
Geeklog Forums

Owners couldn't edit


pantalones

Anonymous
I was having a problem with my blog, www.sixdegreesofsaturation.com, and I thought you might like feedback on the workaround that I implemented.

I am the only super Admin of the site. The only other type of users are Story Admins. My hopes were that users could post their stories and edit them (only their stories). So, I left the default permissions for all postings. The problem is, even though they were owners of their stories, they were not owners of the Topics, nor were they in the Topic Admin group (because I don't want them editing this). Additionally, even if they were in the topic group, they wouldn't have edit permissions (Read-only is the default permission for topics). So, the only alternative I was left with was to give Story Admins read/write access to each topic. But there's a problem here...

In story.php, near line 98, the code first checks to see if you have permission to edit the story. Regardless of the authorization here, the code then checks your Topic permissions.

I was running into a situation where the user had read/write access to a story, but was then being trumped by the fact that they didn't have read/write access in the Topic. Essentially, it doesn't matter what sort of permissions are set on the story, because the Topic always wins. In my previous solution, if I gave Story Admins read/write access to the Topic, they'd all have permissions to edit every story.

So, what I did was add a little logic to skip the Topic permission check if you've already got read/write permissions from the story. I'm sure that this logic will fail in some scenarios, but it works for resolving my problem. Here's the sample code:

$access = SEC_hasAccess($A['owner_id'],$A['group_id'],$A['perm_owner'],$A['perm_group'],$A['perm_members'],$A['perm_anon']);

// If user has been granted access from the story permissions, do not check the topic permissions
if ($access < 3) {
    $access = min ($access, SEC_hasTopicAccess ($A['tid']));
}

Hope this helps you in some way. Thanks for the great blog system.

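The two rules from the post side by side, as an added example that is not part of the original post or Geeklog's own code. The function names are hypothetical stand-ins for the logic around SEC_hasAccess and SEC_hasTopicAccess, and the levels assume Geeklog's 0 / 2 / 3 scale (none, read-only, read/write).

```php
<?php
// Access levels on Geeklog's scale (assumed here):
// 0 = no access, 2 = read-only, 3 = read/write.

// Stock rule described in the post: the topic always caps the story.
// (Hypothetical function name.)
function effectiveAccessStock(int $storyAccess, int $topicAccess): int
{
    return min($storyAccess, $topicAccess);
}

// Workaround from the post: the topic is consulted only when the
// story permissions grant less than read/write. (Hypothetical name.)
function effectiveAccessWorkaround(int $storyAccess, int $topicAccess): int
{
    if ($storyAccess < 3) {
        return min($storyAccess, $topicAccess);
    }
    return $storyAccess;
}

// Hypothetical helper: enumerate every story/topic combination and
// return the ones where the two rules give a different result.
function differingCases(): array
{
    $levels = [0, 2, 3];
    $diff = [];
    foreach ($levels as $story) {
        foreach ($levels as $topic) {
            $stock = effectiveAccessStock($story, $topic);
            $patched = effectiveAccessWorkaround($story, $topic);
            if ($stock !== $patched) {
                $diff[] = compact('story', 'topic', 'stock', 'patched');
            }
        }
    }
    return $diff;
}

foreach (differingCases() as $c) {
    printf("story=%d topic=%d stock=%d workaround=%d\n",
        $c['story'], $c['topic'], $c['stock'], $c['patched']);
}
```

The rules differ only when the story grants 3 and the topic grants less, which includes a topic the user has no access to at all (topic = 0), so that combination is the one to review before relying on the change.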