The Forum Access Moderator role has broken our site's security policy. When I say broken, I mean *BIG TIME* broken, involving law enforcement, lawyers and lawsuits.

Here's the problem. We have NO delete permissions assigned on our site. Delete is expressly forbidden to all roles except one.

The Forum Access Moderator role now grants delete permissions which override the master permissions set in /admin/user/permissions.

Also, making things significantly worse, all roles with moderators assigned through Forum Access now grant irrevocable delete privileges - they are grayed out and can't be revoked.

Anyone with moderator privileges in Forum Access can completely wreck the site, contrary to the master permissions. This is totally unacceptable. There MUST be a way to control the delete rights within the Forum Access Moderator role.

All we want to do is make a few forums hidden. We don't need (or want) the Forum Access Moderator role at all.

Attachment: Screen shot 2010-08-24 at 5.14.52 AM.png (32.82 KB, uploaded by particle)

Comments

salvis’s picture

Category: bug » support
Priority: Critical » Normal

> Forum Access Moderator role permissions are being automatically granted to other roles

What makes you think that? If you don't assign any moderators ("We don't need (or want) the Forum Access Moderator role at all.") that role is not used. In fact, you can delete it and it should not be recreated until you assign any moderator again. Actually, in your screenshot, I don't see the "Forum Access Moderators" role. Have you renamed it? Or are you referring to something else?

> The Forum Access Moderator role now grants delete permissions which override the master permissions set in /admin/user/permissions.

The Forum Access Moderators role has always provided full access, as it says in the "Permissions information" and "Moderators" fieldsets: "Moderators receive all grants above." Also, granting "Delete" has always overridden the 'delete any forum topics' permission. But again, you don't have to add any user in the "Moderators" fieldset.

> Also, making things significantly worse, all roles with moderators assigned through Forum Access now grant irrevocable delete privileges - they are grayed out and can't be revoked.

I'm confused, or rather you are. There's no such concept as 'roles with moderators assigned'. Please explain, name the role you refer to, and list the permissions that you have assigned to that role. Also, hover your mouse over the role and read the hint that pops up. Please post a screenshot with the pop-up hint.

(Resetting the flags, because so far I don't see anything that is not working as designed.)

particle’s picture

Priority: Normal » Critical

> But again, you don't have to add any user in the "Moderators" fieldset.

Complete nonsense. If there's no user assigned then there is no administration access to a hidden forum (the forum has no direct or "edit forum" link anymore). That's broken too (see http://drupal.org/node/892668 ).

> If you don't assign any moderators ("We don't need (or want) the Forum Access Moderator role at all.") that role is not used. In fact, you can delete it and it should not be recreated until you assign any moderator again.

I deleted it. It automatically recreated itself. And that instantly creates all the problems above. So, tried it. Major fail.

> There's no such concept as 'roles with moderators assigned'.

Seriously? You've never thought of the possibility of users with moderator privileges being assigned to other roles that also administer forums? We have moderator roles that existed long before the Forum Access Moderator role came along. For our purposes, we need to assign moderators to an entire site rather than to have to add them tediously, one by one, to each forum.

So back to the issue. We have a Global Moderator role, which does not have any administer (delete) permissions assigned, only editing and moving content - no deleting. Users in the Global Moderator role are also assigned as moderators via Forum Access to our hidden moderator forums because otherwise they have no moderator access to them to move in content (that OTHER problem). Every time the Forum Access module is enabled, the Global Moderator role gets additional delete privileges assigned, which are grayed out and non-revocable. The Global Moderator role has never been granted ANY delete privileges from the master privileges page and should not have them. Any permissions leak is a security problem. How do we turn the delete privileges from Forum Access off?

Also, there are no hints popping up here.

particle’s picture

Category: support » bug
Priority: Critical » Major

I can't find any hint pop-ups. What theme and where?

salvis’s picture

Category: bug » support
Priority: Major » Normal
Status: Active » Postponed (maintainer needs more info)

I'm sorry, we're not communicating here. It seems that you are too agitated to approach this in a factual way.

Calm down and answer the questions I asked in #1, then we will proceed. Oh, and which of your roles would be the "Forum Access Moderator" role?

And please consider the following items:

a) I might know FA better than you do.

b) FA might not be designed to do exactly what you (and only you) think it ought to do.

c) I'm spending my free time here to try to help you. Time that I could put to more pleasant use otherwise. Either you change your tone completely, or you contact me through my contact form to get payment information and you send me $1000 up front to continue this discussion.

dillix’s picture

Issue summary: View changes
Status: Postponed (maintainer needs more info) » Closed (outdated)