DNN has very poor security granularity once a user has PAGE Edit permissions
 - this has been a huge weakness in DNN for a long time
- and frustratingly an area that has had very little done about it.

Its not that different to the fact that any user with Page Edit permissions on a SINGLE PAGE can ADD a new Page - but if they forget to set edit permissions to the new page - it does not automatically allow them to see the new page - had a user on a site add about 20 blank pages to the ROOT - causing an interesting mess - because he could not see the new PAGE he was trying to add.
Also there is no way to prevent them adding PAGES to any level on the site - another huge weakness.

Also any of the COPY to all pages options, include module on all pages, copy to descendent's are all available to anyone with said PAGE Edit permissions.

The permissions system really needs an overhaul if DNN is to continue to compete in the commercial CMS management arena - but im guessing such features are not likely to make it down into the CE edition of DNN given the directions management are currently headed with PE and EE.

What is needed for starters is a new level of security.

PAGE MANAGEMENT

Which controls if a user is allowed to MANAGE pages - add a page - delete a page - move a page etc

PAGE MODULE MANAGEMENT

Which controls if a user is allowed to MANAGE the modules on a page -  add a module - delete a module 

PAGE EDIT

Which would then control if a user is allowed to EDIT the content on a page only - NOT add pages or modules.

We already had MODULE EDIT effectively but it to could benefit from some granularity ... but at the moment a user with MODULE EDIT can delete the module they are working on - and stuff up other area - such as the event listed in the OP.

All those features should be turned OFF unless the user had PAGE MANAGEMENT for example.

====

The other significant weakness at PAGE MANAGEMENT level is that once you have PAGE EDIT currently you can add a page anywhere in the system - there should be some level of control over this - that being if you have PAGE EDIT - you should NOT be able to add a page above your page level possibly.

Also getting back to current PAGE EDIT permissions and ADD PAGE - at a minimum it needs to copy the permissions of from the page that the user is currently on - so that if the user DOES have the ability to add a page then he will get permission to edit the new page.

Westa

Wes,
Thank you for your in-depth explanation.  This underscores an immediate fear and a long-term fear. The immediate fear was that this was not a bug that was introduced in 5.6.1, but a deep seeded flaw in DNN and the long-term fear that as DNN moves forward with CE and PE that the community edition will not receive some much needed corrections and functionality.

The site where the Page Edit flaw came into play is a 300+ page site with 30+ users with the role registration/subscriber and each of 30+ users have been granted PAGE EDIT on one or two pages. The idea of course was with Page Edit that they should be able to add modules and content to their own pages, but not make any changes to other parts of the site. However, as I stated in the original post, with only PAGE EDIT privs this users changed EVERY container on EVERY page throughout the site. This change was very dramatic because the user thought school bus yellow would be a nice background color for all of the containers on his pages and to save himself time he selected apply to all containers. He of course thought the change would only effect the two page where he had PAGE EDIT privs, but not in DNN, it effected the entire site. He turned the ENTIRE site yellow - the entire site! The sinister part of the problem was that you could not simply go to the page and remove the apply to all modules  check mark and make everything o.k.. The container modules through out the site that were not set to the page default did not come back so the only option was to visit the 300+ pages and correct the module containers that you wanted or restore the site from the latest back-up.  Restoring the site from backup was what we had to do and this of course meant that all of the changes that 30+ people had made since the previous night's back-up were lost and this is a very active site so you can guess that there are a lot of unhappy DNN users.

Wes, is correct this DNN security flaw needs to be addressed by DNN and it needs to be in the Community version.  DNN has advertised it's great security, but if a single user with very limited privs can turn an entire site Yellow then who needs hackers.  I am suggesting that all DNN users, especially Community users, reply to this thread as a form of an OPEN LETTER TO DNN requesting that this DNN's security flaw must be addressed immediately.

If anyone has a better idea of how to escalate this issue into action lets hear it.

Judy