Disallow and Deny - What's the difference when it comes down to permissions

From Online Manual

Jump to: navigation, search

SMF uses an "inclusive" permissions system. This means that the permissions are normally "additive". If a member belongs to two membergroups, and at least one of them is allowed to do something, then that member will be allowed to do that, even if the other membergroup is not allowed to do that thing.

Inclusive Permissions

Here is an example of inclusive permissions:

  • The "Official Announcements" board permission profile is used on the "Club Announcements" board.
  • In this permission profile, membergroup "Club Officers" is allowed to post new topics without approval, but the membergroup "Club Members" is not allowed to post topics without approval.
  • Therefore, if a member belongs to both "Club Members" and "Club Officers", then the member is allowed to post new topics on the "Club Announcements" board without approval.

The Deny Permission

The Deny permission was added in SMF 2.0 to overrule a permission allowed by membership in another membergroup. If a member belongs to a membergroup that has Deny chosen for a permission, then that member will not have that permission, even if that member belongs to another membergroup that has Allow chosen for that permission.

For example:

  • The "Default" board permission profile is used on the "Club Chit-Chat" board.
  • In this permission profile, membergroup "Club Members" has the permission Allow to post new topics without approval, but post-based membergroup "New Member" has the permission Deny to post new topics without approval.
  • Therefore, every user in the membergroup "New Member" will always need approval on posts in the "Club Chit-Chat" board, even if they are also in the membergroup "Club Members".

Enabling the Option to Deny Permissions

To enable Deny permissions, go to Permissions Settings and check the box for Enable the option to deny permissions. Deny permissions can be difficult to keep track of. Use them sparingly to avoid confusing problems when members belong to more than one membergroup. The Deny permission is not available for the Guest pseudo-membergroup because guests never belong to any other membergroup.