Permissions are handled per user group. An anonymous visitor automatically belongs to the group 'Guest', a registered member is put into 'Member'. Above that, members can have as many group memberships as the administrators allow.
Permissions are checked on every page load, with respect to the page itself, the user's action and his or her group memberships.
- If no permission has been set on the page in question for a group, access is denied
- If a user is a member in at least one group for which access is allowed, access is granted
There are two different permissions a group can have on a page. What they do depends on the page itself, in theory, they could mean anything (if the person who programmed the page is really devious).
In general, though, you can be relatively sure they mean something along the lines of:
- Read: opening the page, reading its contents (e.g. read a forum thread)
- Write: submitting the page, changing its contents, saving new things (e.g. submitting a new reply to the thread)
If access is denied, the user is sometimes given the opportunity to enter credentials to get the desired access after all. Whether or not that login opportunity occurs is defined within the code of the page itself, using the concepts of 'common sense' and 'sane defaults'. The board administrator can't change this behaviour without changing the code.
The pages of the Administration Panel aren't distinguished in the rights management. Either a group has access to all the functions, or none at all. The pseudo-page handling this permission is called 'admin/'.
For the default user groups, the administrators can always go back to the defaults using the Administration Panel. Please note, however, that this function can't handle per-forum permissions well, because the forums didn't exist in default state. This is why the following policy is applied:
- Admins get all rights on all forums
- all other groups get no rights on any forums
That means that if you reset the permissions for anyone but the Admins group, you probably have to add the permissions on the forums for them again by hand. This is still better than opening anything up to a group which shouldn't have access, after all...