Permission system change

NodeBB Development
  • tldr

    Permission system changed. After upgrading to 0.6.0 check your group permissions to make sure they are correct.

    Long version

    This is not really a breaking change so I am just posting here.

    Related GH issues and

    Previously if no options were ticked in the manage>categories permission dropdown it meant registered users can find, read, post topics and replies while guests could only find, read but can't create topics or reply. This was confusing as all the checkboxes were unticked. Also as soon as you ticked the permission for one group the other groups lost that permission.

    From now on what you see in the permission drop down is what you get. If all checkboxes are unticked no group has permissions, if only one of them is ticked only that group has permissions and so on. Administrators are an exception so even if you remove their tick in the dropdown they can still access and post, so I'm not sure why we have admins in that dropdown ๐Ÿ˜†

    On a new install NodeBB will give all permissions to administrators and registered-users groups. When you create a new group from the ACP that group will not have any permissions so it is up to the forum admin to assign proper permissions.

    The upgrade script will go through all categories and groups and assign permissions if there are no permissions set. This is to mimic the previous behaviour. So after upgrading to 0.6.0 you should go through your categories and make sure correct permissions are set for guests and possibly double check other groups.

    Related commit

  • Excellent. This makes much more sense ๐Ÿ˜„

  • Thanks for doing this @baris ๐Ÿ‘ -- hopefully we won't get complaints that it is confusing anymore ๐Ÿ˜„

    As for why administrators is there, they only apply if you want to give admins read/write rights to a category that nobody else has, like a secret forum for admins only :shipit:

  • Well I think those settings don't have any effect because of the other admin checks we have in here :

    If the user is an admin or mod for that category then the group permissions don't matter for them.

Suggested Topics

  • 2 Votes
    10 Posts

    account/edit.tpl form is still coded in older bootstrap style ยท Issue #9364 ยท NodeBB/NodeBB

    The template and client-side parsing logic has not been changed in about 6 years. It looks to be BS2 code. It is also not flexible enough and makes themes adding profile fields harder than necessary. A theme would need to edit the templa...


    GitHub (

  • 1 Votes
    3 Posts

    I think I have discovered another breaking change that you didn't mention, though it is probably super-niche.

    This commit:
    broke our custom SSO plugin. The result was that after successfully logging in our external identity provider and being redirected to our Forum's callback endpoint, I was ending up not logged in (the button in the header still said "Log in") and stuck on /register/complete roadblock. It looked like our Passport strategy verify callback, that parses output from the identity provider and fetches user data via OAuth2 was not invoked at all.

    It turns out that the changes in this commit don't play well together with passport-oauth2 ( internal ability to protect against CSRF (which we were using). This strategy was already using state parameter to pass its own CSRF token. I don't have more time to investigate but I suspect things shipwrecked when NodeBB overwrote the state parameter with its own CSRF token.

    Turning off passport-oauth2 internal CSRF protection (by removing state: true from its options) fixed the issue.

  • Category Permissions

    NodeBB Development
    0 Votes
    1 Posts

    I'm working on a plugin that programmatically adds group and/or user perms to a dynamically created category.

    I mimicked the call used in the write API, but I'm not sure I'm constructing the perms correctly - and that still doesn't answer the issue of single user perms for a category.

  • 0 Votes
    8 Posts

    @julian WTF!!! even better!! ahaha!! this gets better everytime!.... my only gripe is that persona stinks on Windows Phones...--> new thread coming on.

  • 2 Votes
    3 Posts

    @baris I started working on a more SEO friendly theme/plugin. I hoped I could keep all the changes within a lavender derived theme, but I cannot. Some changes will be in the core. FOr example, server side rendered pagination. I am looking for some advice on how to coordinate making changes in a theme and core nodebb?