Forum on M4.5 had sophisticated security-model which is currently not supported by Magnolia 5.

Bootstrap (originating from M4.5-version) installs these 4 roles.

1) forum-base
2) forum_ALL-user
3) forum_ALL-admin
4) forum_ALL-moderator

(2), (3) and (4) all come with an ACL-permission for the forum-workspace which M5-security-app cannot display correct (see screenshot) and is lost when someone is editing it.
Instead of the permission "moderateAndDelete" use "read & write"

Forum 3.3 should apply the following simple security model:

(a) role forum-base is required to access the forum-app
(b) to moderate (=> approve or reject a message) a user must have the role forum_ALL-moderator or forum_ALL-admin
(c) if a user has the above described permission to moderate a forum, he can moderate every forum

(a) is already done but probably arguable.

=>

• clean install: ensure Bootstraps contain roles which can be handled by M5; remove no more used bootstraps
• clean update: ensure config. of installed forum gets roles which can be handled by M5 on update
• clean code: ensure DefaultForumManager#isModerator works properly (based on roles)
• disable automatically creation of roles when a forum is created in the forum-config (change the config which in bootstrap or in already installed versions)