it. Change it, yes; remove it entirely, no.
You either assign a different role to that user or group, or go into Advanced and set separate permissions. You can also assign "All No", which "resets" that permission set to "default", which is the same as "Not Set"

Post Reply

Return to “phpBB Discussion”