Hello!
For some reason, the Security changes I’m trying to apply do not work — everything gets back to default settings when a page is refreshed.
I’m not sure what could cause this behaviour — could it be our custom theme?
I need to untick ‘Create’ option:
Hiya!
There is a hint on the page:
This category is public, everyone can see, reply and create posts. To restrict permissions, remove one or more of the permissions granted to the “everyone” group.
So to remove the “create” permission, you can remove everyone, and then add everyone with the settings you want; I tested this just now on 2.9.0.beta3 and it works…
In that screenshot (
) the “New Topic” button is non-functional.
However… when I refresh the permissions on a category, it shows the same “This category is public…” message, and all boxes are checked, while the intended permissions remain; in this case all three checkboxes are checked, but the category in question only allows reading and replying, but not creating new topics.
I’m going to rebuild my site and test some more, to see if this still persists. 
Two words for you my friend: safe mode. 
You know what, I actually misunderstood that hint-text, and my brain just came up with a workaround, even though the expected behavior was not working my site.
So please ignore my weird hack, and let’s focus on reproducing this bug.
Yes, I have just tried this on my test site (41fb4a3ca0), and it’s behaving in an unexpected way.
Expected: Unticking reply or create on the security settings (and saving) should update the security settings.
Adding a second group also behaved unexpectedly
I think this may be a bug.
I’m now on this version and yes, it persists.
If you untick a box, does it actually set that permission, despite the refresh showing all boxes ticked? That’s how it works for me, if I set the permissions, they are applied, but a fresh viewing of the permissions always resets the boxes being ticked though the permissions remain applied.
Oh good catch! I am seeing that happen as well.
Thank you very much for your help! Hopefully, this will be fixed soon 
I think you may be right.
)And a similar thing when adding a second group alongside ‘everyone’. The ‘everyone’ group disappears from the display, but the permissions seem to be enacted.
It seems it’s also restricted to the ‘everyone’ group. Others I can add and amend permissions for, and they seem to stick just fine.
I can repro this even on 2.8.2, so this is a pretty old bug that nobody has noticed.
However - the permissions are indeed being saved correctly in the database.
The problem “only” seems to be that the user interface checks all checkboxes as soon as the security tab is loaded.
When I take the second test a step further and add a third group, it seems to override and remove the hidden/background ‘everyone’ security settings. Eg:
)The problem is in the CategorySerializer and it has been introduced in commit dfaf983.
It’s a security fix that has been backported so that’s why it happens in stable as well.
You are correct. I already pushed a fix for this problem in this PR:
This topic was automatically closed after 2 days. New replies are no longer allowed.
