MyBB Documentation

Permissions

MyBB relies on numerous settings, permissions, and quotas that can determine board functionality. These can be configured through:

  • global board settings,
  • individual forums’ settings,
  • individual users’ permissions,
  • global user groups’ permissions,
  • user groups’ permissions for individual forums,
  • visibility states of threads and posts.

While permissions checks related to specific actions (that result in data insertion or modification) are usually simple, resolving read access within the forum hierarchy may involve checking multiple unrelated entries (e.g. search results) and their parent hierarchy against multiple users’ permissions (e.g. thread subscribers).

Missing or incorrect permission logic can compromise the board’s integrity and confidentiality, and may be considered a vulnerability.

Permission Controls

User Groups’ Forum Permissions

Permissions of members of user groups in individual forums are stored in mybb_forumpermissions database table columns as 0 or 1, with rows identified by:

  • the group ID (gid), and
  • the forum ID (fid).

Permissions related to read access include (listed as column name, meaning of value 1, and conflict resolution when the target user belongs to multiple groups):

  • canview: can view the forum (subforum list, rules, announcement list); effective value is 1 if and only if any of the user’s groups has 1
  • canviewthreads: can view threads and announcements; effective value is 1 if and only if any of the user’s groups has 1
  • canonlyviewownthreads: cannot view threads created by other users or by guests; effective value is 1 if and only if all of the user’s groups have 1

This data is cached in the forumpermissions datacache.
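The merging rule in the list above, carried through in code as an added example that is not MyBB's own: a user belonging to several groups gets the "any 1" columns when at least one group grants them, and keeps the "all 1" restriction only when every group carries it. The FORUM_PERMISSIONS rows, the group IDs and the function name effectiveForumPermissions are constructed for this example; it assumes a row exists for each group and forum pair, whereas MyBB's own forum_permissions() falls back to the group's default permissions when none does.

```php
<?php
// Added example (not MyBB's own code): resolve a user's effective read permissions for
// one forum from the mybb_forumpermissions rows of every group the user belongs to,
// using the conflict resolution stated above: "any 1" columns are granted when at
// least one group grants them, "all 1" columns apply only when every group has 1.

// Constructed sample rows, keyed gid => fid => column => 0|1.
const FORUM_PERMISSIONS = [
    2 => [1 => ['canview' => 1, 'canviewthreads' => 1, 'canonlyviewownthreads' => 1]],
    5 => [1 => ['canview' => 1, 'canviewthreads' => 0, 'canonlyviewownthreads' => 0]],
    6 => [1 => ['canview' => 0, 'canviewthreads' => 0, 'canonlyviewownthreads' => 1]],
];

// Conflict resolution class of each column, as in the list above.
const ANY_ONE = ['canview', 'canviewthreads'];
const ALL_ONE = ['canonlyviewownthreads'];

/**
 * @param int[] $gids every group the user belongs to (primary and additional groups)
 * @return array<string,int> effective 0/1 value per column
 */
function effectiveForumPermissions(array $gids, int $fid): array
{
    // Start from the identity of each rule: "any" starts at 0, "all" starts at 1.
    $result = [];
    foreach (ANY_ONE as $name) {
        $result[$name] = 0;
    }
    foreach (ALL_ONE as $name) {
        $result[$name] = 1;
    }

    foreach ($gids as $gid) {
        // Assumption of this example: a row exists for every (gid, fid) pair. MyBB's own
        // forum_permissions() instead falls back to the group's default permissions when
        // no forum-specific row exists; here a missing row is an error rather than a
        // silent grant or denial.
        $row = FORUM_PERMISSIONS[$gid][$fid] ?? null;
        if ($row === null) {
            throw new RuntimeException("no forumpermissions row for gid=$gid, fid=$fid");
        }
        foreach (ANY_ONE as $name) {
            if (($row[$name] ?? 0) == 1) {
                $result[$name] = 1;
            }
        }
        foreach (ALL_ONE as $name) {
            if (($row[$name] ?? 0) != 1) {
                $result[$name] = 0;
            }
        }
    }
    return $result;
}

// Member of groups 2 and 5: both viewing columns come from group 2 ("any"), while
// group 5 lifts the canonlyviewownthreads restriction ("all").
print_r(effectiveForumPermissions([2, 5], 1));
// Member of groups 2 and 6: every group restricts to own threads, so the restriction holds.
print_r(effectiveForumPermissions([2, 6], 1));
```

The asymmetry matters for review: a permissive column defaults to denied and is raised by any group, while the restrictive column defaults to restricted and is only lifted when every group agrees, so adding a user to an extra group can never tighten canview or canviewthreads and can never loosen canonlyviewownthreads on its own.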

Moderators’ Forum Permissions

Permissions related to forum moderation are stored in the mybb_moderators database table columns as 0 or 1, with rows identified by:

  • the user or group type (isgroup: 0 or 1), and the ID of the user or the user group (mid), and
  • the forum ID (fid).

Permissions related to read access include (listed as column name, meaning of value 1, and conflict resolution when several moderator entries apply to the target user):

  • canviewdeleted: ability to view soft deleted content; effective value is 1 if and only if any applicable entry has 1
  • canviewunapprove: ability to view unapproved content; effective value is 1 if and only if any applicable entry has 1
  • canviewips: ability to view IP addresses; effective value is 1 if and only if any applicable entry has 1
  • canviewmodlog: ability to view moderator logs; effective value is 1 if and only if any applicable entry has 1

This data is cached in the moderators datacache.

Visibility State

A general visibility state of threads and posts is represented by a numeric value, stored in the visible column of the mybb_threads and mybb_posts database tables.

Values, with their meaning and access conditions:

  • -2 (Draft): the target user is the author, and is not a guest
  • -1 (Soft Deleted):
    • for full access: the target user has the canviewdeleted moderator permission for the containing forum
    • for the deletion notice (without content): the target user has the canviewdeletionnotice permission for the containing forum
  • 0 (Unapproved): either
    • the target user has the canviewunapprove moderator permission for the containing forum, or
    • the showownunapproved setting is enabled, and the target user is the author, and is not a guest
  • 1 (Generally visible): no additional conditions

Entries in the draft state (-2) can usually be excluded, as drafts are managed separately (e.g. within the User CP).

Forum Options

Certain forum options set in the Admin CP affect the visibility of forums and their content.

Options related to read access include:

  • Forum is Active? (active): whether a forum and its content are generally accessible. Access condition: active is 1 for the forum and all parent forums.
  • Forum Password (password): a global password required for access. Access condition: the password has been verified within the target user’s session for the forum and all parent forums.

In addition to checking individual forums, their parent hierarchy may also need to be taken into account using:

  • the mybb_forums.pid database table column, storing the parent forum’s ID, and
  • the mybb_forums.parentlist database table column, storing the IDs of all parent forums and the target forum.

This data is cached in the forums datacache.

Authorization Logic

Forum Content Access

  • Forum Metadata

    To view basic information of a forum (e.g. title, description), all of the following must be satisfied:

    • the forum and its parent forums are active (active status is 1)
    • the target user has viewing permissions for the forum and its parent forums (canview is 1)
  • Forum Content

    To view basic content associated with a forum (e.g. rules, announcement list), all of the following must be satisfied:

    • Forum Metadata conditions are satisfied
    • the forum and its parent forums have no password set, or the passwords were validated for the target user in their active session
  • Thread

    To view a thread, all of the following must be satisfied:

    • Forum Metadata conditions are satisfied for the associated forums
    • Forum Content conditions are satisfied for the associated forums
    • the target user has thread viewing permissions for the forum (canviewthreads is 1)
    • the target user has permissions to view anyone’s threads for the forum (canonlyviewownthreads is 0), or is the author of the thread and is not a guest
    • the thread’s visibility conditions are satisfied for the target user (see Visibility State)
  • Post

    To view a post, all of the following must be satisfied:

    • Forum Metadata conditions are satisfied for the associated forums
    • Forum Content conditions are satisfied for the associated forums
    • Thread conditions are satisfied for the associated thread
    • the post’s visibility conditions are satisfied for the target user (see Visibility State)
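The four condition sets above carried through in one place, as an added example that is not MyBB's own code: it walks parentlist for the active and canview checks, treats a forum password as verified only when the forum ID appears in a constructed verified_passwords list standing in for session state, and applies the Visibility State rules first to the thread and then to the post. All rows, permission arrays and function names (forumChain, canViewForumMetadata, canViewForumContent, visibilityAllows, canViewThread, canViewPost) are constructed for this example, the group permission columns are assumed to be already resolved per forum, and only full access to soft-deleted content is modelled.

```php
<?php
// Added example (not MyBB's own code): evaluates the Forum Metadata, Forum Content,
// Thread and Post conditions against constructed in-memory data.

// Constructed forums datacache rows; parentlist is the comma-separated chain of parent
// forum IDs ending with the forum itself.
$forums = [
    1 => ['pid' => 0, 'parentlist' => '1',     'active' => 1, 'password' => ''],
    2 => ['pid' => 1, 'parentlist' => '1,2',   'active' => 1, 'password' => 'secret'],
    3 => ['pid' => 2, 'parentlist' => '1,2,3', 'active' => 0, 'password' => ''],
];
// Constructed effective group permissions of the target user, per forum.
$perms = [
    1 => ['canview' => 1, 'canviewthreads' => 1, 'canonlyviewownthreads' => 0],
    2 => ['canview' => 1, 'canviewthreads' => 1, 'canonlyviewownthreads' => 1],
    3 => ['canview' => 1, 'canviewthreads' => 1, 'canonlyviewownthreads' => 0],
];
// Constructed moderator permissions of the target user, per forum (missing forum => none).
$modPerms = [2 => ['canviewdeleted' => 0, 'canviewunapprove' => 1]];
$settings = ['showownunapproved' => 1];
// Target user; 'verified_passwords' is this example's assumed stand-in for the session
// state in which forum passwords already entered by the user are recorded.
$user = ['uid' => 42, 'verified_passwords' => [2]];

function forumChain(array $forums, int $fid): array
{
    return array_map('intval', explode(',', $forums[$fid]['parentlist']));
}

// Forum Metadata: active status 1 and canview 1 for the forum and all of its parents.
function canViewForumMetadata(array $forums, array $perms, int $fid): bool
{
    foreach (forumChain($forums, $fid) as $f) {
        if ($forums[$f]['active'] != 1 || ($perms[$f]['canview'] ?? 0) != 1) {
            return false;
        }
    }
    return true;
}

// Forum Content: Metadata conditions plus a verified password along the whole chain.
function canViewForumContent(array $forums, array $perms, array $user, int $fid): bool
{
    if (!canViewForumMetadata($forums, $perms, $fid)) {
        return false;
    }
    foreach (forumChain($forums, $fid) as $f) {
        if ($forums[$f]['password'] !== '' && !in_array($f, $user['verified_passwords'], true)) {
            return false;
        }
    }
    return true;
}

// Visibility State conditions for one threads/posts row. Only full access is modelled;
// the deletion-notice case (canviewdeletionnotice) for soft-deleted content is omitted.
function visibilityAllows(array $modPerms, array $settings, array $user, array $row): bool
{
    $isAuthor = $user['uid'] != 0 && $user['uid'] == $row['uid'];
    $mod = $modPerms[$row['fid']] ?? [];
    switch ((int) $row['visible']) {
        case -2: // draft
            return $isAuthor;
        case -1: // soft deleted
            return ($mod['canviewdeleted'] ?? 0) == 1;
        case 0:  // unapproved
            return ($mod['canviewunapprove'] ?? 0) == 1
                || ($settings['showownunapproved'] == 1 && $isAuthor);
        case 1:  // generally visible
            return true;
        default: // unknown state: deny
            return false;
    }
}

function canViewThread(array $forums, array $perms, array $modPerms, array $settings, array $user, array $thread): bool
{
    $p = $perms[$thread['fid']] ?? [];
    $isAuthor = $user['uid'] != 0 && $user['uid'] == $thread['uid'];
    return canViewForumContent($forums, $perms, $user, $thread['fid'])
        && ($p['canviewthreads'] ?? 0) == 1
        && (($p['canonlyviewownthreads'] ?? 1) == 0 || $isAuthor) // missing column: restrictive
        && visibilityAllows($modPerms, $settings, $user, $thread);
}

function canViewPost(array $forums, array $perms, array $modPerms, array $settings, array $user, array $thread, array $post): bool
{
    return canViewThread($forums, $perms, $modPerms, $settings, $user, $thread)
        && visibilityAllows($modPerms, $settings, $user, $post);
}

// Constructed rows covering the common outcomes.
$ownThread      = ['tid' => 10, 'fid' => 2, 'uid' => 42, 'visible' => 1];
$othersThread   = ['tid' => 11, 'fid' => 2, 'uid' => 7,  'visible' => 1];
$inactiveThread = ['tid' => 12, 'fid' => 3, 'uid' => 42, 'visible' => 1];
$approvedPost   = ['pid' => 100, 'tid' => 10, 'fid' => 2, 'uid' => 7, 'visible' => 1];
$deletedPost    = ['pid' => 101, 'tid' => 10, 'fid' => 2, 'uid' => 7, 'visible' => -1];

var_dump(canViewPost($forums, $perms, $modPerms, $settings, $user, $ownThread, $approvedPost)); // every condition applies
var_dump(canViewPost($forums, $perms, $modPerms, $settings, $user, $ownThread, $deletedPost));  // soft deleted, no canviewdeleted
var_dump(canViewThread($forums, $perms, $modPerms, $settings, $user, $othersThread));          // canonlyviewownthreads, not the author
var_dump(canViewThread($forums, $perms, $modPerms, $settings, $user, $inactiveThread));        // forum 3 is inactive
```

Two design choices are worth keeping when adapting this: the thread's conditions are evaluated before the post's own visibility, so a generally visible post inside a thread the user may not see is still denied, and any visible value outside the documented set, or a missing permission column, is treated as a denial rather than as 1.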

Examples

The following code is included for demonstrative purposes only, and may not conform to production coding standards.

  • Fetching Recent Posts for the Current User

    // assumes the global $mybb and $db objects are in scope
    require_once MYBB_ROOT . 'inc/functions_search.php';

    $where = '';

    // forums that are not "active"
    if ($csv = get_inactive_forums()) {
        $where .= ' AND p.fid NOT IN (' . $csv . ')';
    }

    // forums with no "canview" permission for the current user,
    // forums with no "canviewthreads" permission for the current user,
    // forums with a password that was not verified for the current user
    if ($csv = get_unviewable_forums(true)) {
        $where .= ' AND p.fid NOT IN (' . $csv . ')';
    }

    // forums with "canonlyviewownthreads" condition for the current user
    $groupPermissions = forum_permissions();

    if ($groupPermissions === false) {
        throw new Exception('Forum permission cache problem');
    }

    $onlyOwnThreadsVisibleForums = [];

    foreach ($groupPermissions as $fid => $forum) {
        if (isset($forum['canonlyviewownthreads']) && $forum['canonlyviewownthreads'] == 1) {
            $onlyOwnThreadsVisibleForums[] = $fid;
        }
    }

    if ($onlyOwnThreadsVisibleForums) {
        if ($mybb->user['uid'] != 0) {
            // registered users may still see their own threads in restricted forums
            $where .= ' AND (
                p.fid NOT IN (' . implode(',', $onlyOwnThreadsVisibleForums) . ') OR
                t.uid = ' . $mybb->user['uid'] . '
            )';
        } else {
            // guests have no own threads, so restricted forums are excluded entirely
            $where .= ' AND p.fid NOT IN (' . implode(',', $onlyOwnThreadsVisibleForums) . ')';
        }
    }

    // visibility state conditions for the posts and threads tables
    $where .= ' AND ' . get_visible_where('p');
    $where .= ' AND ' . get_visible_where('t');

    // execute query
    $query = $db->query("
        SELECT message
        FROM
            " . TABLE_PREFIX . "posts p
            LEFT JOIN " . TABLE_PREFIX . "threads t ON p.tid = t.tid
        WHERE 1=1 {$where}
        LIMIT 5
    ");