Category security takes no notice of manually set trust levels.



  • Continuing the discussion from How do you know if your forum software is TRWTF?:

    @PJH said:

    We've found another bug. Security settings don't take account of your user level if it's overridden by an admin....

    As per quote.

    1. Bugs was set so level 0, 1 and not logged in users could not see them, in lieu of a default "don't display" option.
    2. Previous lurker signed up so they could view Bugs, only to find it's going to take them a fortnight to progress to level 2 so they can read them again
    3. I manually change their trust level from 0 (or was it 1) to 2 with the expectation that they'd be allowed to view bugs
    4. This manual setting is ignored and they cannot view bugs.

    Impersonating them, I find that (as it does with my level 1 user):

    http://what.thedailywtf.com/category/meta/bug takes me to a blank screen, no "Not allowed", no 404

    Random bug topic http://what.thedailywtf.com/t/http-what-thedailywtf-com-my-inconsistent/791/4?u=pjh generates "Sorry, you don't have access to that topic!"



  • .. and even after

    • I changed the security to add level 1 (my level 1 user can view bugs now)
    • the user has passed the criteria to be level 1

    they still can't seem to see bugs... (I certainly can't when impersonating them.)



  • This looks like a bug with the auto-generated Trust Level groups...

    Hmm, @sam @codinghorror - is there any way to make these groups such that they don't need to even be saved to the database? Because right now there's a table with a ton of entries that just serve as indices for people of certain trust levels, and it feels a bit like dead weight that could be solved with dispatching magic or something.


  • Banned

    Yes, this has been a known issue for a while -- manually setting someone to a particular trust level does not seem to trigger all the right events for permissions.

    @pjh is there any goal to this security change on the bugs category other than testing? E.g. is there some desired outcome? Right now the permissions are a bit odd, it just means trust level 0 users can't see bugs.



  • @codinghorror said:

    @pjh is there any goal to this security change on the bugs category other than testing?

    Of course there fucking is.

    Read why this is an issue to begin with - I (well someone else, but I saw their point) wanted to hide this category to new users, but one such person actively wanted to read them. Trying to allow them access raised this as a problem.

    The fact that there's no way of hiding a category by default meant that this was the only way of achieving what was needed, and since support was lacking when help was asked for meant I had to try this way.


  • Banned

    @PJH said:

    The fact that there's no way of hiding a category by default meant that this was the only way of achieving what was needed, and since support was lacking when help was asked for meant I had to try this way.

    There is, I can easily suppress a category from the latest list, but it seems the community are a bit split about it.



  • @sam said:

    There is,

    How interesting. Which part of the Admin section should I have been looking in?


  • Banned

    It's a messy hidden feature, but you can see it in action at: http://discuss.howtogeek.com/ ("Computer Help" is yanked out of latest and given its own tab)


  • Banned

    We could make it more visible by putting a "hide category from homepage" checkbox on the category edit.


  • Banned

    Yeah, it does make sense to surface this better.



  • @sam said:

    It's a messy hidden feature

    Totally discoverable then... meanwhile I have one very pissed off lurker.


  • Banned

    I can fix this for you, make bugs public and suppress from the latest list, just give me the order ( http://what.thedailywtf.com/t/poll-remove-bugs-from-front-page/851 )



  • @sam said:

    make bugs public and suppress from the latest list

    Still waiting for instructions on how I can do this....

    I've reverted the permissions so everyone can see it now.


  • Banned

    @PJH said:

    Still waiting for instructions on how I can do this....

    This is the format, but be sure to get casing right



  • @sam said:

    This is the format, but be sure to get casing right

    Doesn't that hide it for everyone?


  • Banned

    @PJH said:

    Doesn't that hide it for everyone?

    Yes that would suppress it from the list for everyone, but it would be accessible from http://what.thedailywtf.com/categories

    Are you trying to remove from the list just for new users? And still allow them to access the stuff.

    We would either need a plugin or new feature for that.



  • @sam said:

    Are you trying to remove from the list just for new users? And still allow them to access the stuff.

    Yes. Read the conversation discourse that brought up the issue.


  • Banned

    I follow, we need a new feature for that, I can have a look at what is involved next week, if I can add it in without major amount of refactoring I will do so (maybe even just as a TDWTF plugin you folks can use to customise the instance).

    I think a plugin is actually perfect cause then we avoid even needing a UI for it, just hardcode a patch into the plugin or something.



  • Am I missing something? Wouldn't fixing the outstanding bug in the trust levels (a system which works perfectly for this use case barring said bug) be a much better investment of time? We don't need a new feature, we just need that fucking trust level bug fixed so that the current solution works.



  • @dfcowell said:

    Wouldn't fixing the outstanding bug in the trust levels

    Far too easy it would appear... Or not interesting enough.

    One of the two.

    Also ignores the fact that one user level 1 could access the category on the old security settings, and another level 1 user could not. Either that or the 'impersonation' feature is also buggy....



  • @PJH said:

    Far too easy it would appear... Or not interesting enough.

    I remember @codinghorror saying that this community and its feedback was a good kick in the pants to get them ready for v1.0 - consider this a kick in the pants for getting the forum's ACL - something even phpBB gets right (shock!) fixed for said version, as opposed to a request to burn more time on a pointless sidetrack, @sam.


  • Banned

    @dfcowell said:

    We don't need a new feature, we just need that fucking trust level bug fixed so that the current solution works.

    @sam said:

    Are you trying to remove from the list just for new users? And still allow them to access the stuff.

    @PJH said:

    Yes.

    My understanding is that you still want anonymous lurkers to be able to read bugs, if you want that, you are talking about a new feature.

    Filed under: yes I am going to fix the trust level group mess and write a job to backfill the fix



  • @sam said:

    My understanding is that you still want anonymous lurkers to be able to read bugs, if you want that, you are talking about a new feature.

    If you do what @PJH suggested and read why it's an issue to begin with, or take @codinghorror's advice and read a whole thread before replying (I think that's one of the core problems he's trying to solve with Discourse,) you'd see that we don't want that particular category of user to see it. We just want to allow one user to bypass the "waiting period" or "relief period" or the "gentle don't-shove-bug-reports-down-the-throat-of-every-new-user period" by manually promoting them to a level that sees the bugs.

    This whole thread would have been a non-issue and been over after the first post if you stopped trying to analyse how we're using your product wrong for a change, take the fucking bug report at face value and fix it.

    This isn't infinite scrolling, this isn't a preference or holy war, this is an existing feature that we used to solve our own damn problem the right way not working as designed.



  • As a software engineer who has participated in quite a few "problem solving (email) lists" along with 'real world problems' I'm quite accustomed to asking 'why do you want to solve that solution, and for what problem is it for' when some naive person has decided on a solution that is entirely wrong for the - unstated - problem.

    As a result, I normally try to state the problem I'm trying to solve, as well as my proposed solution for the problem.

    Which appears to have spectacularly failed on this occasion, since the latter has raised a legitimate bug, and people are ignoring it and are fixating on the former.


  • Banned

    @PJH said:

    Which appears to have spectacularly failed on this occasion, since the latter has raised a legitimate bug, and people are ignoring it and are fixating on the former.

    1. Slowly, which lurker is now trust level 2? I need to look at the account

    2. There is this long standing bug I want to fix https://github.com/discourse/discourse/pull/2323, so for the time being you need to set bugs visible to trust level 1, 2, 3, 4 and 5

    3. Also, workaround while I fix the trigger, press the "refresh" button on the groups page to recalculate all automatic groups it will fix the issue of the user missing from the group, I just confirmed on dev.
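
Added example, not part of the thread and not Discourse code: a small Ruby model of the failure discussed above, where category access is decided from stored automatic-group rows rather than from the user's trust level, plus an audit and a rebuild that mirror the "refresh" workaround. The one-group-per-level layout, every name and the sample data are assumptions constructed for illustration.

```ruby
require "set"

# Constructed model of the thread's bug; none of these names are Discourse APIs.
User = Struct.new(:name, :trust_level)

# Assumption: one automatic group per trust level, holding exactly that level's users.
def expected_group(user)
  "trust_level_#{user.trust_level}"
end

# Access is decided from the stored membership rows, not from user.trust_level,
# so a stale row denies access even after an admin raises the level.
def can_see?(user, category_groups, memberships)
  category_groups.any? { |g| memberships.fetch(g, Set.new).include?(user.name) }
end

# Audit: list every user whose stored group rows disagree with their trust level.
def stale_memberships(users, memberships)
  users.each_with_object([]) do |u, out|
    actual = memberships.select { |_, members| members.include?(u.name) }.keys.sort
    expected = [expected_group(u)]
    out << { user: u.name, expected: expected, actual: actual } unless actual == expected
  end
end

# "Refresh": rebuild all automatic groups from the users' current trust levels.
def rebuild_memberships(users)
  users.each_with_object(Hash.new { |h, k| h[k] = Set.new }) do |u, groups|
    groups[expected_group(u)] << u.name
  end
end

# Constructed sample: lurker_example was manually set to level 2,
# but the membership row written at sign-up (level 0) was never updated.
USERS = [
  User.new("admin_example", 4),
  User.new("regular_example", 1),
  User.new("lurker_example", 2)
].freeze
STORED = {
  "trust_level_0" => Set["lurker_example"],
  "trust_level_1" => Set["regular_example"],
  "trust_level_4" => Set["admin_example"]
}.freeze
BUGS_GROUPS = %w[trust_level_2 trust_level_3 trust_level_4].freeze

if __FILE__ == $0
  puts stale_memberships(USERS, STORED).inspect
  puts can_see?(USERS[2], BUGS_GROUPS, rebuild_memberships(USERS))
end
```

Running the audit after every manual trust-level change, or on a schedule, surfaces this kind of drift before a user reports being locked out.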



  • @sam said:

    which lurker is now trust level 2? I need to look at the account

    They aren't. This is the problem. They've been signed up for <24 hrs - given the defaults which still hold, they can't be level 2 for another fortnight. And admin-changing them to level 2 doesn't do what it should.

    Hence this bug.

    Kuro is the user concerned, as should have been evident from the topic linked to in the first post. And from the logs.


  • Banned

    @PJH said:

    can't be level 2 for another fortnight

    Yes they can, go to admin user screen. You can boost them.

    EDIT: boosted to trust level 2 and in the trust level 2 group now.



  • @sam said:

    Yes they can, go to admin user screen.

    Ok. Yes, you're right, they can.

    However, changing them to level 2 doesn't impart level 2 abilities, like viewing stuff that level 2's should be able to view.

    Like the bugs category when the security was set such that level 0 and 1 (and '-1') couldn't.



  • @PJH said:

    Ok. Yes, you're right, they can.

    However, changing them to level 2 doesn't impart level 2 abilities, like viewing stuff that level 2's should be able to view.

    Like the bugs category when the security was set such that level 0 and 1 (and '-1') couldn't.

    Which is what this entire (chain of expletives redacted here) thread is about. So I guess we're back to where we started.


  • Banned

    @PJH said:

    changing them to level 2 doesn't impart level 2 abilities

    Yes, it's just as though they gained the ability. So slowly, can you recap on what bugs you want me to fix. It's late on a Friday and I am skipping eating dinner with my family for this.



  • @sam said:

    Yes, it's just as though they gained the ability.

    Except they aren't gaining the ability. What you're saying should happen doesn't happen as outlined in great detail in the first post of the thread. I don't know if we can slow it down any further. What you are saying does not align with reality.


  • Banned

    @dfcowell said:

    Except they aren't gaining the ability.

    I explained that there is a bug in the refresh logic and am writing a spec to fix it as we speak. I also outlined how @PJH can force a refresh in my post above as a workaround.



  • Great. In that case you're fixing exactly the right bug and you should keep doing what you're doing. :)


  • Banned

    @dfcowell said:

    should keep doing what you're doing.

    I am not sure my wife, son and daughter really agree with you there :)



  • @sam said:

    So slowly, can you recap on what bugs you want me to fix. It's late on a Friday and I am skipping eating dinner with my family for this.

    This bug: Imparting level X on a level Y user should grant level X abilities on that user, regardless of

    • how many topics they've read,
    • how many posts they've read
    • how long they've been viewing topics
    • how many likes they've received
    • how many likes they've given
    • how many (open) flags they have against them
    • how many posts they've made

    In this particular instance, X=2 and Y=0 (or might have been 1 by the time I'd finished messing around.)

    I, also, note that you cannot 'demote' users - level 2 users cannot be set to level 0 for instance.

    Problem that caused this bug to arise: I want to hide, not necessarily disable - but that's the only way I could find to do it, a category from non-logged in users and new users without having to micromanage every single other extant and future category.



  • @sam said:

    I am not sure my wife, son and daughter really agree with you there

    Taking that under consideration, as a son of a father who put work first to the detriment of our current relationship, drop this and get the fuck in there with your family. A delay of three days isn't going to hurt on this one. Now we've established the scope, take the night off. Deadly serious about this post.

    I'm not saying anything about you or your priorities, just that we're not worth it. ;)


  • Banned

    I am done for now ... will pick this up Monday

    @PJH we don't really support sticky demotion if users already met the pre-reqs, it's a huge can of worms. We do, or at least, should support demotion if a user does not meet pre-reqs for the trust level you bumped them up to.



  • @dfcowell said:

    drop this and get the fuck in there with your family

    Agreed. Whereabouts in the world are you @sam (just out of interest)?

    Filed under: ...and how far are you away from York?



  • @Keith said:

    Whereabouts in the world are you @sam (just out of interest

    Given it was early morning on Friday in the UK when he said it was "late Friday", I'm guessing other side of the world from here, on this side of the IDL - China? Malaysia? Japan? Thailand? :smiley:



  • Maybe Australia or New Zealand? Probably not Australia because he would undoubtedly have been devoured by an enormous spider by now.

    Filed under: Don't click me



  • @Keith said:

    Probably not Australia because he would undoubtedly have been devoured by an enormous spider by now.

    If the dropbears and hoopsnakes don't get there first...


  • SockDev

    I find it interesting to note that this is a problem encountered by all other forum software and they all solve it the same way: regularly assigned groups. While there are instances of promotions, the promotions can be withdrawn again.



  • I have it on good authority (read: myself) that it was 4:30ish in Vietnam when he posted that, so I'd be thinking somewhere East of here.


  • Winner of the 2016 Presidential Election

    @PJH said:

    Totally discoverable then... meanwhile I have one very pissed off lurker.

    This made my day :smiley:
    And although I was "one very pissed off lurker" I am now a happy grumpy cat for being able to read the bug-category as well as apparently having skipped one trust level at the same time. It truly is a win-win situation for me :smiley:


  • Banned

    I'm in Sydney Australia


  • Banned

    @Keith said:

    Whereabouts in the world are you @sam (just out of interest)?

    Did he not fill out his location field in his profile? We added it just for you guys..


  • Banned

    I did not, just did now.



  • @codinghorror said:

    Did he not fill out his location field in his profile? We added it just for you guys..

    I did!
    But then someone broke it.


  • Banned

    Doesn't look broken to me! :kissing_closed_eyes:



  • @subscript_error said:

    I did!
    But then someone broke it.

    @codinghorror said:

    Doesn't look broken to me!

    Yep! He broke it:

