I want to escape by default, to prevent accidental XSS. If you intentionally want to allow scripts then you should use double curly brackets
I think its something I would rather break today than worry about it in future
A bunch of you have been wanting updated privilege controls now, mostly because setting even remotely complicated permissions required a whole lot of clicking to open dropdowns, select/deselect, and even just to check the status of permissions.
There was no way to get an overview of all of the privilege settings for a category, which made the system a bit annoying to use.
We've updated the privilege interface in the ACP for v0.7.0, so it should be easier to get an at-a-glance view of the settings:
Astute users will also notice that the "Group" table also has a new privilege called "Moderate". This new privilege will allow you to make entire groups moderators, instead of manually adding users one-by-one and granting them the "Moderate" privilege. This feature is in beta -- let me know if you run into issues with it!
As with many aspects of NodeBB, we strive to make it simple and straightforward to use. We've had a lot of internal discussion about whether this system makes sense (especially compared to systems from different forum platforms), so we'd also like to hear your feedback regarding that as well.
Simple does also mean NodeBB gives you space to shoot yourself in the foot. If you grant the "Moderate" privilege to a group, and that group is not private, then anybody can join that group and get moderator privileges to that category! Open to comments on how to avoid this.
@julian I wanted to ask this for sometime... what's the "Find Category" access for?
The "Find Category" permissions allows you to fine-tune whether categories are "discoverable".
For example, I remember back in the day there was a secret club that only special members got to post to, called "Area 51". I could see the category on the forum index, but I couldn't go inside. -- that would be "Find Category" checked but "Access & Read" unchecked.
@julian got it
@julian Does changing access for administrators have any effect? I don't see any change.
Nope, I should remove admins from that list..
@julian I think registered-users and guests should be at the top of the list as well.
Few UI issues and suggestions:
Clicking on edit for any category changes background color of "Categories" nav item on left.
Under "PRIVILEGES / ACCESS CONTROL" section, clicking on any checkbox messes the UI ("User" column)
I think there should be an option to remove a user from the user specific access list.
I can't seem to set permissions at user level. It doesn't let me check the checkbox.
@psychobunny added an option to duplicate a category in the previous UI. Are you going to add that in this UI?
Nice, looking forward to a stable v0.7.0
Great..waiting for the same.
Thanks to the team.
Is there any way to remove a group from the list, or re-order the list?
What I would like to archive is:
new users -> no access to category
registered users-> access, create topic and reply
Unfortunately I added the registered users line first, so even new users have access to the category.
It would be nice if a re-order of line with drag&drop would be possible
@wellenreiter The order is not relevant, the privilege code checks to see if you're in any of those groups, and if you are, then you get access.
You'll probably want to uncheck all the privileges from
registered-users..., and add users to a new group as they are manually approved.
Thanks for the fast answers.
I will revoke the post and reply attribute from the registered-users group and create a new group with post and reply permission, where I add users based on some rules.
Problem is solved