It's not possible out of the box. The finest level of security is at the forum/group level. You'd have to have individual forums or modify the code to support topic level security. [originally posted on jforum.net by monroe]
I just looked at this briefly but it looks like I have to create this role in the jforum_roles table. Then I modify the permissions.xml to include this role. Once I have this set up, I can then start assigning this new role to a groups/forums. Is this correct?
I haven't looked at the source code but can you give me a rough idea about how difficult this would be to do? I want it set up so that the people using the forum can only see the topics that they post. No change on the moderator side. They should be able to see and respond to anybody.
The reason that I ask is because I'm considering developing this from scratch but since we use jforums here, it makes sense to see if we can adapt it to this. We have done some recoding of the jforum source but all surrounding customizing the login. I currently have no idea how permissions work. [originally posted on jforum.net by hmppi]
A lot of this depends on how you are going to integrate this with JForum. If it's a special forum among other forums, you will have to look at all the places that a topic thread can be exposes. E.g., the search feature, RSS listing, recent topics, profile "posts by", and the like. Somewhere, the code for these currently does security checks. Generally based via the PermissionControl object's canAccess methods. These security checks would need to be expanded to check for your new security role.
On big issue to figure out is how to grant the owner's specific rights. JForum's security model is based around groups having permissions and not individuals. So you may have to create groups for each user in some automatic fashion.
That said, if you are not too concerned about security, you might be able to "fake" this by just having an trimmed down instance of JForum without searching, profile, etc and a custom template that just lists the topics based on the logged in user id. The problem with this is that it's security by obscurity. Someone can still play games with the URL numbers to access threads they can't see. [originally posted on jforum.net by monroe]
This will have to be a special forum among other forums. What I was thinking was having a new role let's call it perm_see_own_topics. This role can be assigned at the group/forum level and when it's assigned, the members of that group can only see there own topics within those forums. The moderator of the forum will belong to a separate group where this role has not been assigned. Does this sounds like it will work or am I misunderstanding permissions?
I didn't think of the other stuff (search, recent topics...) so thanks for the heads up. [originally posted on jforum.net by hmppi]
It's do-able but you'll need to find the right spots to add in the checks and have all the needed info to make that decision, e.g., the topic id, the topic poster, the current user, etc.
Just be warned that some of the security code can give you a big headache trying to walk thru it... especially the code that combines all the user's group rights. But you probably won't have to go there.
FWIW, if you deny everyone but the moderators and posters access to this group, that will limit the recent, search, etc.. problems to just those two groups. [originally posted on jforum.net by monroe]