Access rights management

Unlike many other comparable forum systems, the Unclassified NewsBoard grants or denies access mainly based on the access control list (ACL). This is basically a set of access rules. Each of them applies to a user or a user group and to a forum or a thread, and regulates a certain user action. Some ‘access rights’ are actually resource limitations like maximum avatar dimensions. You can view, create and modify these rules in the ACL Editor that you can find in the Administrator Control Panel.

For those of you experienced with UNIX/Linux, this works much like the UNIX filesystem permissions. We have forums and threads (compare them with directories and files), we have groups and users (the same as in UNIX), we have different actions (like access modes) and we can grant a right or not. To access a thread or forum, you need sufficient access rights for all forums above it, too. Also, users can be members of multiple groups, just like in UNIX systems.

User groups

To control access for a large group of users at once, there’s the concept of user groups. There are four predefined groups: Guests, Members, Global Moderators and Administrators. You can define your own groups in addition to these with the Groups Editor in the AdminCP. “Guests” is in fact not a real user group, but any user who is either not logged in or a member of no group (users not yet validated) is considered a guest and can be addressed as such in access rules.

You should understand that the “Members” group has a somewhat special meaning in that it contains all ‘validated users’. This is part of the user validation concept. When a user registers on the board and the board is configured to check their e-mail address before they can use their account, the user is assigned to the “Members” group upon successful validation. Only this gives the user their default members’ rights. Moderators, Administrators or members of other defined user groups need to be assigned to their respective user group in addition to their “Members” membership. It is possible – and in some cases required – for a user to be assigned to multiple user groups.

Access rules

An access rule consists of the following information:
  • a forum or thread it applies to,
  • a user or user group it is addressed to,
  • a user action it controls and
  • the way it controls this action.

Rules that are limited to a certain forum or category also control all of its subforums. You can also create access rules for single threads instead of forums, which may be useful for special threads of common interest, for example FAQs or file upload threads. You can only specify a forum or a thread for a single rule.

Rules that are defined for a user group are only valid for this group of users and don’t affect other users or guests. You can also define access rules for the ‘virtual’ group of “Guests” that addresses all users who are either a member of no group or not logged in (unregistered visitors). Finally, you can also omit any user or group limitation; those rules are addressed to any user on the board, including guests, moderators and administrators. You can only specify a user group or a single user for a single rule.

The access rules are stored in an undefined order in the database. For evaluation they are sorted into the following “most-special first” order: highest user ID first, then highest group ID first, then highest thread ID first, then highest forum ID first and finally lowest action ID first. This is the order in which the rules are displayed in the ACL editor and in which they are read when determining access rights. For a specific access query, only the first match is relevant. For a rule to match, its user or group ID must match the currently logged-in user or one of their group memberships, its forum or thread ID must match the forum or thread being queried, and its action must be the one queried for. Disabled rules are ignored. Further (more generic) rules that may apply to the same query are not considered. This way user-specific rules take precedence over group-wide rules and thread-specific rules over forum-wide rules.

Examples

When you want to restrict certain access on a forum to a single user group, you should deny this action to the Members group (and if necessary also to the Guests group) and then allow it to the particular user group again. For example, to restrict any access on the “Internals” forum to the “Subscribers” group, you need to deny “view posts” access to Guests (if allowed at all) and Members and then allow this very access to the “Subscribers” group again so that only this group can access that forum. Administrators should not be locked out of any forum anyway. As another example, if you want to restrict write access (that is, adding threads and posts) on the “FAQ” forum to the “FAQ maintainers” group, then deny “add posts” access (or only “add new threads” if you want them to be able to reply in existing threads) for Guests (if allowed at all) and Members and allow it for the “FAQ maintainers” group. You generally don’t need to deny an action that was never allowed. To restrict access to a small group, you should allow the exact action that was denied for a wider group. Be aware that users can inherit several rights from the multiple user groups that they belong to.
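The evaluation order from the “Access rules” section, applied to the “Internals”/“Subscribers” case above, as an added Python model (not code from the NewsBoard itself). All IDs, the `ANY = 0` wildcard and the deny-when-nothing-matches default are assumptions made for the illustration; subforum inheritance is not modelled.

```python
from dataclasses import dataclass

ANY = 0  # assumption: 0 in a rule field means "not limited to one"

@dataclass(frozen=True)
class Rule:
    action: int
    value: int        # 1 = allow, 0 = deny
    user: int = ANY
    group: int = ANY
    thread: int = ANY
    forum: int = ANY
    enabled: bool = True

def evaluation_order(rules):
    """Most-special first: user, group, thread, forum IDs descending, action ID ascending."""
    return sorted(rules, key=lambda r: (-r.user, -r.group, -r.thread, -r.forum, r.action))

def check(rules, action, user, groups, forum, thread=ANY):
    """Value of the first enabled rule that matches the query; deny if none does (assumption)."""
    for r in evaluation_order(rules):
        if not r.enabled or r.action != action:
            continue
        if r.user not in (ANY, user) or (r.group != ANY and r.group not in groups):
            continue
        if r.thread not in (ANY, thread) or r.forum not in (ANY, forum):
            continue
        return r.value  # first match decides; more generic rules are never read
    return 0

# Constructed IDs for the "Internals" / "Subscribers" example.
VIEW_POSTS, MEMBERS, SUBSCRIBERS, INTERNALS, LOUNGE = 1, 2, 5, 7, 3
RULES = [
    Rule(VIEW_POSTS, 1, group=MEMBERS),                       # members may read everywhere
    Rule(VIEW_POSTS, 0, group=MEMBERS, forum=INTERNALS),      # ... except "Internals"
    Rule(VIEW_POSTS, 1, group=SUBSCRIBERS, forum=INTERNALS),  # re-allowed for subscribers
    Rule(VIEW_POSTS, 0, user=42, forum=INTERNALS),            # one subscriber locked out
    Rule(VIEW_POSTS, 0, user=50, enabled=False),              # disabled rule, ignored
]

if __name__ == "__main__":
    both = {MEMBERS, SUBSCRIBERS}
    for who, uid, groups in [("member", 10, {MEMBERS}), ("subscriber", 11, both),
                             ("user 42", 42, both), ("user 50", 50, both)]:
        print(who, check(RULES, VIEW_POSTS, uid, groups, INTERNALS))
```

With these constructed IDs the Subscribers allow is read before the Members deny only because 5 sorts above 2; a group with a lower ID than Members would hit the deny first.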

User actions

Almost everything a user can do in the forum environment has an action name assigned, by which you can control that particular function with the ACL system. There’s one for viewing posts (and threads effectively), one for starting new threads, one for editing all users’ posts, and so on. Some of the actions can only be controlled globally, meaning for the entire board; others can be limited to certain forums or threads. Rules that are limited to a forum also apply to all of its subforums (see the section above).

There’s another difference between actions: Some can only be granted or denied, like viewing a forum or not. Others can be assigned numeric values, like the maximum allowed post attachment filesize. Those actions are marked with a ² in the list and have their unit in brackets, like “[kB]”. The ACL editor knows when the selected action is a numeric setting and displays a text field instead of the check mark.

Global actions

Administrative actions: Enable access to some admin-specific functions. Should only be set for the default administrators group
Add users: Add a new user
Remove users: Remove a user
Rename users: Change a user’s login and display name
Edit all user profiles: See any hidden information and change any user’s profile. By default, users can only change their own profile
Change avatar: TODO
Send e-mails to users: TODO
View userlist: Show the list of users. If disabled, users can only view the operators team
View online users: Enable access to the user tracking page
View user profiles: If disabled, the users cannot view any other user’s profiles. Normally enabled to everyone but guests
Set users’ group memberships: With this right you can change other users’ group memberships. You can only change memberships of those groups you are a member of yourself. This does not apply to administrators (TODO: Currently, all groups can be set. #7)
View statistics: Let the user view the board statistics
Max. avatar size [kB]: Limit the avatar filesize. If not set, board’s default applies. Avatar width/height can only be set globally in the board settings. There’s no ‘unlimited’ setting
Max. photo size [kB]: Limit the user photo filesize. If not set, board’s default applies. There’s no ‘unlimited’ setting
Max. photo width/height [kB]: Limit the horiz./vert. dimensions of the user photo. If not set, board’s default applies. There’s no ‘unlimited’ setting

Forum/thread-specific actions

All these actions are marked with a ¹ in the actions list.

Add forums: Add a new subforum
Edit forums: Edit a forum
View posts: Enter a forum, list threads and read posts. If disabled, the forum will not be listed. You cannot do anything, especially write posts, in a forum that you cannot view.
Add posts: Add new posts to threads
Add new threads: Add new threads to a forum
Create polls: Create a poll with a thread
Edit announcements: Edit a forum message (these are the announcements, not posts!). This includes adding new messages and removing them
Close threads: Close a thread so that no one can add a reply to it. Users with this right set can still post there, as they could easily re-open, post and re-close the thread again anyway
Mark threads “important”: Make a thread important. It will then stick at the top of the threads list in a forum
Edit polls: Change a poll after its creation. Users can only re-sort the possible answers to a poll but not modify answers. With this right set, you can modify answers if there’s no vote for this poll yet. [TODO: check this]
View poll users: Optionally list all users that have voted in a poll
Edit all posts: Edit any user’s posts
Remove posts: Remove posts [TODO: own or any?]
Edit without edit note: With this right, you can edit posts without leaving a note on that. Existing “This post was changed” notes will remain
Remove edit notes: This enables you to remove any edit notes to make a post look unchanged
View posts’ IP: Get the IP and hostname the post was submitted from and its exact time (with seconds)
Download attachments: Download files that are attached to posts. Can be disabled for guests to reduce traffic
Vote in polls: Grants participating in polls
Remove own posts: Lets users remove their own posts again. Needs the right to edit own posts, too (this may be limited by time). Only the last post in the thread can be removed with this right
Max. attachment size [kB]: Limit the size of files users can upload as post attachments. If not set, board’s default applies
Time to edit own posts [min]: Limit the timespan users can edit their own posts within. “-1” or ‹unset› is no limitation. “0” effectively denies editing of own posts

Pre-defined action sets

To make assigning a basic set of rights to default user groups easier, there are a few pre-defined action sets that contain all common actions that are usually allowed for members, moderators or administrators. These sets are used in the default access rules that come with the installation. If you want to change certain aspects of them, you have to add separate rules revoking some of the rights for a user group again.

(Guest rights incl. posting): This generally enables guest postings. You can use this set to allow guest posting in certain forums. To only allow guests to view forums, use that action (see above).
Includes: view forum, write to forum, add new thread.
If you do not want this, you only need to grant view forum access to guests
(All member rights): Everything a user needs... Automatically granted to the Members group. You should not use this set in your own rules, instead allow or deny viewing a forum to control access to it.
Includes: change avatar, send e-mail, show userlist, show online users, show profile, view statistics, view forum, write to forum, add new thread, create poll, download attachments, vote in polls.
(Additional moderation rights): Automatically granted to the Global moderators group. You can use this set to create moderator groups for certain forums only.
Includes: close thread, important thread, edit poll, edit any post, remove post, no editnote, show IP.
(All admin rights): Granted to the Administrators group by default. You should not use this set in your own rules.
Includes: All existing standard actions (not the ones you possibly added).
The numeric values are set like this: max. avatar size: “100kB”, max. photo size: “500kB”, max. photo width: “600px”, max. photo height: “400px”, max. attachment size: “10MB”, time edit own posts: “unlimited” (overridden by edit any post anyway)
© 2003–2017 by Yves Goergen web1@unclassified.de
Content last updated on 2006-03-18 10:30 UTC