1 btokarchuk Jan 26, 2005 18:43
3 btokarchuk Jan 27, 2005 01:11
Hey Topanga, thanks for the reply.
Ya, I had thought of that too, but the user had _no_ permissions to view anything, and then as soon as I made them a member of the ALL blog and then hit refresh on the main page, a whole bunch of protected posts appeared.
That's why I said I'm not sure if it is a bug ... considering that, as I mentioned in the other post, I had to hack my cookie domain. So maybe there is some strange interplay between the hack and such.
....
Ok, I just managed to do the exact same thing on my home blog (not on an intranet).
....
When I get a chance I'm going to do a clean install and see if I can get it to do it.
Make sure none of ANY of the hacks I've done are causing this strange behaviour.
I'll get back to you.
4 btokarchuk Jan 27, 2005 07:49
Ok, I just did a clean install with the zip file from the website. New database, new directory and only admin and demouser on the system.
Here is what I did:
1. admin makes a protected post in blog a.
2. I check to ensure that it's visible to that user and not demouser in Blog All (it's not, which is good)
3. I go through and make sure that demouser has no permissions in any of the blogs, using the uncheck all option.
4. I check again to ensure demouser can't see protected post in blog A (it can't)
5. I make demouser a member of Blog All in the blog permissions
6. I check again to see if demouser can see anything.
7. Demo user can now see my test post.
I'd say this is pretty strong evidence that there is a problem.
Check it out yourself. I've put this test install at:
http://b2evo.borderlinereckless.com/
admin login:
user: admin
pass: admin
demouser login:
user: demouser
pass: demouser
5 btokarchuk Jan 27, 2005 08:47
Ok, wanted to make sure it wasn't my server, same behaviour here:
http://members.lycos.co.uk/totn2/
logins and passes the same.
BT
6 topanga Jan 27, 2005 10:30
Indeed, very strange (scary) behaviour.
(I checked your blog with the given usernames)
I checked my blog immediately (because I do have my very personal diary in the same blog)
Lucky for me, in my blog it was not happening.
I can only say: you are right, and it is not normal.
I can't point you where you could fix it.
7 edb Jan 27, 2005 16:03
btokarchuk wrote:
5. I make demouser a member of Blog All in the blog permissions
Blog 1 aggregates all posts from all blogs, therefore the protected post in blog 2 is also a protected post in blog 1. demouser is a member of blog 1 and can therefore see protected posts in blog 1.
Doesn't sound like a bug to me. The 'solution' is to not make people members of blog 1 unless you want to give them access to all protected content across all blogs.
8 topanga Jan 27, 2005 16:25
EdB
I notice that in my blog, it is not happening like btokarchuk is saying.
To me, it is *not* normal that this thing is happening.
Because the real parent still is 'blogA' and not 'blog All'.
9 btokarchuk Jan 27, 2005 16:27
Hey EdB,
That's what I was getting at in my original post. I wasn't sure if that was the intended behaviour or not. Without looking at the code I can't be definitive, but being a programmer myself I can see where the logic disconnect between the two modes of operation could come in development. My workaround was, as you suggested, to not make them members of blog A. I guess it just made more sense to me to think that Blog All would aggregate all posts according to their appropriate permissions.
Ok, cool.
I just wanted to see what the community thought.
BT
10 edb Jan 27, 2005 16:46
I duplicated the behaviour on a stock v10 installation.
Given that Topanga is not able to duplicate the issue I suspect there may be something deeper going on. Something to do with php or mysql version? Dunno, but it's repeatable and (reasonably) logical.
I reckon the best way to do it (code-wise) is to say "this here logged in visitor is on blog 1 and the next post to consider showing is a protected post so I better check all the cats the post is associated with and figure out which blog the cat(s) belong in and see if the visitor is a member of any of those blogs".
11 btokarchuk Jan 27, 2005 17:57
I reckon the best way to do it (code-wise) is to say "this here logged in visitor is on blog 1 and the next post to consider showing is a protected post so I better check all the cats the post is associated with and figure out which blog the cat(s) belong in and see if the visitor is a member of any of those blogs".
Ya, that sounds right. In addition to your statement I would add "this here logged in visitor is a member of blog 1 and the next post to consider showing is protected and comes from blog X. I better ensure that this guy is also a member in this other blog."
See, it's interesting cuz you can create categories and actually post in Blog 1 if you want. Which is a bit strange. I'm not sure if that should really be allowed for a blog that aggregates other blogs. But then again who am I to say :). Ideally it would be best if a person could create any number of these meta blogs and choose which blogs to aggregate into them. I know this has been discussed so I won't really get into this in depth again.
BT.
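The check edb and btokarchuk describe in the two posts above, set beside the reported behaviour, as an added example that is not part of the thread and is not b2evolution code. The data model, blog and category ids, the user "writer" and all function names are assumptions made up for illustration.

```python
from dataclasses import dataclass

AGGREGATE_BLOG = 1  # "Blog All", which lists posts from every blog

# Constructed sample data: category id -> blog that owns the category.
CATEGORY_BLOG = {5: 1, 10: 2, 11: 2, 20: 3}
# Constructed sample data: user -> blogs the user is a member of.
MEMBERSHIPS = {"admin": {1, 2, 3}, "demouser": {1}, "writer": {3}}

@dataclass(frozen=True)
class Post:
    title: str
    status: str        # "published" or "protected"
    categories: tuple  # category ids, possibly from several blogs

POSTS = [  # constructed
    Post("public note", "published", (10,)),
    Post("blog A diary", "protected", (11,)),
    Post("cross-posted", "protected", (11, 20)),
    Post("posted in Blog All", "protected", (5,)),
]

def owning_blogs(post):
    """Blogs that own at least one category the post is filed under."""
    return {CATEGORY_BLOG[c] for c in post.categories}

def listed_on(post, viewed_blog):
    """The aggregate blog lists everything; other blogs list their own posts."""
    return viewed_blog == AGGREGATE_BLOG or viewed_blog in owning_blogs(post)

def visible_by_viewed_blog(user, post, viewed_blog):
    """Behaviour reported in the thread: membership of the viewed blog suffices."""
    if not listed_on(post, viewed_blog):
        return False
    if post.status != "protected":
        return True
    return viewed_blog in MEMBERSHIPS.get(user, set())

def visible_by_owning_blog(user, post, viewed_blog):
    """Check proposed in the thread: membership of a blog that owns the post."""
    if not listed_on(post, viewed_blog):
        return False
    if post.status != "protected":
        return True
    return bool(owning_blogs(post) & MEMBERSHIPS.get(user, set()))

def listing(check, user, viewed_blog=AGGREGATE_BLOG):
    """Titles the user sees on viewed_blog under the given check."""
    return [p.title for p in POSTS if check(user, p, viewed_blog)]

if __name__ == "__main__":
    for check in (visible_by_viewed_blog, visible_by_owning_blog):
        print(check.__name__, listing(check, "demouser"))
```

A protected post filed directly in a category of the aggregate blog stays visible to its members under both checks, which covers the case of posting in Blog 1 itself.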
If you were right, then indeed, it would not be like it was meant to be.
but...
I have a standard installation with 20 users, all members of blog 1 and neither of them can see protected posts if they are not member of that blog.
Are you sure you tested this with a username that has not the proper rights to view that protected post?