No Attachment Dialog on Event-Posting (Calendar)

Started by demlak, June 23, 2018, 06:48:49 AM

Previous topic - Next topic

demlak

Hi,
we have this issue since several years.

If you post a new event by using Menu -> Calendar -> Post Event
(.../index.php?action=calendar;sa=post)

There is no attachment dialog under post-textfield for regular users.

Permissions are checked. Regular users have permission to view, edit and create own Calendar Events.

to reproduce:

1. install a fresh instance of smf 2.0.15.
2. login as administrator and enable calendar
3. give users permission to view, create and edit (own) calendar events
4. logout and register new user account
5. login to new user account and go to calendar -> post event
--> no attachment-dialog.

BUT!
on creating a new regular forumspost (index.php?action=post;board=X.X), there is an attachment dialog. same on editing calender events (index.php?action=post;msg=XXXX;topic=X.X;calendar;eventid=XXXXXXXXXXX), after they are created. and so on. so there is no main-problem with permissions for the user. just on the Event-Posting.

btw: Administrators do have attachment dialog in every circumstance.

so, i just can gues, there is a hardcoded permission problem on the event-post?

thx in advance
demlak


Arantor

This is a design flaw, that I *think* has been fixed in 2.1 but I haven't checked. If I'm right, it's a major change to backport it.

Essentially, posting attachments is a board-level permission but board level permissions are not properly loaded when making a new calendar entry because you're not inside a board. It only loads the bits it needs to. Admins implicitly have every permission everywhere.

Once the post has been created, and it has topic in the URL, board permissions are loaded so it will work as expected.

Aleksi "Lex" Kilpinen

You can work around this though, I think - by just reversing the order of things.
First create the topic, with the attachments and all, and only after that link the topic to the calendar.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

demlak

yeah.. thats a workaround. not realy nice.. but working.
also you can add a calender event and edit it for attachments later.

@Arantor, since attachment-permissions are not boardspecific but a general permission, maybe this permission could be enabled for event-creation?


Arantor

No, they're in board permissions and have been there since the start. I'm happy to provide a screenshot from an unmodified 2.0 to indicate this being the case if you still don't believe me.

demlak

i'm sorry.. i was not using the vocabulary of settings..
yes, you are correct, it is not a general setting but a board setting. BUT. GLOBAL board setting.

so it doesn't matter in what board the user wants to add the calendar event, or does this still matter?


Event options do load the list of boards with permissions to write into.
The user can't post the event into any board he/she don't have permission to post in. so global permissions should take affect, in my opinion.

Arantor

This really is not how SMF works.

The system functions in a very specific way. On any page you go to, it always loads the general permissions. Additionally, if the URL has 'topic=x' or 'board=x' and only one of these two things, it will additionally load the permissions you have inside that board.

Event does not have topic=x in the URL not board=x in the URL. So it will load neither.

What it will do, because it's a place outside of a board that potentially affects into a board, it gets the list of boards where you will have that permission, and this is the list it generates. It does at no point actually load permissions for you, it just asks the permissions database for places you can post a new topic. It doesn't check permissions for attachments because that's a separate permission that hasn't been loaded at that time.

So you end up on the post form, technically outside of a board, with no board level permissions and a special override to even let you get to that point, and no attachment permissions loaded. But admins still have the override that gives them every permission everywhere.

demlak

lol.. users told me, that there is another workaround:

just press onetime post without any filled in text.
redirection to: .../index.php?action=post2;start=0;
you will get an error that the fields are empty. but then, the attachment-dialog is presented.

so, the choosen board is referred to this dialog/site then?

Quote from: Arantor on June 23, 2018, 08:00:05 AM
It does at no point actually load permissions for you, it just asks the permissions database for places you can post a new topic. It doesn't check permissions for attachments because that's a separate permission that hasn't been loaded at that time.
obviously. but why are there no global permissions loaded at the same time? at my current knowledge, i can't understand why those permissions are not loaded.
as far as i understand, global permissions could be used globaly. independently of the (un-)expected board that the user will post to. because the user is not able to post to any board he/she don't have the permission to use attachment.

so, the permission to post an event and the permission to use attachments, are allways aligned for a user. so, why not load those permissions?

Arantor

Yes, once you hit the button, you're inside the board at that point (the board number you picked in the dropdown is sent through to the post form) so it knows which board to load permissions for.

-------------------

Why are the permissions not loaded? It's quite straightforward actually.

You have two boards, board 1 and board 2. The user can post attachments in board 1, but not in board 2. They can make posts in both boards.

The user goes to make a calendar event - at this point, they are not in EITHER board. The system checks, sees they can make topics in both boards, and shows this. But they're still not in either board, so neither board permission is loaded. How would it know which to load?

