Can this addon be updated to be controlled through dashboard - Role and Permissions - Edit Role?

I found out that every registered member that has EDIT category role found on "Dashboard - Role and Permissions - Edit Role" automatically has "Change Author" permission for discussions.

Please can this addon be upgraded to be controlled through - Dashboard - Role and Permissions - Plugin?
This will make it easy to assign permission to selected users instead of all users with "Edit category" permission.

Comments

  • rbrahmson

    I just looked at the source and it includes these lines of code:

    if (CheckPermission('Garden.Settings.Manage')) {

    and

    $Sender->Permission('Garden.Settings.Manage');

    which should ensure that only users with admin roles can change the author. You need to verify that you are not testing from users with admin rights...

  • @rbrahmson.
    Please what particular user role permission gives a member admin right?
    I have checked my settings and cannot figure out how admin permission was erroneously granted.

    All I know is that if "Role and Permissions - Edit" category is checked, user gets permission to "change author" and if "Role and Permissions - Edit" category is unchecked, user loses permission to "change author".

    Can you try the setting on your forum and see what I mean.
    Thank you.

  • rbrahmson

    @Prosper check two things:
    1. In Roles and Permissions that the users do not have the "Garden Setting Manage" permission checked, and
    2. The specific role called "Administrator" is assigned to regular users.

    If either is true you have bigger trouble than just permission to change the Author - it means that every such user has administration rights. Here is a simple test: while you are logged in to your admin ID, go to the configuration screen of one of your installed plugins and copy its URL. Then log out, log in with a regular user ID that erroneously has access to the Author plugin, paste the URL in the browser address bar and check if you have access to the plugin settings. If you do, then it is likely that either or both of #1, #2 above happened. If not, then either my knowledge is too limited or something very bad happened to your forum.

    Let me know which is it;-)

  • I have just checked, (1) and (2) were not assigned to the user.
    User still has the permission to "Change Author".

    I created a custom moderator role in which the user can edit, sink, delete, and close discussion / comment on specified categories. Unfortunately, the "Garden Default_categories_permission edit" that was checked GAVE user "Change Author" permission. If "Garden Default_categories_permission edit" is unchecked, user loses "Change Author" permission. This is my predicament.

  • rbrahmson

    Perhaps someone else has a better idea of what's going on with your forum. I'm out of ideas here, sorry.

  • rbrahmson
    edited March 2016

    @Prosper, I just went to GitHub and saw that the plugin version there checks the Vanilla.Discussions.Edit instead of Garden Setting Manage. So this is a very simple code change. Try it.

    Linc changed the permission requirement on June 4, 2014: see https://github.com/vanilla/addons/commit/72be412dda44b26d1e2ed42349373a3eff6a707f

  • Prosper
    edited March 2016

    @rbrahmson
    Thanks for discovering the code. I solved the issue by commenting out this code below

    // if (Gdn::Session()->CheckPermission('Vanilla.Discussions.Edit', TRUE, 'Category', $Discussion->PermissionCategoryID)) {

    and added this code instead

    if (CheckPermission('Garden.Settings.Manage')) {

    Now I can control who has "Change Author" permission by simply checking or unchecking - Garden-Settings-Manage under user "Role and permission".

  • rbrahmson
    edited March 2016

    @Prosper - I do not recommend giving "garden settings manage" permission to your forum users (other than admins) -- many plugins use that permission to control access to the plugins settings screen so checking that option on users will also give them access to plugin configurations.

    If you do want to give access to specific users to change authors I recommend that you create a specific permission for the plugin and change the "Garden.Settings.Manage" to that permission.

  • Oh yes, you are right. I won't give access to "change author" to users other than Admins. My custom moderator roles now do not have access to "change author" permission other than to edit, sink, delete, and close discussion on only specific categories.

  • rbrahmson

    I am happy I could be of help
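
The thread weighs three gates for "Change Author": `Garden.Settings.Manage`, the per-category `Vanilla.Discussions.Edit`, and rbrahmson's suggestion of a permission dedicated to the plugin. The following is an added example, not code from the plugin or from Vanilla: a self-contained PHP model that lists which roles pass each gate. The role names, category IDs and the permission name `Plugins.ChangeAuthor.Allow` are hypothetical.

```php
<?php
// Constructed role data for illustration; not exported from a real forum.
// 'global' lists site-wide permissions; 'category' maps a permission to category IDs.
$roles = [
    'Member'             => ['global' => [], 'category' => []],
    'Category Moderator' => ['global' => [],
                             'category' => ['Vanilla.Discussions.Edit' => [3, 7]]],
    'Author Editor'      => ['global' => ['Plugins.ChangeAuthor.Allow'], // hypothetical name
                             'category' => []],
    'Administrator'      => ['global' => ['Garden.Settings.Manage', 'Plugins.ChangeAuthor.Allow'],
                             'category' => ['Vanilla.Discussions.Edit' => [3, 7, 9]]],
];

function hasGlobal(array $role, string $perm): bool
{
    return in_array($perm, $role['global'], true);
}

function hasInCategory(array $role, string $perm, int $categoryID): bool
{
    return in_array($categoryID, $role['category'][$perm] ?? [], true);
}

// The three ways the thread gates "Change Author", modelled as predicates.
$gates = [
    'Garden.Settings.Manage'              => fn(array $r, int $c): bool => hasGlobal($r, 'Garden.Settings.Manage'),
    'Vanilla.Discussions.Edit (category)' => fn(array $r, int $c): bool => hasInCategory($r, 'Vanilla.Discussions.Edit', $c),
    'Plugins.ChangeAuthor.Allow'          => fn(array $r, int $c): bool => hasGlobal($r, 'Plugins.ChangeAuthor.Allow'),
];

// Names of the roles that pass a gate for a discussion in the given category.
function rolesAllowed(array $roles, callable $gate, int $categoryID): array
{
    return array_keys(array_filter($roles, fn(array $r): bool => $gate($r, $categoryID)));
}

$categoryID = 3; // constructed: a category the moderator role may edit
foreach ($gates as $name => $gate) {
    printf("%-36s -> %s\n", $name, implode(', ', rolesAllowed($roles, $gate, $categoryID)));
}
```

Only the dedicated permission lets a role change authors without also holding category edit rights or the settings permission that, as noted in the thread, many plugins use to guard their configuration screens.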
