We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Oxwall Permission Bug | Forum

dave Leader
dave Jan 14 '18
I may have reported this before but i cant seem to find it so ill post it again now that i have further details. 


Here is the situation, it involves roles that depend on two different permissions such as moderator.  Oxwall still ties standard (free) permissions to those that have other roles as well. 


So this means that a moderator is still tied to standard permisions.  In my test i discovered the following. 


Standard permissions VRS Mod permission


 both off = mod or standard not auth  -  correct


Here lies the issue:

standard ON and Mod OFF =  mod is still auth because standard is on and they are tied to standard  - here is where oxwall goofed - they didnt set up the process to check this situation - wrong


standard OFF and Mod ON =  mod is still auth because mod is checked which counters the unchecked of standard - correct


Thanks 

Dave :)



dave Leader
dave Jan 14 '18
I came up with a solution...    i have created a new plugin admin config called modbypass, if you set it to on (checked) it will bypass the permission and NOT let them view the DL links unless they are the owner of the content.  So this way admin can decide how to handle it themselves. 


This only applies in the case where standard is checked and permission 2 (example mod) is not checked. Everything else will work fine.  


Sadly this does not distinguish between mod1 and mod2, they will all be treated the same.  


Devs you need to think about creating this process as well because right now your permissions are not working correcty. 

The Forum post is edited by dave Jan 14 '18
Jozko
Jozko Jan 14 '18
Hi Dave,

What do you think about this bug ... see my post

tnx

dave Leader
dave May 22 '19
Now that i have run into this bug again i wanted to repost a reply here to better explain the bug with a picture.   



















Oxwall Germany Club
Oxwall Germany May 22 '19
This is not a bug. The permission system checks if ONE of the checked roles are given to the user. If yes, then the user is able to access the content or take action. If you don't want that free users are able to access the content, then you need to uncheck the field. As result, only users with the assigned role are able to access the content. You can combine user roles and account types by assigning a user role to every account type on profile questions page.
The Forum post is edited by Oxwall Germany May 22 '19
dave Leader
dave May 22 '19
Thanks for the reply OG, i understand what you are saying but im still having a difficult time wrapping my brain around it.  


My thinking of this is when a user is assigned any role at all they are no longer free role.  I do not think of free user as litterally free but just a lower role name. 


So in my mind, if someone is a tester role per say, they are no longer associated with the free role.


Is that the wrong way to look at this?



The Forum post is edited by dave May 22 '19
Patricia Zorrilla Leader
Patricia Zorrilla May 22 '19

It is an error because, for example, if you want to put a simple text widget so that only the free ones with instructions to ascend can see it, those who are no longer free will continue to see it.


It is an error is that a user can have several roles. instead of checkbox it would have to be a radiobutton, and be able to remove them from Free.

dave Leader
dave May 22 '19
I see roles the same as a club, they can only be part of one club not two.  So once you assign them a new role then they should no longer be a part of the old role (free). 


And if you take their permission away in the new role then they no longer have that permision regardless of if their old role (free) is checked.  

The Forum post is edited by dave May 22 '19
Patricia Zorrilla Leader
Patricia Zorrilla May 22 '19
Exact. It does not make any sense or utility for a member to have several roles 
Oxwall Germany Club
Oxwall Germany May 23 '19

Quote from dave 

My thinking of this is when a user is assigned any role at all they are no longer free role.

This is not right. A user always has the default role (on many sites this is the free role). To assign more rights to the user you need to assign another role to him. Then, the user is able to take actions he was not able before.
The Forum post is edited by Oxwall Germany May 23 '19
dave Leader
dave May 23 '19
ok OG much appreciate the reply and info.  It is unfortunate that it is set up that way but it is what it is. 


It just makes it challenging in some cases where you want to remove or add permissions apart from free permissions.  Having free permissions as a base permission makes a big difference in how things work are are developed for. 


I have never tested this before but i wonder what would happen if the free role was deleted so noone had it.  


The Forum post is edited by dave May 23 '19
Patricia Zorrilla Leader
Patricia Zorrilla May 23 '19

Dave, I have made a modification that allows me to remove the role of free, so I can edit it like the others.

It is useful for me to put widgets just for them, with the welcome and the instructions to "ascend", and so I can also with different plugins limit the activity. There are those who enter with much impatience and have to calm them down a little.

It works, there are no problems with any plugin or anything.

What I do not have is any member WITHOUT a role or with several. Everyone his, the one he puts on his label.

Another thing ... the "interfaces" with ArrowChat and CometChat do not work well if a user has several roles, and surely more than one plugin does not manage it well either.

I do not understand Oxwall Germany's explanation, I do not know if it's because of Google translations. Maybe if I explained an example or it tells me how I can put a widget only visible for free.


dave Leader
dave May 23 '19
Pat, OG just confirmed that a member always has free permission rights regardless what other roles they have.  Free is like a base role permission and everything else is on top of that.   So basically the only way to take all permission away from someone is to remove the checkbox from both their current role and also the free role. 


Does that make better sense :)     Its just as the image i posted describes.