ALERT!
Click here to register with a few steps and explore all our cool stuff we have to offer!
Home
Upgrade
Credits
Help
Search
Awards
Achievements
 8649

Understanding Permissions

by Bi0S - 05-04-2017 - 03:01 AM
#1
Types of Permissions

Not Set (No)
Not explicitly set. Effectively a No if there is no Allow in other applicable permission sets. In the Node Permissions this is Inherit which means that permission is inherited from the higher level User Group Permissions and User Permissions.

Allow
This is like a Yes. The permission is granted.

Revoke
This is only used in the Node Permissions. A Revoke can be overridden by an explicit Allow but not an inherited Allow. Revoke is designed to reduce a user's Node Permissions in the absence of an explicit Allow. More on this later.

Never
This is an overriding No. The user won't have this permission even if there is an Allow elsewhere.


Permission Sets

There are different permission sets which come together to determine a user's overall permissions. These are the levels of permissions:

Admin CP -> Users

> User Group Permissions
> User Permissions
> Node Permissions


The User Group Permissions define the base permissions. Then the User Permissions are an optional set of permissions that can be defined for individual users. These two sets merge together to form the base permissions for a user.

Then you have the Node Permissions. These permissions are inherited from the previous two sets. In addition, node permissions of a parent node are inherited by child nodes. You can set node permissions per group and per user, and these two sets of permissions merge together to determine a user's final permissions per node.


Permission Math

Here is some permission math for the combinations that might not be obvious:

Not Set (No) + Not Set (No) = Overall No

Not Set (No) + Allow = Overall Yes

Not Set (No) + Never = Overall No

Inherited Allow + Revoke = Overall No

Allow + Revoke = Overall Yes

Allow + Never = Overall No

Pay special attention to the Revoke ones:

Inherited Allow + Revoke = Overall No

Allow + Revoke = Overall Yes

Only an explicit Allow (as opposed to an inherited Allow) can override a Revoke. A Revoke is designed to trump inherited access and reduce a user's permissions unless you explicitly Allow (no inheritance) that permission elsewhere in the Node Permissions (e.g. for one of the user's other groups).


Use Cases

Here are some notable use cases. I may add more later.

Creating a private forum

Because of the way Revoke works in xenForo you shouldn't use it to restrict a private forum. Instead you should use a special feature in xenForo called Private node. You will see the Private node checkbox when editing the permissions for a specific node. This basically inverts the permissions so that you can specify Allowed groups instead of Revoked groups. This is actually better for group management if you add more groups later.

Admin CP -> Users -> Node Permissions -> [click Permissions for a forum] -> Private node
Reply
#2
thanks for this very useful guide
Reply
#3
Thank you I was having trouble
Reply

Users browsing: 1 Guest(s)