Forum OpenACS Q&A: forum inherits "registered users" permissions, not party_id ones

I think there are a few errors that should be reviewed, related to permissions. Before I go mad, I'm gonna post what Juan Ignacio and I have found...

  1. When a forum doesn't inherit permissions from its group forums instance, the read_private_data privilege blocks some users from seeing the forum... even if they are members. I have read more about that privilege here: https://openacs.org/forums/message-view?message_id=267005
    1. What I understand from that privilege, is that personal data should not be shown... however a forum could be read (hiding names, emails, and so on..)
    2. Does it make sense to continue using the "read_private_data" privilege and the ACS Kernel "PrivacyControlEnabledP" parameter? (I think so)
    3. In any case, I think that the right value to check if a user could see/read a forum should be "read" (afaik, it was "forum_read" some time ago).
  2. On the other hand... when a forum is set (or unset) to closed, the "write" permission is revoked (or granted) to "registered users" instead of to the group it belongs to.

    Note that in forum-procs.tcl the function ad_proc -public forum::posting_policy_set { has a comment that warns about that.

    ad_proc -public forum::posting_policy_set {
        {-posting_policy:required}
        {-forum_id:required}
    } {

        # JCD: this is potentially bad since we are
        # just assuming registered_users is the
        # right group to be granting write to.
        if {![string equal closed $posting_policy]} {
            permission::grant -object_id $forum_id \
                -party_id [acs_magic_object registered_users] \
                -privilege write
        } else {
            permission::revoke -object_id $forum_id \
                -party_id [acs_magic_object registered_users] \
                -privilege write
        }
    }
  3. And last... why set or unset "write" permission only to "registered users"? What about other people or groups who were granted and had any access level to that forum, should they be granted or revoked? I don't think so.

    Why mix a forum attribute (closed posting policy) with permissions? I think that the right solution is... keep both separated and evaluated when necessary. That way, every page should take into account both parameters. For instance, here is a list of precedence...

    • If a forum is disabled, it's only listed (no link) on the forums admin page.
    • If a forum is closed, no one can post on it, except users with admin privilege on it.
    • If a forum is not closed, users with write permission can post.

Note, the forums package is not used only within dotlrn.

I have recently worked to make dotlrn more friendly to existing packages by creating application groups for each dotlrn group. This makes it easier to write code that works correctly with subsites and dotlrn. This is not in CVS yet; I haven't had a chance to discuss it with the .LRN team yet.

The correct fix may be to inherit from the closest application group but I haven't looked into this. Please remember any fix has to work outside of dotlrn.
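
The precedence list proposed in the first post, as an added example that is not part of the thread or of the forums package: plain Tcl for tclsh, where the `demo::` procs, the users, the group `class_group` and forum id 100 are all constructed stand-ins for the OpenACS permission tables. It evaluates the posting policy at check time instead of converting it into grants, then shows the effect of the `registered_users` grant that `forum::posting_policy_set` makes on a forum owned by a smaller group.

```tcl
# Added example: plain Tcl (tclsh 8.5+); demo:: is a constructed in-memory model, not the forums API.
namespace eval demo {
    variable grants {}   ;# list of {object_id party_id privilege}
    # user -> parties the user belongs to (constructed sample data)
    variable member_of {
        alice {registered_users class_group}
        bob   {registered_users}
        carol {registered_users class_group}
    }
}
proc demo::grant {object party priv} {
    variable grants
    lappend grants [list $object $party $priv]
}
# Granted directly or via a party the user is in. Assumption: admin implies write.
proc demo::permission_p {object user priv} {
    variable grants
    variable member_of
    set parties [concat [list $user] [dict get $member_of $user]]
    set privs [list $priv]
    if {$priv eq "write"} { lappend privs admin }
    foreach g $grants {
        lassign $g o p pr
        if {$o eq $object && $p in $parties && $pr in $privs} { return 1 }
    }
    return 0
}
# Precedence from the post: disabled -> nobody, closed -> admins only, else -> write holders.
proc demo::can_post_p {forum user} {
    if {![dict get $forum enabled_p]} { return 0 }
    set id [dict get $forum forum_id]
    if {[dict get $forum posting_policy] eq "closed"} {
        return [permission_p $id $user admin]
    }
    return [permission_p $id $user write]
}
set forum [dict create forum_id 100 enabled_p 1 posting_policy open]
demo::grant 100 class_group write   ;# the forum's own group, not registered_users
demo::grant 100 carol admin
foreach policy {closed open} {
    dict set forum posting_policy $policy
    foreach user {alice bob carol} {
        puts "${policy}: $user can_post_p=[demo::can_post_p $forum $user]"
    }
}
# What posting_policy_set does when a forum is reopened: grant write to registered_users.
demo::grant 100 registered_users write
puts "after registered_users grant: bob can_post_p=[demo::can_post_p $forum bob]"
```

In this model bob is a registered user outside `class_group`, so he can post only after the final grant, while closing the forum never touches anyone's stored permissions.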