I have noted before that phpBB’s permission system is awesome. In one way though it’s a bit defective: it’s hard to troubleshoot issues with permissions, particularly forum permissions.
In this post, I’ll delve into solving forum permission issues. The general problem is that a user typically belongs to more than one group and different groups can have different forum permissions. If you are unfamiliar with the basic phpBB groups, you might want to read this post first. You can also create groups of your own and set forum permissions to those groups.
To solve these issues, you generally you need to start with a test case. This part at least is pretty easy because you usually have a user whose permissions are not working correctly, so you just need their username. You also need one or more forums where their permissions are off. You also need to know what permission isn’t working right, such as permissions to create new topics or reply to topics.
If you dig into phpBB’s documentation, it becomes a little clearer. On permissions, the documentation says:
- YES will allow a permission setting unless it is overwritten by a NEVER.
- NO will be disallow a permission setting unless it is overwritten by a YES.
- NEVER will completely disallow a permission setting for a user. It cannot be overwritten by a YES.
So essentially when the NEVER permission is set, it becomes a blocker overriding any other permissions.
Seeing all forum permissions for a user, forum and permission type
How do you see these forum permissions? You need a tool. The good news is that phpBB has just such a tool. The bad news is that they bury it. In fact, it could not be harder to find. In this example, I will use my development forum to see forum permissions for myself.
- Go into the Administration Control Panel
- Select the Permissions tab
- On the left sidebar, go way down to the bottom. You want View forum-based permissions. Click the link.
- Pick the forum or forums you want. In this example, I chose the “Your first forum” forum created by default when you create your board. I then pressed SUBMIT.
- Now I pick the user. There are various ways to do this with the interface for both users and groups. In this case I choose myself, with a username of “Mark D Hamill”. I entered the username in the “Find a member” field and pressed the View permissions button below the field. This brings up the Viewing permissions page. The colors you see on the permission tabs may vary from mine where the green boxes in each of the tabs basically say “This user or group has YES for ALL permissions under this tab”. Red means “This user or group has NEVER set for all permissions under this tab”. Blue means “This user or group has a mixture of permissions for the permissions in this tab.”
- I now want to check out a particular permission. You may have to hunt for the permission you want to check for the user and forum as it may be on a different tab. There is a tiny little icon to the left of each forum permission. That’s what you need to click on. In this case I want to see how permissions are determined for the Can start new topics permission.
- This generally brings up a popup window. If you don’t see a popup window, you may have to tell your browser to allow popups for the domain. Finally this brings up a useful screen:
Now you can see what’s going on for this particular user’s forum permission. Since I am both an administrator and a global moderator, I belong to both those groups, each of which has a group forum permissions too. By default, NO access is allowed to the forum for a user, so it is the first permission. But it is set to YES for Administrators, so the logic continues and the next group is tested. It is set to YES for Global moderators too, so the net permission is still YES. It is set to YES for registered users in this forum too, so it’s still YES. Finally, it looks for any user-specific forum permissions. None were granted, so this permission is NO, but since it is NO and not NEVER the overall YES permission still applied.
Fixing the underlying permission issue
With this tool, you should be able to determine where the root of the permissions issue lie from the variance from an expected permission from the actual permission. It’s usually a group permission that needs changing. The most likely solutions are:
- A NO permission should be NEVER
- A NEVER permission is blocking everything so it should be changed to NO
- A NO or NEVER permission is incorrect and should be YES
So adjust the group or user permissions for the forum privilege accordingly. You can use this tool to check to see if the result is correct, or use the feature in the Administration Control Panel to test out a user’s forum permissions.
Usually in these cases, you cannot use the built-in forum roles. Rather you have to click on the Advanced link for each forum and group and change permissions that way instead.
In some cases, you can adjust the permissions for a forum role and have them trickle down accordingly, avoiding the need to use the advanced link when setting forum permissions. I’ll leave you to investigate this option if you want instead. It can get a little hairy to change these because it affects all forums where these permission roles are used.
Setting user-specific forum permissions is always a bad idea. Remove them if you can, and place these forum permissions in groups you create instead. Add people to these groups as necessary to get the desired behavior.
The newly registered users group permission quirk
There are some things that are definitely peculiar about phpBB’s permission system. Newly registered users are also in the registered users group. To start, this makes no sense. In the case of this user, “tester66”, because he is in the newly registered users group, the forum’s permissions for newly registered users does not allow them to start new topics. But because they actually are in the registered users group too, they can start new topics, the exact opposite of what you would expect!
How do you solve this problem? You have to set the permission to NEVER for the newly registered users group by using the group forum permissions function. In it you select the Advanced link to fine tune the permission. After changing the permission, you can see the result: