Security settings for categories don't include higher trust levels

(Tobias Eigen) #1

I have in mind to give access to certain categories by trust level, but this is not working as expected. Although setting up security for categories by trust level is possible in the security settings, it appears that only the security settings you set up for groups actually do anything. If this is only intended to work by group and trust levels are for something else (as discussed here and in other topics linked from there), then the trust level security settings should not be possible.

To replicate:

  1. as admin, create category and set read/post/reply setting for desired permission level (e.g. trust level 2)
  2. create test user account
  3. log in as admin and give test user desired permission level or higher (e.g. trust level 2)
  4. log in as test user and see that you do not see or have access to the category
  5. as admin, give permission to a group to read/post/reply to category
  6. as admin, add test user to group
  7. log in as test user and see that you do have access to the category

As a corollary bug, I see that when I do not have access to a category but go there by URL, I get a white page with nothing displayed. Should be a "page not found" or "you must log in to access" type message.

(Jeff Atwood) #2

I think what you’re running into, possibly, is that trust levels must each be granted explicitly to the category, e.g. if TL3 should have access, grant TL3, TL2, and TL1 also.

(Tobias Eigen) #3

Thanks, Jeff. In my case, I don’t want TL1 to have access to the category but do want TL2 and up to have access. I set up permissions that way in the category security settings, and then grant the user TL2 access. The TL2 user can’t see the category. So… a bug?

(Jeff Atwood) #4

Sorry, I meant, grant TL3 and TL4.

As I recall there might be a bug with manually giving people trust level, where they are not “correctly” added to the trust level groups when the action is manual vs. organic promotion.

(Tobias Eigen) #5

You’re right - that works and my test user with only TL2 access is able to get in, now that I have given permission to TL2, TL3, TL4, TL5. That’s a bit weird. I guess you know this is a bug but I’d expect everyone above TL2 to have access to a category that I give TL2 access to.

(Jeff Atwood) #6

Not technically a bug since that’s the way it is designed to work at the moment. Changing this to feature req.