Re: [development] Suggestion for User Permissions
Agree. If someone really wants an "admin role" they can use (ta-da) http://drupal.org/project/adminrole
Date: Thu, 29 Nov 2007 09:45:53 -0800
From: "Steven Peck" <sepeck@gmail.com>
Subject: Re: [development] Suggestion for User Permissions
To: development@drupal.org
Message-ID: <a151b5a00711290945y37f9f5acsc3ff989a4104365d@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
When creating a site admin role, there are several items I do not turn on for the users, nor do I want them on for those sites.
Creating roles is generally a one-time deal per role. It is something that, even if it is a 'pain' or 'inconvenient', should not be 'globally allowed turn on'. This comes to a security issue in that you should determine your permission model. It is not an 'OMFG usability issue'. It is a security issue. I have always liked the default 'everything is off' model because I then have to turn on things.
It may be inconvenient but it doesn't seem to be something to go into hysterics over or claim usability as an overarching trump card.
If we are going to do this, then allowing it only once per role 'at time of creation' seems the least harmful approach to easily allowing people to shoot themselves in the foot to solve some users' 'inconvenience'.
Steven Peck :: www.blkmtn.org
On Nov 29, 2007 5:14 AM, Earnie Boyd <earnie@users.sourceforge.net> wrote:
Quoting Darren Oh <darrenoh@sidepotsinternational.com>:
Giving a permission to the authenticated user and the anonymous users gives it to all roles. If you are speaking of giving a single role all permissions, I would be careful. It would be better for modules to set defaults for their permissions and then change each permission individually.
IMO, the set/unset all function should be applied to created roles at the time of creation only. This solves the issues being discussed.
The point is that it should NOT be a module but a default feature of the system.
/ liza
On 29.Nov.2007, at 03:42 PM, Simon Roberts wrote:
Agree. If someone really wants an "admin role" they can use (ta-da)
I cannot possibly conceive of a situation where I would use this 'feature/configuration accident waiting to happen' on a production site. Looks very nice as a contributed module.
Your point (not 'the point'), desired feature... My point, unacceptable risk.
Nice contributed module.
-Steven
On Nov 29, 2007 1:22 PM, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
The point is that it should NOT be a module but a default feature of the system.
/ liza
On 29.Nov.2007, at 03:42 PM, Simon Roberts wrote:
Agree. If someone really wants an "admin role" they can use (ta-da)
I seem to be running into this issue everywhere lately. I've been working on a Greasemonkey script the last few days that adds a check all and an uncheck all option to the user permissions page. I'll share this when it's complete if anyone else would find it useful.
At my office we usually maintain an admin role on the sites we work on so that the developers don't do all of their work as user 1. I have used admin role before, and didn't like the fact that it took the decision process away from me; sometimes you want to limit access even for the administrator. I agree that a check all button is extremely dangerous in the wrong hands, and shouldn't be available to everyone.
For anyone looking for a quick workaround, I was listening to the recent Lullabot 50 tips podcast this morning, and they mentioned using the web developer extension for Firefox and selecting forms -> populate forms, to check all of the boxes if you are on the role's individual permissions page.
Mark
On Nov 29, 2007, at 4:40 PM, Steven Peck wrote:
I cannot possibly conceive of a situation where I would use this 'feature/configuration accident waiting to happen' on a production site. Looks very nice as a contributed module.
Your point (not 'the point'), desired feature... My point, unacceptable risk.
Nice contributed module.
-Steven
On Nov 29, 2007 1:22 PM, blogdiva@culturekitchen.com <blogdiva@culturekitchen.com> wrote:
The point is that it should NOT be a module but a default feature of the system.
/ liza
On 29.Nov.2007, at 03:42 PM, Simon Roberts wrote:
Agree. If someone really wants an "admin role" they can use (ta-da)
participants (4)
- blogdiva@culturekitchen.com
- Mark Ferree
- Simon Roberts
- Steven Peck