Note that users need...

  • the administer forums permission AND View to be able to administer forums (and change access!).

The administer forums permission used to be all-powerful, i.e. a user with that permission automatically had access to all forum content and was able to assign himself all grants in all forums. I found this unsatisfactory because I want to allow an assistant webmaster to administer forums in general, with the exception of some very private forums that he wasn't supposed to have access to.

Let's discuss this...

Comments

naheemsays’s picture

Personally I would like to not be able to see the contents in some forums but be able to change their moderators, access settings etc (for instance add myself to the view list if need be), so I think the person with administer forums permission shouldbe able to change such settings.

Frank Steiner’s picture

This will a big problem for upgrading when you used roles with "administer forums" which you didn't pass the view permissions (we actually set every permission to "off" automaticallty so that everything must be granted explicitely, important for us to avoid accidentally publishing research results to wrong research groups). So after upgrading no one but the drupal admin can do anything anymore because all the administer forum roles don't have view.

I also think that mixing the role permissions and forum permissions isn't that nice. I guess it would be better to have a "administer" field, i.e.
[ ] view
[ ] see
[ ] administer

And if "administer" is checked, the role can administer the forum, regardless of the drupal role permission "administer forums". Who gets this global permission should be able to adminster everything as before. This solution would be a conservative extension without removing possibilites that one hae before.

However, I don't know how much work this would mean to add another grant...

salvis’s picture

@nbz: The ability to hide the content of some forums from yourself may be a convenience, but it doesn't provide any access control, because if you can moderate a forum, you can take back all the grants whenever you want. The old FA did not let you to selectively allow administering some forums and not others. Anyone with the administer forums permission automatically had full access to all forums. This was an essential missing piece to control access to forum content, and I value it much higher than a convenience feature.

@Frank Steiner: It doesn't need to be the same role that has the 'administer forums' permission and the View grant, at least it's not supposed to be that way. Why would you want someone to administer a forum that they can't view? Or, from the other side, wouldn't you expect those who administer a forum to at least occasionally look inside? So why not explicitly give them access and preserve the ability to NOT give them access?

Wouldn't it be nice to let each research group administer their own forums? but ONLY their own forums?

[...] all the administer forum roles don't have view.

You give them the key, but they're not supposed to open the door and look inside? That's a very very weak strategy... Try to explain that to the members of a very private forum who think they're among themselves only...

Giving someone the ability to administer a forum that they can't view is a paradox. The fact that FA used to allow this was not a feature but rather a bug (well, a not-yet-implemented essential restriction).

I'd prefer not to add an additional grant type to avoid increasing FA's complexity, and I don't see how it would be easier for you to assign Administer grants where needed instead of View grants. Combining administer forums and View naturally results in reasonable access control to the administer page of each forum, without needing an additional grant type.

salvis’s picture

I see an alternative to combining administer forums and View: combining administer forums and Edit. In fact that was my first attempt: hide the FA controls unless the user has the Edit grant, and keep everything else the same as it was before.

But actually, following the Drupal way, I'd like to be able to remove inaccessible forums from sight. However, I'm afraid that hiding some forums might cause problems with the drag&drop reordering of the forums on the admin/content/forum page. So, at least the forum titles need to remain visible on that page.

In the end a straight-forward strategy seems the simplest: allow access to those who can view, and don't allow access to those who can't view (with the compromise mentioned above).

naheemsays’s picture

hm.. I am seeing something weird on my install which may be linked.

I have a couple of roles:

1. Admin role
2. Core cabal.

Since the upgrade to beta 3 - the admin role is unclickable and seems unclicked. the core cabal is clicked but is also not unclickable.

Finally, for the forum that I did not want to see, the core cabal has all boxes ticked in there, but that is not enough to see it - I also have a separate role which only allows its members to see and post in it and the people with that permission can see it.

Am I missing some piece of the picture? why is the admin role permanently unticked? why is the core cabal permanently ticked and still having no affect on viewing of the forum? Is that how its supposed to be?

salvis’s picture

@nbz: Try hovering your mouse over the role. That should give you an explanation.

Tell us what it says and whether it makes sense. Maybe the conditions are too broad...

Finally, for the forum that I did not want to see, the core cabal has all boxes ticked in there, but that is not enough to see it - I also have a separate role which only allows its members to see and post in it and the people with that permission can see it.

I don't quite understand what you're saying here.

The general idea is that a role with the administer nodes permission can see and do everything anyway, so it does not make sense to try to take away any grants from that role.

