Not sure if this is an oversight or maybe I am just paranoid but the feature granted to moderators to invite users into closed forums is great. The problem I have discovered is that the mod_forumuser.ascx control pulls in the access list from the generic YAF.Classes.Data.DB.accessmask_list() method. This returns all access masks in the database including masks that are for administrators. A moderator could add users into access masks that they should not have rights to view themselves let alone anyone else.
I have implemented some code in the BindData() of the mod_forumuser.cs to trim the accesslist after it is returned using my own naming convention. I know this is not ideal for a generic solution and look forward to the YAF developers comments.
In case anyone is interested here is my code
private void BindData()
DataTable dt = YAF.Classes.Data.DB.accessmask_list(PageContext.PageBoardID, null);
DataTable filteredDataTable = new DataTable();
filteredDataTable = dt.Clone();
foreach (DataRow row in dt.Rows)
//Naming convention - all private forums access masks will be "Registered + forumname"
if (row["Name"].ToString() == "Registered " + PageContext.PageForumName)
// Import the Row into dt2 from dt1
AccessMaskID.DataSource = filteredDataTable;
AccessMaskID.DataValueField = "AccessMaskID";
AccessMaskID.DataTextField = "Name";
I hope this is of use, it's a great product and hats of for all your work.
Before pushing this to the current version I believe there needs to be more consideration beforehand. For example, ability to invite people (i.e. grant them access permissions) might be governed by access mask too. In general, I think "moderator" access mask flag should be broken down into few atomic ones. One is inviting, another might be moving/deleting/editing/locking etc. This is up for a discussion.