Solving phpBB forum permission issues

I have noted before that phpBB’s permission system is awesome. In one way though it’s a bit defective: it’s hard to troubleshoot issues with permissions, particularly forum permissions.

In this post, I’ll delve into solving forum permission issues. The general problem is that a user typically belongs to more than one group and different groups can have different forum permissions. If you are unfamiliar with the basic phpBB groups, you might want to read this post first. You can also create groups of your own and set forum permissions to those groups.

To solve these issues, you generally you need to start with a test case. This part at least is pretty easy because you usually have a user whose permissions are not working correctly, so you just need their username. You also need one or more forums where their permissions are off. You also need to know what permission isn’t working right, such as permissions to create new topics or reply to topics.

If you dig into phpBB’s documentation, it becomes a little clearer. On permissions, the documentation says:

  • YES will allow a permission setting unless it is overwritten by a NEVER.
  • NO will be disallow a permission setting unless it is overwritten by a YES.
  • NEVER will completely disallow a permission setting for a user. It cannot be overwritten by a YES.

So essentially when the NEVER permission is set, it becomes a blocker overriding any other permissions.

Seeing all forum permissions for a user, forum and permission type

How do you see these forum permissions? You need a tool. The good news is that phpBB has just such a tool. The bad news is that they bury it. In fact, it could not be harder to find. In this example, I will use my development forum to see forum permissions for myself.

  1. Go into the Administration Control Panel
  2. Select the Permissions tab
  3. On the left sidebar, go way down to the bottom. You want View forum-based permissions. Click the link.
  4. Pick the forum or forums you want. In this example, I chose the “Your first forum” forum created by default when you create your board. I then pressed SUBMIT.
  5. Now I pick the user. There are various ways to do this with the interface for both users and groups. In this case I choose myself, with a username of “Mark D Hamill”. I entered the username in the “Find a member” field and pressed the View permissions button below the field. This brings up the Viewing permissions page. The colors you see on the permission tabs may vary from mine where the green boxes in each of the tabs basically say “This user or group has YES for ALL permissions under this tab”. Red means “This user or group has NEVER set for all permissions under this tab”. Blue means “This user or group has a mixture of permissions for the permissions in this tab.”
View permissions page
View permissions page
  1. I now want to check out a particular permission. You may have to hunt for the permission you want to check for the user and forum as it may be on a different tab. There is a tiny little icon to the left of each forum permission. That’s what you need to click on. In this case I want to see how permissions are determined for the Can start new topics permission.
Selecting a permission to check
Selecting a permission to check
  1. This generally brings up a popup window. If you don’t see a popup window, you may have to tell your browser to allow popups for the domain. Finally this brings up a useful screen:
Viewing a particular permission
Viewing a particular permission

Now you can see what’s going on for this particular user’s forum permission. Since I am both an administrator and a global moderator, I belong to both those groups, each of which has a group forum permissions too. By default, NO access is allowed to the forum for a user, so it is the first permission. But it is set to YES for Administrators, so the logic continues and the next group is tested. It is set to YES for Global moderators too, so the net permission is still YES. It is set to YES for registered users in this forum too, so it’s still YES. Finally, it looks for any user-specific forum permissions. None were granted, so this permission is NO, but since it is NO and not NEVER the overall YES permission still applied.

Fixing the underlying permission issue

With this tool, you should be able to determine where the root of the permissions issue lie from the variance from an expected permission from the actual permission. It’s usually a group permission that needs changing. The most likely solutions are:

  • A NO permission should be NEVER
  • A NEVER permission is blocking everything so it should be changed to NO
  • A NO or NEVER permission is incorrect and should be YES

So adjust the group or user permissions for the forum privilege accordingly. You can use this tool to check to see if the result is correct, or use the feature in the Administration Control Panel to test out a user’s forum permissions.

Usually in these cases, you cannot use the built-in forum roles. Rather you have to click on the Advanced link for each forum and group and change permissions that way instead.

In some cases, you can adjust the permissions for a forum role and have them trickle down accordingly, avoiding the need to use the advanced link when setting forum permissions. I’ll leave you to investigate this option if you want instead. It can get a little hairy to change these because it affects all forums where these permission roles are used.

Setting user-specific forum permissions is always a bad idea. Remove them if you can, and place these forum permissions in groups you create instead. Add people to these groups as necessary to get the desired behavior.

The newly registered users group permission quirk

There are some things that are definitely peculiar about phpBB’s permission system. Newly registered users are also in the registered users group. To start, this makes no sense. In the case of this user, “tester66”, because he is in the newly registered users group, the forum’s permissions for newly registered users does not allow them to start new topics. But because they actually are in the registered users group too, they can start new topics, the exact opposite of what you would expect!

Newly registered users permission quirk
Newly registered users permission quirk

How do you solve this problem? You have to set the permission to NEVER for the newly registered users group by using the group forum permissions function. In it you select the Advanced link to fine tune the permission. After changing the permission, you can see the result:

Fixing the newly registered users group quirk
Fixing the newly registered users group quirk

 

January 2019 work summary

I was on vacation January 5 – 18 so you would think work would slack off this month. But while I was gone a queue of work developed. I was kept reasonably busy when I wasn’t touring Ecuador and the Galapagos Islands. In short, despite taking two weeks off, I made my revenue goal for the month thanks to customers who waited patiently for my return.

