Issue status update for http://drupal.org/node/25530
Post a follow up: http://drupal.org/project/comments/add/25530

 Project:      Drupal
 Version:      cvs
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  budda
 Updated by:   killes@www.drop.org
-Status:       patch (code needs review)
+Status:       patch (code needs work)
 Attachment:   http://drupal.org/files/issues/permissions.patch (3.82 KB)

I've updated the patch to make it work from the root directory. I also fixed a minor formatting issue.

While I think that this patch is useful, I think it isn't general enough. Once you got the "admin users" permission you can grant yourself any defined role. So this patch is only useful if none of the defined rules has all permissions. I have a number of sites where this would be sufficient, but we try to keep Drupal usable for all use cases. Applying this patch as it is now would mean to pretend false security in a lot of cases.

killes@www.drop.org

Previous comments:
------------------------------------------------------------------------

Wed, 22 Jun 2005 15:50:53 +0000 : budda

Attachment: http://drupal.org/files/issues/accesscontrol.patch (3.48 KB)

When a user role is granted 'administer users' permission this allows them to not only edit any user's profile, but also amend the access control list, even for their own role. This means a moderator could actually increase their own permissions to enable further access to Drupal site settings.

To prevent this I have split the user module permissions further to provide a new permission setting for each role - "administer permissions". Enabling this permission for any role will provide the user with access to the "access control" pages and functionality.

Patch attached to add additional permission and change menu access checks as needed.
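
Added example, not part of the original thread or the attached patch: a small Python model of the two rules stated above (access to the access control pages lets a user give their own role any permission; 'administer users' lets a user take any defined role), used to list which roles can gain permissions on their own. Role names and all permission strings other than 'administer users' and 'administer permissions' are constructed, and the model is an assumption about the behaviour the comments describe, not Drupal code.

```python
# Added example: a model of the rules described in the thread, not Drupal code.
ADMIN_USERS = "administer users"        # existing permission named in the thread
ADMIN_PERMS = "administer permissions"  # permission the patch introduces

def reachable(start_roles, role_table, defined, patched):
    """Permissions a user can end up with by acting only on their own account."""
    every_perm = set(defined).union(*role_table.values())
    held = set(start_roles)
    while True:
        perms = set().union(*(role_table[r] for r in held))
        # Permission that opens the "access control" pages in this model.
        gate = ADMIN_PERMS if patched else ADMIN_USERS
        if gate in perms:
            return every_perm          # can tick any box for their own role
        if ADMIN_USERS in perms and held != set(role_table):
            held = set(role_table)     # can grant themselves any defined role
            continue
        return perms

def escalations(role_table, defined, patched):
    """Map each role to the permissions it can gain beyond its own grant."""
    gains = {}
    for role, perms in role_table.items():
        extra = reachable([role], role_table, defined, patched) - perms
        if extra:
            gains[role] = extra
    return gains

# Constructed sample data; only the two constants above come from the thread.
DEFINED = {"access content", "administer comments", "administer nodes",
           "administer site configuration", ADMIN_USERS, ADMIN_PERMS}
NO_SUPER_ROLE = {
    "moderator": {"access content", "administer comments", ADMIN_USERS},
    "editor": {"access content", "administer nodes"},
}
WITH_SUPER_ROLE = dict(NO_SUPER_ROLE, **{"site admin": set(DEFINED)})

if __name__ == "__main__":
    for name, table in (("no super role", NO_SUPER_ROLE),
                        ("with super role", WITH_SUPER_ROLE)):
        for patched in (False, True):
            gained = escalations(table, DEFINED, patched).get("moderator", set())
            print(f"{name:16} patched={patched!s:5} moderator gains {sorted(gained)}")
```

With the split permission the moderator still gains every permission as soon as any defined role carries 'administer permissions', and without such a role it still picks up whatever the other roles hold.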
------------------------------------------------------------------------

Wed, 22 Jun 2005 15:56:51 +0000 : nedjo

+1 on idea (I haven't patched and tested), makes sense to me as a distinct permission.

------------------------------------------------------------------------

Wed, 22 Jun 2005 18:07:51 +0000 : Allie Micka

+1 from me also, although I also haven't tested the patch. This "escalate myself" privilege is a big problem!

------------------------------------------------------------------------

Wed, 22 Jun 2005 18:53:46 +0000 : Chris Johnson

+1 This seems like a real requirement for proper permissions handling. The patch looks good from a code review, but I have not tested it yet.