(Likewise, roles that don't have access content are permanently OFF.)

Frank Steiner’s picture

The point is that in the past I didn't have to give them the "view" permission so I didn't and no one did who created a new forum. Now for upgrading I have to go through all forums and set the permission explicitely, that's what I meant about the upgrading problem.

The other thing is that we do have certain roles who are allowed to control everything in forums. Now when someone adds a forum he must think of giving the view permission to all those other roles, because initially all view permissions are off for every role to be sure that none content is ever provided accidentally.

> Why would you want someone to administer a forum that they can't view?

My view is just the other way around: Why do I need to give "view" permissions explicitely if I allowed this role to administer everything? :-)

> The general idea is that a role with the administer nodes permission can see and do everything
> anyway, so it does not make sense to try to take away any grants from that role.

I see the "administer forums" permissions the same way. This role should be able to do everything with *forum* nodes, and we shouldn't take away grants for forums from this role. Since one doesn't expect this with the "administer node" permission one wouldn't expect it with the "administer forums" permission either (at least not me :-))

So I vote for a strict separation of "global" and "local" permissions: If you want a role to administer some forums, tick a "administer" permissions for these forums. But if someone has the global "administer forums" permissions, set the "administer" checkbox for every forum and grey it out, i.e. it can't be removed.
Thus, "global" permissions provide permissions for all forums. Without a global permissions, you need local per-forum permissions. I think that's more intuitive than "view means administer, if you have the global administer permission."

salvis’s picture

I understand your reasoning, but it would be the exception to the rule, not the other way around, as you present it.

Take access content: you need access content AND View to see nodes. Without View, nothing goes.

Take create forum topics: you need create forum topics AND View AND Post to be able to post.

Now when someone adds a forum he must think of giving the view permission to all those other roles, because initially all view permissions are off for every role to be sure that none content is ever provided accidentally.

If your main goal is to never provide content accidentally, then you should be in favor of not providing content to anyone who hasn't View access! Requiring to "think of giving the view permission to all those" who are allowed to have it is exactly what you want!

The problem is administer nodes — this is an all-powerful permission that's used by all sorts of modules to provide access to all nodes. It's just not realistic to try to override that. administer forums OTOH is not such a beast, it can be domesticated.

Oh, BTW, adding View to your administer forums roles in all existing forums is just a simple SQL statement and a permissions rebuild, if that's really your intention.

Frank Steiner’s picture

Ok, so within your module the logic is fine, it's just that I set "administer nodes" and "administer forums" to the same level of "overall permissions". But it's ok with me, I will get to handle it the way you do it :-)

salvis’s picture

Thanks! :-)

Just to provide some additional perspective, the following lines are from the core node_access() function:

  if (user_access('administer nodes', $account)) {
    return TRUE;
  }

  if (!user_access('access content', $account)) {
    return FALSE;
  }

After this, node_access() asks the module that defined the content type, and only if that module neither denies nor grants access does node_access() turn to the {node_access} table. Without any "node access" module there's a universal View grant in place. Install any "node access" module, and that universal View grant disappears and it takes a specific View grant to have access to a node.

This is from forum.module:

function forum_access($op, $node, $account) {
  switch ($op) {
    case 'create':
      return user_access('create forum topics', $account) ? TRUE : NULL;
    case 'update':
      return user_access('edit any forum topic', $account) || (user_access('edit own forum topics', $account) && ($account->uid == $node->uid)) ? TRUE : NULL;
    case 'delete':
      return user_access('delete any forum topic', $account) || (user_access('delete own forum topics', $account) && ($account->uid == $node->uid)) ? TRUE : NULL;
  }
}

There's no grant_create column in the {node_access} table, and node_access() will turn the 'create' NULL into a FALSE. That's why create forum topics is needed, and we can only restrict it by taking away forums, where the user doesn't have the Post grant.

With update/delete, if forum_access() returns TRUE, the user can do it. If it returns NULL, the {node_access} table is consulted, i.e. if the user has an Edit/Delete grant, he can do it.

IOW, View and Post are ANDed, Edit and Delete are ORed with their respective permissions, but they all require access content and View. All this is defined by the core "node access" mechanism, not by Forum Access.

Subjecting administer forums to View as well is consistent with the existing pattern. Not doing this in D5 was not a feature but a weakness.

salvis’s picture

Status: Active » Fixed

@nbz: Please reopen if your #5 is still pending...

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.