  • An old phpBB 2 forum on an old free host was somehow upgraded to a newer version of PHP. That caused the old forum to mostly stop working. Many screens were garbled or content was hidden or inaccessible. I was able to infer the phpBB 2 URL for downloading the database by doing a test on my laptop. This allowed me to download the database, but the avatars (since they were images and no FTP was available) remained inaccessible. I was then able to convert it to a phpBB 3.2.4 database which I placed on my domain in a folder for the client to inspect. Currently the client has a converted database that they can move to any host. They have not asked me to take this next step, at least not yet.
  • Updated a forum from phpBB 3.2.3 to 3.2.5. When I tried to make a database backup, I downloaded it and discovered that it was not complete. This was due to annoying shared hosting timeouts on Bluehost, which really metes out resources sparingly to clients, one of the reasons I urge clients to avoid companies owned by the Endurance Group like Bluehost. I eventually made a set of backups by making slices of certain tables using phpMyAdmin. In short, this relatively simple upgrade was something of a pain, mostly because I won’t do an update unless I have a complete recovery path. I had to change the logo size in common.css to put the old logo back. The client’s Advertisement Management extension needs an update, which I later updated.
  • Troubleshooting. A client complained about spam they were getting. This is probably because Contact form was enabled but the enabled Cleantalk extension was not checking it. I enabled Cleantalk to check it. Next was a complaint about users not being able to pass reCaptcha. I created a new set of reCaptcha keys, but this one used the checkbox Captcha that phpBB 3.2 supports, and deleted the old one. Their [youtube] and [vimeo] BBCodes were not embedding properly. I installed the Media Embed extension and disabled the [youtube] BBCode by renaming it so I could use it with Media Embed extension. Vimeo has similar issue but I left that untouched. 248 Youtube and 105 Vimeo embeds were affected. I noted that anyone could edit their own posts to fix the embed issue and provided instructions.
  • What looked like a newly upgraded phpBB 3.2.5 forum needed styling work to make it match a larger website (they were using prosilver). After going through the available styles with the client, he agreed to and I installed the ne_blackgreen style which I then proceeded to tailor to make it match the larger website. I concentrated on header and footer changes to the pages. For the header, the client wanted three image areas across the top, evenly spaced, left side pushed left, center centered, right pushed right, of equal size. I made it responsive … was in previously in a HTML table that was not responsive and did not look good on mobile devices. I installed the NavBar Search extension to put the search bar on the navigation area so I had the full header available. For the page footer, I was asked to add some standard text. I removed many HTML validation errors from using old HTML. I converted the old HTML tables to responsive <div> tags. I changed the PHP version from 5.6 to 7.1. I tried to change the spambot countermeasure to use reCaptcha but it gave a HTTP 500 error, so I reverted to Q&A spambot countermeasure. Forum pages are now responsive. The larger website is still not responsive. This could be take up as a future project. I changed user registration settings to allow people to respond to an email link to complete registration. I changed the base font size to 13px. Added 1cm padding to the top and 2cm padding to bottom. Later, I did another hour of style tweaks, principally to make it look good on mobile devices. There were annoying issues with CloudFlare and no way to refresh its cache, so I had to wait to see changes. Cloudflare was eventually removed by the client.
  • I updated a forum from phpBB 3.2.3 to 3.2.5. I had to reapply one style change to common.css, otherwise it was an easy and normal update with no issues. Afterward, there was an issue with a phpBB Gallery error. I removed the cache file that reported the error and the error went away. I updated domain from PHP 7.0 to 7.2 so user avoids extra fee.
  • I upgraded a forum from phpBB 3.0.13-PL1 to 3.2.5. I started with the default prosilver style, but soon moved to Orange BBE style. I made some customizations. I moved the search interface to navigation bar. I had to resize the logo to 50% of its previous size to make the logo responsive to mobile devices. At screen width of under 700 pixels, I swapped in a logo that was one third of the original logo size. I installed the advertisement management extension because the client was previously using the mod and had ads to be ported. Because MySQL tables existed from the mod where the old ads were placed, there were some tables and columns missing causing some errors when the extension ran. It took some analysis to add what was needed to get it to work as an extension without losing the old ads. Basically, I had to add some columns and indexes. I replicated email, FB and donation links/buttons on the navigation bar. I replicated the background image in the style. I installed the mChat extension. I setup reCaptcha V2 as spambot countermeasure. I disabled the contact page as it is a channel for spam otherwise. I changed PHP to 7.2 for all domains. This client had the same UK host as the previous clients, and the host charged extra if they weren’t using PHP 7.2.
  • This client has a busy site and wanted to do an upgrade from phpBB 3.0 in stages, starting with development environment upgrade that had a copy of the production database. I had to use SSH and FTP to do this work. There is no cPanel or Plesk environment available. In the development environment, I upgraded phpBB from version 3.0.12 to 3.2.5. The database upgrade program look about 3 hours to run, and I had to manually create the phpbb_config_text table first. Next, there was style work to match current style, about 3 hours of labor for that. I installed the Tapatalk, Thanks for the posts, Digests, ACP Add User and Google Analytics extensions. I disabled the contact page. I enabled the reCaptcha V2 spambot countermeasure. I added a home link to the navigation bar. While I installed my digests extension (they have the digests mod installed), I did not set up digests cron, but users’ subscriptions were successfully carried over. The Tapatalk extension may not work correctly until moved to production because it’s in use in the production forum. No ForumRunner extension was available so that functionality was lost. I installed the PM Search extension, a release candidate extension. The Thanks for the posts extension may need permissions set up. The client will be doing some testing of the development environment. When complete, I will upgrade the production forum. That work should show up in next month’s report.
  • Someone sent me a $50 donation for my digests extension, a thank you for finally getting it approved (a 3 year effort!) I had no way to thank them for the donation, and I tried to give it to the phpBB group but could not find a way to donate money to the phpBB group, so I kept it. Thanks, donor!