The post attachment part does not know how to say 'what about this board', it simply asks 'can the current user make an attachment' - since the user is not technically in either board at the time, no board level permissions have been loaded - because you can't load both sets at once in the current system. Which means the user won't have board level permissions for any board.

At the point of trying to make an event, which board's permissions could you even load? You don't know which permissions are to be loaded, and won't know until after the form is already made. You'd have to load every single board's permissions and juggle them around depending on what board the user selected which is really, really complex to do.

demlak

i understand your point. what i don't understand is why this should take effect.
as far as i know, global board permissions are global. and there is no possibility to edit those for an individual board. it's just for each user on or off. like permission to post an event - on or off.

maybe i searched not deep enough, but i can't find any setting to (dis-)allow global-board-permissions for individual boards.especialy for attachments i can't find anything related to specific boards.

am i incorrect with this?:

so, "the permission to post" is aligned to "the permission to use attachment" and there for it could be loaded at the same time as the list of boards a user is able to post to. because there is no discrepancy between those two permissions.


if i'm correct, a working (at all circumstances) solution would be to add the "board=" part to the url for the default event-board?

Kindred

Of course you can edit permissions for a specific board.   It's called a permissions profile and can be set individually, per board, or grouped as a type (e.g. read-only) and applied to multiple boards
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

Except they're not global. Never have been, never will be. You absolutely can edit them per board - you create a profile for the board(s) you want to assign it to. It's only the default profile that you edit when you edit things, not the other profiles, nor any custom made profiles.

Board-level permissions a complex thing to set up but it is absolutely doable.

Also the permissions aren't actually aligned either. As I said, it's perfectly possible to have the situation where a user can post topics in 2 boards but only add attachments in one, meaning that they're not aligned! Meaning that you can't just load them, short of loading every possible combination and filtering it on the client (and that's before we take into account approval of posts and/or attachments, because that's also a set of permutations you can have that are not tied together)

demlak

#12
ok.. then i'm too dumb to find the area where to set individual board permissions, that do shrink or expand global-board-permissions of users - especialy for adding attachments.

if we talk about ".../index.php?action=admin;area=manageboards;sa=board;boardid=X", i'm just able to allow usergroups to post or not. but there is no specific rule for individual attachment permissions for each board. or any other permission that is set in the user-global-board-permissions.

so this seems not to be the desired admin area. where to find those settings you are talking about?

Arantor

Go to where it says 'edit profiles', create a new profile with different permissions. Now go to a board's configuration and assign that profile. That board now has different permissions to the 'global' permissions as you insist on calling it.

The idea is that you can set groups of boards all to have the same permissions as each other, something that was a huge challenge on this site.

demlak

found it.

i'm sorry.
now all you wrote make sense to me.
if there are modifications to the "standard" Profile, then there would be problems

as far as we don't shrink the usage of attachments, i will modify my smf-theme to add standard ";board=" to the url on creating an event. but this is for sure no workaround for any SMF-Instance where individual board permissions differ to global permissions by editiin individual board profiles.

Arantor

Not even just modifications to the standard profile - depending on the nature of site, if you upgraded from 1.1 to 2.0 with certain permissions setups, you won't be using any of the standard profiles at all.

And really, SMF doesn't actually care that much, from the permissions system internals, all the profiles are just profiles, there's no special meaning given to any of them, so using the 'default' profile or a different profile, it just knows 'this board uses this profile which has those permissions'.

And that's still before we get into the murk that is post moderation :(

demlak

yeah.. i understand now, that the calender eventpost-dialog just loads the list of boards the user is permited to write to. loading individual profilesettings for each board is not implemented.

i'm sorry that i was not going enough into detail of board settings to know about board-profiles.

in my usecase, i think, just replacing all instances of "action=calendar;sa=post" by "action=calendar;sa=post;board=8.0" in Subs.php and Calendar.template.php fitts my needs.
(8 is my board-id for default calendar events and where every usergroup who is able to use calnder, is able to post in)


thx for your help/clarification

Arantor

Yeah, for your use case that would work pretty well (and should even pre-select the board for you in the dropdown)

Sesquipedalian

Quote from: Arantor on June 23, 2018, 06:58:03 AM
This is a design flaw, that I *think* has been fixed in 2.1 but I haven't checked. If I'm right, it's a major change to backport it.

Yes, in 2.1 this has been fixed. In this situation, 2.1 checks if the user has permission to post attachments on any board and, if so, makes the attachment upload interface available. But if the user selects a board that she doesn't actually have that permission for, she is sent back to the post editing page with an error message and the attachments are removed.

Backporting this to 2.0 would indeed be a major change and will not be happening.
I promise you nothing.

Sesqu... Sesqui... what?
Sesquipedalian, the best word in the English language.

Arantor

Yeah, that's what I thought had happened, fairly sure I'd seen it in the patches along the way but since I ditched the calendar code months ago I wasn't exactly paying *that* much attention myself ;)

Advertisement: