Fix buggy allauthusers permissions #194

Merged

@BrendaH BrendaH commented Mar 17, 2020

Fix bug in #193 and update/add some tests that could've found this bug.

When a logged in user does not have a group with rights on forum X, the
all_authenticated_users permissions for forum X were not taken into account.

Add a test to prove this bug and fix it by taking a block of code outside of
the if that checks if there were group permissions on the given forum, but keep
it within the if for not self.user.is_anonymous.

Closes ellmetha#193

To be able to take into account the per_forum_nongranted_all_users_permcodes
when making the final granted_user_permcodes list, we need to move the block
that computes this list to the bottom of the whole get_perms_for_forumlist
function.

We also add a test to ensure that all_authenticated_users permissions take
precedence over the default_authenticated_permissions (which possibly come from
settings), which is now the case by doing the code move mentioned above.

The test class sets the can_see_forum permission in
DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS at setup. To make the test
test_knows_that_alluser_permissions_take_precedence_over_alluser_global_permissions
more transparent we do not use can_see_forum to check here but
can_edit_own_posts. Effectively ignoring (not using) the default permissions
setting for this test.

Using can_see_forum obscured the bug in ellmetha#193 because the default permissions
set it to True, passing the check in this test which would not have passed with
a different permission to check that was not elsewhere set to True.
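
A simplified model of the bug and fix described in the commit messages above, as an added example that is not django-machina's code or part of the original PR. The function names, data shapes and the sample forums X and Y are hypothetical.

```python
# Simplified, hypothetical model of the permission resolution discussed above.
# Not django-machina code; anonymous-user permissions are not modelled.

DEFAULTS = {"can_see_forum"}  # stands in for DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS
# Constructed sample data: forum -> {permission codename: granted?}
ALL_AUTH = {
    "X": {"can_edit_own_posts": True},
    "Y": {"can_see_forum": False},
}
GROUP = {}  # the logged-in user has no group with rights on any forum


def _granted(rules):
    return {code for code, ok in rules.items() if ok}


def perms_buggy(forum, is_anonymous, group=GROUP, all_auth=ALL_AUTH, defaults=DEFAULTS):
    granted = set()
    if not is_anonymous:
        granted |= defaults
        group_rules = group.get(forum, {})
        if group_rules:
            granted |= _granted(group_rules)
            # Bug: all-authenticated-users rules are only read when group rules exist.
            granted |= _granted(all_auth.get(forum, {}))
    return granted


def perms_fixed(forum, is_anonymous, group=GROUP, all_auth=ALL_AUTH, defaults=DEFAULTS):
    granted = set()
    if not is_anonymous:
        group_rules = group.get(forum, {})
        if group_rules:
            granted |= _granted(group_rules)
        # Outside the group check, still inside the authenticated-user check.
        all_rules = all_auth.get(forum, {})
        granted |= _granted(all_rules)
        # Computed last so a per-forum all-users rule overrides the default.
        nongranted = {code for code, ok in all_rules.items() if not ok}
        granted |= defaults - nongranted
    return granted
```

Checking `can_see_forum` on forum X gives the same answer in both versions because the default grants it, which is why the test in this PR checks `can_edit_own_posts` instead.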

@SundialServices SundialServices left a comment

Your latest commit of moving stuff to the end broke permissions on my site causing all forums to not-appear. Also: I am still having a problem where forum-categories as a whole are not appearing and/or are appearing as empty. I have no settings concerning these categories but they don't appear at all unless I do. Strangely, not every forum group is like this. After applying the patch, anonymous users saw "no forums." Right now I'm struggling with the problem that some forum-groups show all entries, some are listed but have no content, and some do not appear at all.

KEY DISCOVERY: If a user is "authenticated" but not in any group, he does not see any forum or forum-group which occurs AFTER a forum or forum-bar for which (login) group rules have been defined. They do not appear at all if the user is authenticated but not part of a group. This is the (buggy ...) rule that prevents them from appearing.

BrendaH commented Mar 18, 2020

> KEY DISCOVERY: If a user is "authenticated" but not in any group, he does not see any forum or forum-group which occurs AFTER a forum or forum-bar for which (login) group rules have been defined. They do not appear at all if the user is authenticated but not part of a group. This is the (buggy ...) rule that prevents them from appearing.

Thank you for your testing and feedback. However, I do not seem to be able to reproduce this problem. I'm not totally clear on the issues you're describing.
Could you please describe your forum structure, the structure of your forum permissions and if you have the setting DEFAULT_AUTHENTICATED_USER_FORUM_PERMISSIONS set? And then in which cases the problem occurs.

Because I have just tested with this setup:

categoryforum 1
  subcategory 1 (normal type forum)
  subcategory 2 (normal type forum)

categoryforum 2
  subcategory 2.1 (normal type forum)

Permissions:
categoryforum 1: all_auth_users may see and write, group A may NOT see and write
  subforum 1: all_auth_users may see and write
  subforum 2: all_auth_users may see and write

categoryforum 2: all_auth_users may see and write
  subforum 2.1: no permissions at all

Then a logged in user that is not in any group can see categoryforum 1 and its content (2 subfora) and see the bar of categoryforum 2 (but not subforum 2.1). So there is a group-permission in place on categoryforum 1, as you describe in your bug report. But still my logged in user (not in any groups) gets to see the bar for categoryforum 2, as expected. But if I understand your bug report right, then you do not get to see categoryforum 2?
The reason the user may NOT see subforum 2.1 is that django-machina does not inherit permissions. So you have to set permissions on subfora separately. (When I do that for all_auth_users, my user gets to see the subforum as well.)

@ellmetha ellmetha merged commit 8d989f6 into ellmetha:master Aug 9, 2020