XF Implementing permissions across multiple user groups

You Suck

Owner of: https://webflake.org
Feb 20, 2023
Having logged in to quite a few installations to resolve permission issues, it's clear that a lot of people haven't quite grasped the concept.
So here are a few pointers:
1. All members should have the Registered user group as their primary group - that includes moderators, administrators and super administrators. Like so:


2. Configure the Registered user group to set the minimum permissions you want all members to have. Set those permissions you want them to have to Yes, leave everything else at No.
Do not use Never as it can't be overridden, even with an explicit Yes.
3. For any additional user groups, only change the specific permissions which differ from the settings in the Registered user group -- all other permissions should be left at No -- and add members to them as Secondary user groups.
The reason for doing it like this is it makes it very easy to manage every member with a single permission change and is also fundamental to how the user group promotion system works.
For example, let's assume the Edit own post permission is not permitted for regular members - so set it to No for the Registered user group.
Then if you have a trusted user group which is allowed to edit their posts, just set that specific permission to Yes, leaving everything else set to No.
So it's just a single permission change in that group and any members you now wish to be able to edit their own posts, you just add them to the group as a Secondary user group.
However, let's take another scenario.
Let's assume for some reason you have allowed members the ability to delete their own posts but now you want to stop that. As everyone is in the Registered user group as the primary and that permission is set to Allow, to remove it from everyone all you need to do is set it to No.
If you have members in different user groups as their primary or have that permission set to Yes in more than one user group, then it won't be quite so simple to do that -- you would have to do it for every user group.
Here's an example using the actual permissions from my own site.
Members in the Registered user group only and not in any secondary groups can't delete or edit their own posts:


Those in the Trusted member user group can though:


So the combined permissions for someone who is in both user groups equate to this:


I don't need to explicitly set everything to Yes in the Trusted member user group as those permissions are already set in the Registered user group and the permissions from both user groups combine to create a single permission set.
The same principle applies to any additional permissions and user groups.
It also applies to nodes: just allow or revoke specific permissions for specific users or groups as required.
The more user groups you have, the more beneficial this approach becomes.
I have 20 user groups for example, but I can disable a specific permission for all of them with a single click in the Registered user group.
So the cumulative permissions feature is very powerful and makes it extremely easy to mass manage permissions, if everything is configured correctly.
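
The combination rules above, modelled as an added Python example (not XenForo code and not part of the original post). The group names Legacy and Restricted and the permission keys are constructed for illustration. It resolves a member's effective permission across groups and audits for the two misconfigurations the post warns about: a Never setting, and a Yes duplicated outside the Registered group.

```python
# Added illustration of the Yes / No / Never rules described in the post.
# Not XenForo code; group names and permission keys are constructed samples.
YES, NO, NEVER = "yes", "no", "never"

GROUPS = {  # constructed sample configuration
    "Registered":     {"view": YES, "delete_own_post": YES, "edit_own_post": NO},
    "Trusted member": {"edit_own_post": YES},      # only the one difference is set
    "Legacy":         {"delete_own_post": YES},    # duplicates a base-group Yes
    "Restricted":     {"edit_own_post": NEVER},    # cannot be overridden
}

def effective(groups, member_groups, perm):
    """Combine one permission across a member's primary and secondary groups."""
    values = [groups[g].get(perm, NO) for g in member_groups]  # unset is treated as No
    if NEVER in values:      # Never wins, even over an explicit Yes elsewhere
        return False
    return YES in values     # a single Yes grants; No just means "not granted here"

def audit(groups, base="Registered"):
    """List settings that defeat single-change management from the base group."""
    findings = []
    for name, perms in groups.items():
        for perm, value in perms.items():
            if value == NEVER:
                findings.append((name, perm, "Never cannot be overridden by any Yes"))
            elif value == YES and name != base and groups[base].get(perm) == YES:
                findings.append((name, perm, "duplicate Yes: a base-group No will not revoke it"))
    return findings

if __name__ == "__main__":
    member = ["Registered", "Trusted member"]
    print("edit own post:", effective(GROUPS, member, "edit_own_post"))
    for finding in audit(GROUPS):
        print("audit:", finding)
```

Running the audit before revoking a permission in the Registered group shows which other groups would keep granting it.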