xoops 2.4.4

We have a group NPM for people we don't want to have access to the PM system. That part is working, however these users can't access our FAQs or articles even though those are open to all even anon users.

In the FAQs if we set the access on each entry, access is granted but this is clearly the wrong way to manage access.

http://foreverpurple.com/images/permissions.PNG

Mosttimes the registered users defines the common access.
Special groups defines their additions.
The users get automatically in the registered groups and are added to special groups as required.
The permission system is cumulative, so these users gets their base permissions + the permissions of the special group(s) they are member of.
In your case, this means that registered users should not have access to PM, and that this is granted for users that deserve it and they become then member of the PM group, which allows PM's by enablinging the module access for module PM. When these users are member of a special groups, you could also enable it for these groups.

If there are only few users that may not PM (Is there a reason for doing so?), then you have to duplicate all permissions of the xoops system (see your image, except of course PM) and also theones inside the modules as eg News category access of the registered users group for the NPM group. These users are then member from the NPM group but not from the registered users.

This could be an interresting thread

The question is:
How do you manage permissions, user-groups and users?

As I see it, you want to ad users into groups and add permissions to groups. One user one group.
If a members don't want to have PM, you move them from "Registered users" group to NPM group - is that right?

That will kill you in user-administration (depending of the amount of users)

If XOOPS did have a deny-permission you could add a deny permission for PM module in the NPM group and add that group to users there don't want PM.

My advise (and best practice in RBAC)
Let all users be "Registered users" and remove PM from "Registered users" group.
Create a PM group with access to PM module.
Add all users to PM group (one user -> many groups)
If someone don't want the PM, you just move them out of the PM group.

A question somewhat related to this is how do you actually disable someone from showing up in the list of users you can send a PM to?

AFAIK regardless of the status of a user (active/inactive) or group access, the user will show up in the recipient list.

A bug, a missing feature, or is it just me? Is there any other PM module that actually addresses this? It's pretty confusing to list users not having access to the PM module as possible recipients.

Our membership is relatively small and the group of users that are NPM is a small portion.

It seems like more administrative work to create a PM group and add 95% of the members back to this group to give them PM access. Is there some way to do a bulk change?

We have had a few teens that abuse PMs and in the past month a few questionable members who may have joined solely to harvest members.

I believe this was working fine before we did the last XOOPS upgrade.

Quote:Giving in all modules the permissions to the NPM group, may also be some administrative work, but then you have only the bad users to move.
Quote:Then a NPM group would be best, but for abusers, I recommend to throw them out completly.
Quote:What do you mean by 'this'?

I mean that I'm fairly certain the NPM users group had no problems accessing all the modules before we did our last upgrade. I didn't hear that it was an issue till after we went to 2.4

yes if the new members are truly abusers they will be banned but until we know who is joining for legit reasons versus non legit we are making new members NPM for right now. This just started in the past month or two mind you, never been an issue in the past so its not been standard practice to place someone in NPM. Prior to this I believe we had TWO users in NPM.