Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-14800

Permission problem in the mcp

    XMLWordPrintable

Details

    Description

      I believe there is the following inconsistency with moderator's permissions.

      Suppose moderators have a permissions to softdelete posts (m_softdelete), but not to delete posts (m_delete).

      That means that they have access to delete button on each post in viewtopic, since in viewtopic.php the permission is checked this way:

      	$delete_allowed = $force_delete_allowed || ($user->data['is_registered'] && (
      		($auth->acl_get('m_delete', $forum_id) || ($auth->acl_get('m_softdelete', $forum_id) && $row['post_visibility'] != ITEM_DELETED)) ||
      		(!$s_cannot_delete && !$s_cannot_delete_lastpost && !$s_cannot_delete_time && !$s_cannot_delete_locked)
      	));
      

      Meanwhile, should they need to delete many posts instead, they go to the MCP (as they used to in 3.0.x). There they can see the topic with checkboxes on each post, but there is no option in the bottom selector for them to delete marked posts (only to merge/split topics, etc). This is because in mcp_topic permissions are checked differently and m_softdelete is ignored there:

      		'S_CAN_DELETE'		=> ($auth->acl_get('m_delete', $topic_info['forum_id'])) ? true : false,
      

      This is inconsistent both with 3.0 behavior (with softdelete mod ofc) and with viewtopic behavior. Please consider fixing this and allowing moderators to mass soft delete messages from mcp.

      Attachments

        Activity

          People

            Unassigned Unassigned
            BioLogIn BioLogIn
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: