Forum .LRN Q&A: Re: Forums permissions

7: Re: Forums permissions (response to 1)
Posted by Nima Mazloumi on
Exactly.

Here is the state of the bug so far. I talked to Joel, Lars, Tilman and Dirk.

Tilman posted a bug. Joel suggested that I go through all forum bugs and assign the blocker ones to Lars. This I will do next.

Tilman's suggestion was to change forum-security-procs.tcl to use different privileges. On installation of dotLRN the privileges forum_post and forum_create are used. The tcl file expects read, create and write, which is right because this was also assigned, but somehow it doesn't work.
Now changing each

return [permission::permission_p -party_id $user_id -object_id $forum_id -privilege xyz]

lines to forum_xyz doesn't solve all problems. A normal user can now create a thread but not read his own thread.

After discussing this with Dirk, the only way to fix this bug until it is fixed at OpenACS is to do the following.

First do the above changes in forums-security-procs.tcl. So far this is not vulnerable.

Next uncomment do_abort in the function require_read_message in the same tcl file. Now the forum works again. But you have a security hole. At least forums will work. Otherwise you have to refrain from offering it until a true bug fix is found.

Greetings,
Nima