Regular Members can delete their messages, even if disabled in permissions

Started by Dwev, March 10, 2018, 03:57:42 PM

Previous topic - Next topic

Dwev

I recently noticed something strange: under the Permissions of the Regular Members the setting is Delete posts is off for both Own post and Any post.

But somehow Regular Members are stil able to delete their own posts, so against the settings in the Permissions.

Am I missing something, is there something that I don't understand, or what else is happening here?

For the rest everything is working as it should, and the forum is up-to-date (version 2.0.15).

Illori

have you enabled permissions for post count groups? if so check the permissions that are granted there.

Dwev

No, there are no post count groups (as far as I know).

The existing groups are the standard ones: Guests, Regular Members, Administrator, Global Moderator and Moderator.

Illori

post count groups always exist, so please check for the permissions on them.

a10

2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Illori

need to enable reports under core features first, dont forget to click the save button.

Aleksi "Lex" Kilpinen

Just go to the user's profile, then navigate to Profile Info -> Show permissions.

You can see all the user's permissions and access there, on a more individual level than any of the built in reports provide.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Dwev

I keep learning more every day about SMF.

Didn't realise that I had Post Count Groups on my forum, now I do (in Members > Membergroups > Edit Membergroups).

And yes, I can change the permissions to those of Regular Members, and the problem is solved.
And thanks Aleksi, that's indeed very handy to look up the Permissions.

One more question though, if I want to give some Post Count Group more Permissions somewhere in the future, where do I do that?

Illori

in the admin panel on the same page you set permissions for the non post count groups given you have enabled permissions for post count groups.

Dwev

@ a10 and Illori: thanks, Board Permissions Reports are now active as well, very handy.

Strangely enough it now works on the desktop (so normal users can't delete their messages anymore), but on mobile it hasn't changed.

Guess it's in the cookie? Though logging out and in again didn't have any effect.

Aleksi "Lex" Kilpinen

Permissions should not be stored like that, but any changes to them should come in effect immediately.
You may try emptying the SMF file cache, but I'd be looking for other explanations myself too.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Dwev

@ Aleksi: I think I found what was happening here: for testing I was going back yo older messages.

It looks like these were written with the older Permissions, so these can still be removed by Regular Members.

But new posts made by Regular Members can't be deleted by them, so all looks good.

Aleksi "Lex" Kilpinen

Even that sounds odd but could prrhaps be explained by caching. In time those should then also respect the new permissions.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

GigaWatt

Had a similar problem (some things applied retroactively, some things didn't), tried various combinations of settings, so I can't be absolutely sure which setting I tried triggered the right behavior (to apply some setting retroactively, currently and in the future, for future members and existing members), but I'm pretty sure this triggered the right behavior. Can't hurt to try ;).

Admin --> Configuration --> Themes and layout --> Member options

On your active theme, click on Change current options for all members using this theme, change some setting (change Don't change to Change and change it), click Save, afterwards, click on Configure guest and new user options for this theme, change the same setting you changed in Change current options for all members using this theme, click Save. Again, click on Change current options for all members using this theme and undo the changes you made before, do the same in Configure guest and new user options for this theme and for the last time, click on Change current options for all members using this theme, change something, click Save, change it back, click Save again.

I think this was what triggered the right behavior for current and future users, as well as current users being able to do something with their previously posted posts that I prohibited from doing.

Try it ;).
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Shambles

Quote from: GigaWatt on March 11, 2018, 09:01:08 AM
Had a similar problem ...

I don't think your 'similar problem' would have been permissions-related.

GigaWatt

Yeah it was. I was trying to add new permissions to moderators for certain boards and the funny thing was that it applied on the default (Curve) theme, but not on the one I was using (I'm using a single theme, members can't choose themes). I think the step I described above, fixed it. As I stated previously, I have no idea which of the bunch of different settings I tried did the trick... I just thought it was this one.

It was kind of weird that the settings applied as expected on Curve but not on my current theme, and I also thought "there is no way this is going to work... but hey, let's dig around and see if something changes this behavior", so I started digging around in the theme settings, changed some things (member settings mostly) and... something just fixed it. Then just changed the settings back to what they were, everything was fine, the moderators had the permissions I assigned them, so I just thought "maybe a some misconfigured setting in the database during the conversion process ???... or some weird theme setting ???"... I just dropped it, had other things to fix.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Illori

your issue was lack of the checkboxes or quick moderation options, this has nothing to do with permissions.

GigaWatt

The quick moderation options were there, the problem was that I assigned new boards to the existing moderators and the changes (the new boards they could moderate) reflected only on Curve, not on my current theme (CleanTek)... even if opened an existing topic in the boards I assigned them, the moderation options weren't present (I'm not talking about the quick moderation buttons) in CleanTek, but were in Curve.
"This is really a generic concept about human thinking - when faced with large tasks we're naturally inclined to try to break them down into a bunch of smaller tasks that together make up the whole."

"A 500 error loosely translates to the webserver saying, "WTF?"..."

Dwev

@ GigaWatt: I'm using a custom theme, so I will definitely try what you've suggested (no time right now) and once done I'll let you know if it took care of the last quirks.

Aleksi "Lex" Kilpinen

Do let us know if you find out anything new, or if the issue clears on it's own.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Advertisement: