Include permissions

[JN-Jones]

We should start to include permissions. A canViewForum has been included but there are several others:

• [x] canPostTopics
• [x] canReply
• [x] canOnlySeeOwnTopics
• [x] canAddPolls
• [x] canEditPolls
• [x] canEditOwnPolls
• [x] canVoteInPolls
• [x] canViewProfiles
• [x] canUseCustomTitle
• [x] canUploadAvatar
• [x] canViewWhosOnline
• [x] canViewMemberlist
• [ ] canViewTopics
• [ ] canOnlyReplyToOwnTopics
• [ ] canUseParsingCode (markdown and mycode)
• [ ] canUseImageCode
• [ ] canUseVideoCode
• [ ] canUseMeCode
• [ ] more existing parsing permissions

Moderation permissions should be included in that PR (eg canSeeDeletedPosts).

[JN-Jones]

@euantorano Shall I also include Parser permissions (canUseMyCode, enableMeCode etc) or do you plan to change the parser package that much that it'd break anyways?

[euantorano]

Include them for now. I’ll mostly just be changing the way the parser does the parsing rather than anything else.

On 7 May 2015, at 10:07, Jones notifications@github.com wrote:

@euantorano https://github.com/euantorano Shall I also include Parser permissions (canUseMyCode, enableMeCode etc) or do you plan to change the parser package that much that it'd break anyways?

— Reply to this email directly or view it on GitHub https://github.com/mybb/mybb2/issues/132#issuecomment-99785563.

[JN-Jones]

How do we want to handle editing permissions: Everyone with canEditPolls and the creator can edit polls or a second permission canEditOwnPolls?

[Destroy666x]

or a second permission canEditOwnPolls

That wouldn't be bad.

I also think there should be canOnlyReplyToOwnTopics which is not listed above.

And I'd change canPostTopic and canAddPoll identifiers to plural for consistency, now they imply that only one topic/poll can be added.

[JN-Jones]

Naming will be changed later, I mainly want the logic included atm ;)

There are some more permissions that aren't mentioned above (eg canUndoVotes), I need to look which permissions exist in 1.8 at some point.

[JN-Jones]

How do we want to handle parser permissions (@euantorano)? When creating a post it uses the authors permissions, that's clear. But how do we want to handle editing posts? Use the original authors permissions? Or the editors permissions? Also should the parser options on a per forum base or a single usergroup setting? And do we want to have special/seperate permissions for conversations?

[JN-Jones]

Other permissions from 1.8:

• Attachments <- Needs attachments first
• canViewIps <- IPs aren't logged at all atm
• canSearchForum <- Do we really need that? Atm it simply uses the canViewForum permission
• showOnMemberlist (more a setting though but we don't have usergroup settings atm and as it's a boolean flag it could be saved as permission)
• isBannedGroup <- That's something @wpillar needs to look at when working on moderation
• canViewClosedBoard <- @wpillar again
• Moderation <- @wpillar
• canEditPosts/canDeletePosts <- @wpillar
• Profilefields <- @wpillar
• Moderationqueue permissions <- @wpillar

I'll start working on this tomorrow if nobody complains about this ;)

[wpillar]

What does the Profilefields one do? It doesn't have a very verbose name, I like the can* naming scheme, would be good for consistency on that. Apart from that it all looks good.

[JN-Jones]

Profilefields (like attachments, moderation etc) is a general heading to show that they lack permissions atm. How you want to name them or whether you implement something on your own (considering that profilefields are dynamic) is up to you.

[wpillar]

@JN-Jones sorry, I thought you were going to add those permissions. If there are moderation permissions you know need doing, could you add them to this issue please? https://github.com/mybb/mybb2/issues/45

That would really help me get everything that needs doing in one place, then I can tackle them all as I go.

[JN-Jones]

Basically the same as in 1.x: canDoXy for each moderation tool, canSeeDeleted, canReplyToClosed (which should be set to true automatically if the user can open/close threads) and for the mcp for all pages canViewModLog etc. At least those are the ones I'm aware of.

[JN-Jones]

I've added the ones I can/need to add to the first post. Would like to have some more feedback on the others and the parser ones though ;)

[ghost]

@JN-Jones @euantorano As of 5.1.11, Laravel introduces an Authorization system based on abilities using a Gate before requests and a policies implementation, IMHO it'd be great to extend the native Authorization system from Laravel, see here

[euantorano]

Yes, we know about this and the plan is to migrate the system to use this. The default implementation in Laravel is slightly lacking, so we'll be expanding upon it significantly.