Issue status update for http://drupal.org/node/14149 Project: Drupal Version: cvs Component: profile.module Category: feature requests Priority: normal Assigned to: ejort Reported by: sushi76 Updated by: Bèr Kessels Status: patch I know its a handy feature, that will be used in some cases. But then it should nbe in an advanced-profile.module. Not in core. Bèr Kessels Previous comments: ------------------------------------------------------------------------ December 9, 2004 - 19:38 : sushi76 Currently there are only these three Options Private field, content only available to privileged users. (Admin users) Public field, content shown on profile page but not used on member list pages. (Everyone, but not in the member list) Public field, content shown on profile page and on member list pages. (Everyone, everywhere) It should be possible to set the visibilty of profile fields by user roles. ------------------------------------------------------------------------ March 6, 2005 - 21:40 : tulula I agree! If visibility is set by roles OR if the option is left up to the user to display their info at their discretion vs Admin at level of setting up profile fields. ------------------------------------------------------------------------ June 6, 2005 - 06:03 : ejort I agree that it should be possible to set visibility per role. There is profile data on my site that I want my organisation's committee members to see, but nobody else, there's information that I want only authenticated users to see, but not anonymous users etc. More than that, I think we should be able to set field editability by role also. There is data on my site that only certain people should be able to edit. If we get to this point then this would be a superset of the functionality discussed in the PROFILE_HIDDEN updates [1] thread, but would be much more flexible. [1] http://drupal.org/node/21219 ------------------------------------------------------------------------ June 10, 2005 - 09:07 : ejort Attachment: http://drupal.org/files/issues/profile.module.role_based_field_permissions.p... (12.97 KB) Hi, Here's a patch which implements role based edit / access permissions for profile fields. It allows you to give permissions to each role (and for each field) to: * access a field (for all accounts) * access a field for your own account * edit a field for your account Users with permission 'administer users' can access / edit all fields, and users must have enough permission to edit/access a profile for these extra permissions to come into effect. I believe this allows for more flexibility than the existing profile.module method of PROFILE_PRIVATE and in HEAD PROFILE_HIDDEN. You can eg: * hide some fields from anonymous users, while allowing other roles to still view that info * have fields viewable by only the admin and user who owns the account (like PROFILE_PRIVATE * have fields viewable by some roles, but only editable by the admin * have fields hidden from all except the admin, and editable only by the admin * it will make you more attractive to the opposite sex etc. I'm developing this because I need it for one of my sites, hence, unfortunately this patch is against the 4.6 profile.module. If people think this is a valuable feature for HEAD I can roll a patch against that. Cheers, Eric ------------------------------------------------------------------------ June 10, 2005 - 10:13 : Bèr Kessels I am not too sure about this. A typical profile contains between five and 10 fields, but twenty fields is not unheard of. This patch will flood the permissions screen unnneccesary. I would opt for the hard way: An advanced profile module, or CRM module, or so. hat module could implemen,t all sorts of advanced levelled permissions. In order to maintain a high level of usability in core, we should try to minimize options and checkboxes. I know from flexinode, which adds similar dynamic permissions, that the interface for permissions is really not up to this big amount of permissions. I really think such things should not be in core. Buty that all said, it /is/ a handy feature :) ------------------------------------------------------------------------ June 10, 2005 - 10:53 : ejort Yes, unfortunately it can add a large number of permissions to the permissions page. I did consider trying to place the permission selections on each fields edit page instead (similar to the visibility settings), but as a certain eminent author recently wrote* [2]: "please use *only* the permissions page to set permissions, and do not create new permissions-alike settings in any configuration pages " :-) I think that the PROFILE_PRIVATE and PROFILE_HIDDEN (and the PROFILE_PUBLIC_*) settings are currently doing just that, implementing an alternate permissions system which addresses a few use cases, but is ultimately not particularly flexible. Is there any chance that the permissions sections can benefit from some collapsible goodness to alleviate the flooding? I think it's a shame to reduce the systems flexibility because it may create 'too many' permissions settings, especially as it is generally a set once and forget proposition. Perhaps we should look at the underlying UI problem? *That would be Bér :-) [2] http://drupal.org/node/22565#comment-32248 ------------------------------------------------------------------------ June 10, 2005 - 14:27 : Bèr Kessels Ejort, I know i wrote that. However, this is a little bit different. am not saying you should make a new system for changing the apperance of profile fields. I am only saying that having per-profile-field permissions is: * way OTT for the big mayority of users * extremely cluttering for the permission page (which, essetially is a problem in that interface, not in your "feature") ------------------------------------------------------------------------ June 14, 2005 - 16:22 : ejort I don't agree that this is extremely off topic for most users. A large number of people using drupal in any business setting will likely find the extra flexibility invaluable (and the use cases popping up in discussions for regarding PROFILE_HIDDEN show that the current approach doesn't cover enough of the possibilities). I've worked on multiple jobs where I had to create contact lists and employee profiles where basic information was accessible to the public (name, work email, profile text), certain details (direct phone numbers) were only visible to internal company employees, other data (mobile phone numbers) were visible only to team leaders, other data (next of kin contact details) were only visible to an admin, and the user wasn't allowed to edit certain items (such as the public profile text). I've had similar needs come up across several jobs, but then again I wrote the patch so of course I needed it! :-) I also believe that the permissions page problem isn't too large an issue. The permissions are created in response to the admin creating profile fields (3 per field, 'access', 'access own', 'edit'), so the page has no extra permissions by default. This also isn't an interface that is accessed on a daily basis, and there is a good visual separation of the sections so it is easy to skim past the longer profile section if that's not what you're interested in. Of course, this is all just my opinion, and I'm a biased observer :-)