Permission Changes (moderators have less)

(Rikki Tooley) #22

Say someone (not a staff member) wants to run a forum game… but the staff members want to play. How could it be set up so that the game gets a special category only the game-runner can mod?

So two things off the top of my head:

  • grant mod permissions on a category basis
  • override staff permissions on a category basis (in the sense that UI is hidden by default - the staff still have access if they really want it)

(sparr) #23

I have never heard

Anecdata seems to drive a lot of your design decisions here. I would not have expected that, having read your blog for a few years.

(Jeff Atwood) #24

It’s widely accepted by working programmers that Drupal is awful, in the same way that PHP is. Plenty of reading out there on the matter if you are interested.

(Jeff Atwood) unpinned #26

(sparr) #27

[quote=“codinghorror, post:24, topic:12522”]
It’s widely accepted by working programmers that Drupal is awful
[/quote]

We aren’t talking about programmers, though. We are talking about users. I agree that writing code for Drupal is not enjoyable. That has nothing to do with whether or not the functionality exposed to users/admins is usable or ideal.

(nXqd) #28

Can we create a moderator for a certain category? And somehow, I don’t think it’s fine to let a moderator change an admin’s personal information like username, email, etc.

Because I’m working on a fairly big community and I don’t really trust the moderators. It’s not that I don’t trust them at all; they can do whatever they want in their moderated categories.

(Jeff Atwood) #29

No, we do not have category specific moderators yet. It has been discussed a few times.

(nXqd) #30

Thanks for your reply.

How about a moderator having the right to change an admin’s personal information?

(Michael Downey) #31

Is this still supposed to be true? We have a “foo” sub-category that is restricted to a Group called “foo” (Create/Reply/See) and to “staff” (See). Just earlier today, a moderator who is not a member of the “foo” group replied to a post in that restricted category. I confirmed that moderator was able to see the entire sub-category topic list.

I temporarily removed that user’s moderation flag until I can figure out what’s actually supposed to happen. I refreshed his browser session from the user’s admin page, and then he couldn’t see the topic list any more for that sub-category.

Thanks for any insight anyone can share. 🙂

(Kane York) #32

Moderators are staff, so it makes sense that they could see it… It’s possible they don’t follow the same action restriction paths.

(Michael Downey) #33

Hmm, didn’t realize that. But it still doesn’t explain why they could reply to the topic though.

(Jeff Atwood) #34

@techAPJ can you try to reproduce this scenario on one of your Digital Ocean instances?

(Michael Downey) #35

I should add that the parent category does not have any security restrictions, i.e., “everyone” can Create / Reply / See … it’s only the subcategory with a restriction.

(Kane York) #36

As has been stated before, there is no inheritance of permissions across parent/child categories.

Inheritance of access rights for subcategories broken

(Michael Downey) #37

Yes, I realize that. 🙂 But if @techAPJ is going to reproduce this accurately, it’d be necessary to create a parent category with no restrictions, and a sub-category under that with a single-group with Create / Reply / See permissions.

(Arpit Jalan) #38

Yes, I am able to reproduce this. Also while trying to reproduce this, I caught another bug.

(Michael Downey) #39

By the way, moderators are staff, is there any good reason to have separate Groups for each? It’s super confusing because I can’t remove someone from the staff group if they are a moderator.

(Kane York) #40

Well, you wouldn’t be able to remove them from the moderators group either, as it’s an automatic group…

(Michael Downey) #41

I guess I just don’t see any rationale for this. I want to be able to remove people or add them to staff, because staff is supposed to be a manually-assigned group of people? Moderators are named or unnamed by setting that flag in their profile.

But if all moderators are staff, why not just make them all staff and be done with it? Why have moderators at all?

As a mere human/non-developer admin of Discourse, my assumption is that staff and moderators were different things, since they had different groups. Now it appears that they are not different.

This is highly confusing to an admin that didn’t happen to make the design decision and/or code it up.

(Kane York) #42

Okay, so here’s the deal. There are 9 “automatic groups” in Discourse. Membership in these groups is determined through properties of the user, from being added. They are:

  • “admins”, “moderators”, “staff”
  • “trust_level_0”, “trust_level_1”, “trust_level_2”, “trust_level_3”, “trust_level_4”
  • “everyone” - which is even more special

If your account has the Admin flag, you are in the “admins” and “staff” groups. If your account has the Moderator flag, you are in the “moderators” and “staff” groups.

If you have trust level 2, you are in the trust_level_{0, 1, 2} groups.

“everyone” is a special group, not saved in the database, that applies to all signed in and anonymous users.

If you want to make a group denoting the staff of your organization, name it something different, like “openmrs staff”. The “staff” group is all of the forum admins and moderators.
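
Added example, not part of the thread and not Discourse source code: a small Ruby model of the automatic-group rules from post #42, applied to the category setup described in posts #31 and #35, to show which access an admin should expect for a moderator. The struct, the function names and the "highest grant from any of the user's groups wins" rule are assumptions of this sketch.

```ruby
# Hypothetical model for auditing expected access; not Discourse's own code.
User = Struct.new(:name, :admin, :moderator, :trust_level, :manual_groups,
                  keyword_init: true)

# Automatic groups are derived from user properties (post #42).
def automatic_groups(user)
  return ["everyone"] if user.nil? # anonymous visitor
  groups = ["everyone"]
  groups += %w[admins staff] if user.admin
  groups += %w[moderators staff] if user.moderator
  (0..user.trust_level).each { |lvl| groups << "trust_level_#{lvl}" }
  groups.uniq
end

# Ordered permission levels: See < Reply < Create.
LEVELS = { see: 1, reply: 2, create: 3 }.freeze

# Assumption: the highest level granted to any of the user's groups applies.
# Returns nil when no group of the user appears in the category's list.
def effective_permission(user, category_acl)
  groups = automatic_groups(user) + (user ? user.manual_groups : [])
  category_acl.values_at(*groups).compact.max_by { |lvl| LEVELS.fetch(lvl) }
end

def can?(user, action, category_acl)
  level = effective_permission(user, category_acl)
  !level.nil? && LEVELS.fetch(level) >= LEVELS.fetch(action)
end

# Actions the model allows, for comparison with what the forum actually permits.
def audit(user, category_acl)
  LEVELS.keys.select { |action| can?(user, action, category_acl) }
end

# Constructed sample data mirroring posts #31 and #35.
PARENT_ACL = { "everyone" => :create }.freeze             # unrestricted parent
FOO_ACL    = { "foo" => :create, "staff" => :see }.freeze # nothing inherited
MODERATOR  = User.new(name: "mod", admin: false, moderator: true,
                      trust_level: 2, manual_groups: [])
FOO_MEMBER = User.new(name: "member", admin: false, moderator: false,
                      trust_level: 1, manual_groups: ["foo"])

if __FILE__ == $PROGRAM_NAME
  [MODERATOR, FOO_MEMBER, nil].each do |u|
    puts "#{u ? u.name : 'anonymous'}: #{audit(u, FOO_ACL).inspect}"
  end
end
```

Under this model the moderator reaches the sub-category only through “staff” (See), so a successful reply is the mismatch an admin would flag.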