The Geeklog permissions are (loosely) based on the concept borrowed from UNIX file systems: Geeklog objects (e.g. stories) have "read" and "write" access permissions. Those can further be restricted by groups and their owner.
For a typical Geeklog object, you can set:
- read and write access for the owner (e.g. the story's original author)
- read and write access for the group (e.g. Story Admin group), i.e. all the users in this group
- read access only for logged-in users
- read access only for anonymous users
By removing the read access for anonymous users, you can then hide an object from any visitors that are not logged in.
- "The best way to learn about Geeklog permissions is to try things out and see what happens."
Interactions of Article and Topic Permissions
If you want a user to be able to edit an article that they are the owner of they need both READ and EDIT permissions for both the article and the topic to which that article belongs.
The thinking behind this is that you should not be able to edit an article (even if you originally wrote it and/or are the current owner) unless you have edit permissions for the topic as well. This allows a site Admin to restrict certain types of access to a given topic. Granted, this is not the simplest thing to understand and it perhaps should be rethought. However, since its been this way for several major releases now it is unlikely it will be changed unless there is an over riding reason to do so.
This is not a security hole because you need read/edit for both the article you want to edit and the topic that it is in. Again, it just allows the Geeklog admin a much finer level of control.
Note: The default permissions can be changed in the Configuration admin control panel: Configuration > Geeklog > Miscellaneous. Scroll down to "Story Default Permission" and "Topic Default Permission".
Also see the Geeklog FAQ: Setting up a Story Admin