New permission "access forum listing"

I'm worried that this patch might cause confusion, and that it is somewhat misleading. People will expect their forum topics to be protected too. At the same time, I recognize that we need a permission like this. Maybe we should call it 'access forum listing' instead? It might be slightly better, yet far from optimal.

I personally would be more in favour of getting a full-fledged CRUD access system for forums ala forum access module, or else a consistent set of 'access FOO node type' permissions in core, since we already have CUD for those. :)

I posted this in WebChix critical features section, however, it seems relevant here as well.

I think that much finer grain permissions are very important.

Viewing:
Allow a user to see a list of forum groups.
Allow a user to see a list of forums within a group.
Allow a user to see the topic headings in a forum.
Allow a user to see a particular thread (this is optional but would be nice).
Allow access to specific items within a post or thread (e.g. poster user name, poster IP address, poster IP address country,
poster's online/offline status).

Posting/Reporting:
Allow a user to post a new topic.
Allow a user to post a reply to an existing topic.
Allow a user to include a picture in a post.
Allow a user to append a file to a post (may be the same as above).
Allow a user to include a link in post.
Allow a user to edit the topic in a post of his own.
Allow a user to edit his own post.
Allow a user to report a post.

Moderated posting:
All of the above options, but require that they be moderated before finally appearing.

Moderator/Administrator:
Allow a moderator to create a new forum group.
Allow a moderator to create a new forum.
Allow a moderator to create a new sub-forum.
Allow a moderator to merge threads.
Allow a moderator to move or delete threads.
Allow a moderator to edit/delete specific posts.
Allow a moderator to edit thread topics.
Allow a moderator to approve a submitted post.
Allow a moderator to approve an edited post.
Allow a moderator to approve a topic change.

Here is an example.

Forums:

Administration:
Hardware:
Network:
Software:
Security:

Home Theatre:
News:
Expert Help:
HD Projectors:
LCD:
DLP:
Topic: My new DLP projector rocks!
Member Deals:

Adult:
Reviews:
Discussions:

So for example:

Only system administrators can see a list of the Administration forum group.
All system administrators can view posts in Hardware, Software and Network Forums.
Hardware administrators can post in their own forum.
Only security administrators can view posts in their forum.

Only users over 18 can even see that the Adult forum group exists.
Only registered users that have specifically requested it, may be able to see posts in either the Adult: Reviews or Discussion forums.

Only moderators may post in Home Theatre: News:
Any one may create a topic in Home Theatre: Expert support: but only those in the expert group can post replies.

Anonymous users may read posts in the all Home Theatre forums except Home Theatre: Member Deals: where they can see topics only (none of the actual posts).

The others are, I hope self explanatory. :-)

/carmi

This still applies (with fuzz). However since this permission is empty by default, so when upgrading existing sites it could leave to some unexpected behaviour. Could do with an upgrade path to enable the permission by default.

Also I noticed if you remove "access content" from anonymous users, but leave "access forum listing" enabled- they can see the forum listing anyway - almost the reverse of what this patch was designed to prevent. Currently removing "access content" blocks the forum listing - so I think any upgrade path should ideally enable the forum listing only for roles which already have "access content", or there should be some kind of dependency between the two permissions.

This seems like a sensible usability fix, so maybe could be snuck into D6 if the upgrade path isn't too hard (although it's beyond me).

I think most people expect this kind of functionality to be available automatically when they install a forum. This would increase the "Drupal core satisfaction rate".

+1

OK this patch re-rolls against head, and adds "view forum listing" as a default permission in system.install to keep current behaviour for anonymous and authenticated users without any extra configuration.

Leaving as CNW for an upgrade path, I'm hoping to have this a bit later on today.

ack here's one with unix line endings.

OK got to this quicker than I thought. Untested as yet, but could do with reviews on the system update which is the only bit likely to be controversial I think.

What this should mean is that for both new and upgraded drupal installs, there's absolutely no change from current behaviour, but admins can then change the permission if they want to. This will save lots of "where's my forum gone" support requests I think.

The cloned code for system_update_6035() still uses $renamed_permission variable name, which is not the case, and should be changed to something more fitting IMO. Perhaps $updated_permission or the like?

I have to agree with Dries that this will cause confusion. What most people want (i think) is private forums, and this doesn't do that. Anons will get these nodes in search results and so on.

In Drupal6, it is trivially easy to use hook_menu_alter() to change the access callback for these pages. I suggest that a Contrib module do that, and leave this out of core.

JirkaRybka, good point. Given Moshe's comments I'll leave this for discussion rather than re-roll though. If consensus is to not have this in, then we should put "forum access in core" as the title and set to active for D7 imo.

Two months later what catch proposed is all we can do: bump it to D7...

unassigning myself - we should see how node_access runs in D7 and work on forum_access (either the module itself or at least the concept) in core instead.

Hello,
i see that i've duplicated this here ( http://drupal.org/node/298510 ). Please consider this:

--- modules/node/node.module.old 2008-08-22 13:35:47.000000000 +0200
+++ modules/node/node.module 2008-08-22 13:36:51.000000000 +0200
@@ -2754,6 +2754,10 @@ function node_access($op, $node = NULL)
return FALSE;
}

+ if ($op == 'view' && $node->type == 'forum' && !user_access('access forum listing')) {
+ return FALSE;
+ }
+
if (user_access('administer nodes')) {
return TRUE;
}

Without this, anyone can view forum topics simply by guessing node/xxx number.

@ lordzik : your patch in #298510: Forum access privilege no longer applies.

Cleaning up the issue queue.

I agree with Moshe and Dries, et al. This new permission only makes sense if bundled with actual forum access controls, and that won't happen in D7.

Bumping to 8.x.

Just curious if there are any further plans for forum access controls in Drupal 8?

I am building an R&D site for the Snowman initiative and my site needs forums to be private, but I can't do this in core, so subscribing :)

tagging

This looks like it duplicates #878530: Permission for Forum access, assign access based on role.

I've submitted a patch for the latter issue.

#27: 8-132211--form-listing-permission.diff queued for re-testing.

Forum is approved for removal. See #1898812: [policy] Deprecate forum module for removal in Drupal 11

This is now Postponed. The status is set according to two policies. The Remove a core extension and move it to a contributed project and the Extensions approved for removal policies.

It will be moved to the contributed extension once the Drupal 11 branch is open.