Forum .LRN Q&A: Forums permissions

I'm just wondering if anybody else is having the same problem with dotlrn forums.  I've been doing some testing on my own installation of dotlrn 2.0b4, and found that if I am a user that has been added to a community, and post a message as a new thread, I get a warning message after pressing the OK button.  The warning message says that I do not have permission to perform that operation.  However when I go back to the forums page, the posting that I attempted to submit is clearly there.

Does anybody know what could be causing this?  I've been looking into this bug, but I cannot trace it.  Any help would be appreciated.

Thanks,
Nick.

Where abouts would I  have to make this change?

Here is the state of the bug so far. I talked to Joel, Lars, Tilman and Dirk.

Tilman posted a bug. Joel suggested that I go through all forum bugs and assign the blocker ones to Lars. This I will do next.

Tilmanns suggestion was to change forum-security-procs.tcl to use different privileges. On installation of dotLRN the privileges forum_post and forum_create is used. The tcl file expects read, create and write which is right because this was also assigned but somehow it doesn't work.
Now changing each

return [permission::permission_p -party_id $user_id -object_id $forum_id -privilege xyz]

lines to forum_xyz doesn't solve all problems. A normal user can now create a thread but not read his own thread.

After discussion this with Dirk the only way to fix this bug until it is fixed at OpenACS is to do the following.

First do the above changes in forums-security-procs.tcl. So far this not vulnerable.

Next uncomment do_abort in the function require_read_message in the same tcl file. Now the forum works again. But you have a security whole. At least forums will work. Otherwise you have to refrain from offering it until a true bug fix is found.

Greetings,
Nima

However, I can reproduce the symptoms described in Nick's original post, and I can eliminate them by commenting out the call to acs_privacy::user_can_read_private_data_p in forums::security::can_read_message_p in forums-security-procs.tcl.  So I think Caroline's on the right track.

Aside from other potentially related issues raised in ticket #1338, the relevant question seems to be, what is the appropriate way to handle the read_private_data permission check?  That's what I will look at now...

Do we need a check for this before we start the posting procees?

Does the user have read private data p on some objects but not others?

Another thing..if the forum is not under dotLRN then it should not check read_private_data_p as that is a dotLRN concept. Can you take a look and make sure this is the case when you have a chance Andrew.

I've implemented the Guest permissions re-work on our dev server at Sloan and tested for correct function on the forums "one message" page.  This, recall, is where we found the bug that exposed the larger problem with Guest status.

I have the following items left:
a) fix the view/add/edit user pages to query the new Guest handling mechanism instead of the old one.
b) test the other places that check for read_private_data
c) test against postgres (already converted most of the SQL)
d) add message keys in a few places