Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

How role permissions are verified for a category with custom permissions?

Hi all, I'm new with Vanilla. I'm evaluating PHP Forums to create my company's forum.
What I need is to have different categories for different clients and one client should not see another client's categories/messages/etc.

I setup a couple of users, and assigned them new roles (client1, client2), then create a couple of categories with custom permissions, and enabled add/view permissions for the correspondent clientX role and disabled all permissions for other roles.

Here comes my question!
At the category custom permissions setup, I can see default roles like "applicant" or "guest". What I need to know is how permissions are verified, e.g. If I assign roles "client1" and "applicant", both with "add" permission, to the category "client1", does Vanilla check if the user is an "applicant" OR "client1", or an "applicant" AND "client1". (I don't want applicants to see "client1" category).

Thanks a lot!

BTW: the install process is great, and the config is very intuitive with good references to the documentation.

Best Answer


  • Anybody knows what's the criteria when checking role authorization (r1 and r2 vs. r1 or r2)? or at least, where can I find the code where this is done? thanks.

  • x00x00 MVP
    edited February 2013

    to save confusion lets call your category catogory1.

    the rules are additive.

    so, if someone has the permission applicant and you clear the view permission for category1 it will not be able to see it. However if they have both applicant and client1 they will be able to see it. This is a clearly a 0+1 scenario. Applicants will not be able to see category1 so long as they are just applicants.

    if you want a role that only does one thing, clear all permissions except that one thing. That is a good way of preventing mishaps.

    Not sure I understand, but you want applicants to be able to post with add permission, but not see the category? but the discussion controller will check when that user has a permission to view discussions in that category, which is usually where they are directed next.

    If you want an ability for user to post discussions that they can't see, this would have to be done with a plugin.

    I'm not sure how client2 fits in.

    If you are running consultancy I'm guessing you are wanting client1 and client2 to be mutually exclusive unless there are collaborating. it could be a bit tedious to assign users, categories and permissions in each case unless it automated. Besides there is some cross over with the conversations (PM) app, in which you specify the recipients, in the conversation.

    grep is your friend.

  • @x00 thanks for your elaborated answer. The comment about the add permission on Applicant was because that role has add permission by default, but as you said: I have to remove that and the view permission too. I don't see the point of posting messages to something a user can't see :)

    Thanks again!

Sign In or Register to comment.