Answered User Group Access

I can't clearly understand user-groups-based access to boards.

After install I have "Forum Members" group that have access to all globally accessible boards. I've added here a "test" user (not admin user, now it is member of "Forum Members" group only).

My "test" user have access all over the forum.
Good, but I want to have some boards that will be accessible to selected user groups only.

First, I have created a new group "OXC":
give it one context "web" "Member - 9999" "Load, List and View"
and a "test" user as "Member - 9999" ("test" user now is member of "Forum Members" & "OXC" groups).

Question: Should I add second context "web" "Member - 9999" "Discuss Member Policy" to my "OXC" group? Seems that is not necessary, but I have to ask to be sure

Then, I have created a standard board "OXC members only".

As I understand there are two ways to edit access to boards:

#1. Components -> Discuss -> Boards -> "OXC members only" -> Edit Board -> User Group Access
And add here "OXC" group.

#2. Components -> Discuss -> User Groups -> "OXC" -> Update User Group -> Boards
And check here boards to access.

Adding "OXC" group to "OXC members only" board settings causes changes in "OXC"'s checked boards - (#1) causes changes of (#2).
But checking "OXC members only" board in "OXC" group settings not causes changes in "OXC members only" board settings - (#2) not causes changes of (#1).
And it not take effect at all - even after value have been saved, when update-user-group-page reloaded it takes value of board settings (#1), not its own new (allegedly "saved") value. Seems that mechanism (#2) is not working?..

Alright.. let's simply add a group to our board (#1). Save, clear the cache, flush permissions - new settings displays successfully on both pages. But "test" user still do not have access to "OXC members only" board. While Admin and Guest do have! Smiling through tears))) Exactly the opposite result)) What I'm doing wrong?

Update


When I'm assigning access to "OXC members only" board for "Forum Members" group it works fine. Guests do not have access to "OXC members only" board; logged-in users ("Forum Members") do have access.

Hmm.. It makes me think, that it is something wrong with my newly created group. I tried to add a second context "web" "Member - 9999" "Discuss Member Policy" to my "OXC" group, and to change the only "web" context of "OXC" group to "Discuss Member Policy"/"Discuss Moderator Policy"/"Discuss Administrator Policy", and even to remove all contexts from "OXC" group - no effect. Other settings of "OXC" group are the same as in "Forum Members" group. I don't understand... [ed. note: Alexus last edited this post 11 years, 2 months ago.]

Did anyone else tried user groups access? Nobody? Indeed??

Thanks a lot!

Sooth to say, it was not the answer, but it pushed me in the right direction Yes, I'm always works with test user in another browser, that is not logged into the Manager. But there is one thing that confused me and led me to conflicting conclusions.

When I'm adding a "test" user into "OXC" group - everything works fine, "OXC members only" board appears and "test" have access to it.
But when I'm deleting "test" user from "OXC" group - "OXC members only" board do not disapears, "test" user still have access to board that should be closed for him now. Even "flush permissions" does not help. Only logout and login "test" user. Seems that it is some kind of small bug? Is it related to user sessions, and related to Modx core, not Discuss addon?

Upd^
I want to try modified sessions as described below and learn more about this user group access mechanism:
http://develop.modx.com/blog/2012/04/05/new-for-2.2.1-session-less-contexts/ [not what I need]
http://habrahabr.ru/sandbox/43175/
Some kind of deleting user groups from user session will suit most of my projects, but it will be fine to have improved session mechanism to achieve correct and instant work with user-group-access in further. [ed. note: Alexus last edited this post 11 years, 2 months ago.]

You often need to also Flush All Sessions when changing security permissions.

As a variant, yes. But is not very convenient. User logged into the site, make some quest to get membership. Ok, I'm adding him to new privileged group. And then should I say him to re-login? Personaly to every new member? Or should I "Flush All Sessions" - but it will logout all innocent users too)) No, it is not convenient for active communities that have frequent transitions of users from group to group.

I'm pretty sure you can add the user to a group in code without flushing anything as long as the permissions are already set up:



You should only need to flush sessions when you alter the ACL entries. I could be wrong.

Yes, I was thiking about creating front-end admin page where I can manage users groups. I did not try yet, but I think I should add a few more code:

You shouldn't need to save the user (though that might refresh the user's permissions - not sure). joinGroup() and leaveGroup modify and saves the user group member intersect object, which is the only place the membership info is stored in the DB.