Issue status update for http://drupal.org/node/25530 Project: Drupal Version: cvs Component: user.module Category: feature requests Priority: normal Assigned to: Anonymous Reported by: budda Updated by: nedjo Status: patch +1 on idea (I haven't patched and tested), makes sense to me as a distinct permission. nedjo Previous comments: ------------------------------------------------------------------------ June 22, 2005 - 11:50 : budda Attachment: http://drupal.org/files/issues/accesscontrol.patch (3.48 KB) When a user role is granted 'administer users' permission this allows them to not only edit any users profile, but also amend the access control list, even for their own role. This means a moderator could actually increase their own permissions to enable further access to Drupal site settings. To prevent this I have split the user module permissions further to provide a new permission setting for each role - "administer permissions". Enabling this permission for any role will provide the user with access to the "access control" pages and functionality. Patch attached to add additional permission and change menu access checks as needed.