Categories: Security options don't get changed


For some reason, the Security changes I’m trying to apply do not work — everything gets back to default settings when a page is refreshed.

I’m not sure what could cause this behaviour — could it be our custom theme?

I need to untick ‘Create’ option:



There is a hint on the page:

This category is public, everyone can see, reply and create posts. To restrict permissions, remove one or more of the permissions granted to the “everyone” group.

So to remove the “create” permission, you can remove everyone, and then add everyone with the settings you want; I tested this just now on 2.9.0.beta3 and it works…

Screenshot from 2022-04-07 00-29-23

In that screenshot (:point_up:) the “New Topic” button is non-functional.

However… when I refresh the permissions on a category, it shows the same “This category is public…” message, and all boxes are checked, while the intended permissions remain; in this case all three checkboxes are checked, but the category in question only allows reading and replying, but not creating new topics.


I’m going to rebuild my site and test some more, to see if this still persists. :slight_smile:

Two words for you my friend: safe mode. :sunglasses: :+1:


You know what, I actually misunderstood that hint-text, and my brain just came up with a workaround, even though the expected behavior was not working my site.

So please ignore my weird hack, and let’s focus on reproducing this bug. :slight_smile:

1 Like

Yes, I have just tried this on my test site (41fb4a3ca0), and it’s behaving in an unexpected way.

Expected: Unticking reply or create on the security settings (and saving) should update the security settings.

  • Edit category → Security
  • Untick ‘create’ for everyone (and save)
  • Refresh page
  • Reverted to previous ‘all options ticked’

Adding a second group also behaved unexpectedly

  • Add another group (along with ‘everyone’)
  • Untick create for ‘everyone’ (and save)
  • Everyone group has been removed

I think this may be a bug.


I’m now on this version and yes, it persists.

If you untick a box, does it actually set that permission, despite the refresh showing all boxes ticked? That’s how it works for me, if I set the permissions, they are applied, but a fresh viewing of the permissions always resets the boxes being ticked though the permissions remain applied.

Oh good catch! I am seeing that happen as well. :+1:

1 Like

Thank you very much for your help! Hopefully, this will be fixed soon :pray:t2:


I think you may be right.

  • Reset security permissions by removing all groups (No groups have been granted access; this category will only be visible to staff.)
  • Added in ‘everyone’ with all permissions (checked test user - working as expected :white_check_mark:)
  • Unticked ‘create’, and refreshed (screen displays a reversion to all being ticked)
  • Check test user, and they can no longer create a topic in that category, despite the security screen showing they can

And a similar thing when adding a second group alongside ‘everyone’. The ‘everyone’ group disappears from the display, but the permissions seem to be enacted.


It seems it’s also restricted to the ‘everyone’ group. Others I can add and amend permissions for, and they seem to stick just fine.

1 Like

I can repro this even on 2.8.2, so this is a pretty old bug that nobody has noticed.

However - the permissions are indeed being saved correctly in the database.

The problem “only” seems to be that the user interface checks all checkboxes as soon as the security tab is loaded.


When I take the second test a step further and add a third group, it seems to override and remove the hidden/background ‘everyone’ security settings. Eg:

  • Reset security permissions by removing all groups (No groups have been granted access; this category will only be visible to staff.)
  • Added in ‘everyone’ with all permissions (checked test user - working as expected :white_check_mark:)
  • Make ‘everyone’ see only (refresh. all boxes ticked but in reality, they can only see)
  • Add Group2 with all permissions (refresh. ‘everyone’ disappears, but in reality, everyone can still see)
  • Add Group3 (refresh. Group2 and 3 are visible, ‘everyone’ has now lost the ability to see the category)

The problem is in the CategorySerializer and it has been introduced in commit dfaf983.
It’s a security fix that has been backported so that’s why it happens in stable as well.


You are correct. I already pushed a fix for this problem in this PR:


This topic was automatically closed after 2 days. New replies are no longer allowed.