Warning, this is a long post. To cut to the chase, I've posted a couple of patches for forums to bug 1338
https://openacs.org/bugtracker/openacs/bug?bug_number=1338
These are significant mods to forum permissions so I would appreciate it if someone knowledgeable about forums could review them before I commit. The patches are against oacs-5-1, which is what we're using for .LRN. Once reviewed I will roll them against both oacs-5-1 and oacs-5-2. Thanks.
Now for the details.
In the past I've come across subtle bugs in the forum permissions and this time attempted to do some cleanup.
After researching a bit, it looks like back in 2003 Lars began to standardize the permissions to allow anonymous postings. But while the permission checks were standardized,
http://cvs.openacs.org/cvs/openacs-4/packages/forums/tcl/forums-security-procs.tcl?r1=1.6&r2=1.7
the permission grants were not.
Interestingly, the granted, non-standard privileges should have caused hard-to-ignore bugs, because the non-standard privs are children of the standard ones. That is, the grants were lower in the chain than the privileges that the code was checking for. However, after more digging, I found that if the forum was placed in a dotlrn instance or a non-root instance of acs-subsite, the permissions cascade tended to paper over the bugs.
But a forums instance placed directly under the root illustrates the problem. Regular non-admin users are presented with navigation to create posts, but then denied permission when they click the button.
So I've patched the code and written upgrade scripts for Oracle. These convert the custom privilege grants to standard ones and then drop the custom privileges. I've left one custom privilege behind -- forum_moderate -- because it has some utility and might be nice to have.
I'm hoping to get this committed ASAP but would appreciate at least one other person taking a look at it, perhaps even testing it, first.
