[drupal-devel] [feature] More granular user management permissions

killes drupal-devel at drupal.org
Mon Aug 1 01:07:32 UTC 2005 

Issue status update for 
http://drupal.org/node/25530
Post a follow up: 
http://drupal.org/project/comments/add/25530

 Project:      Drupal
 Version:      cvs
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  budda
 Updated by:   killes at www.drop.org
-Status:       patch (code needs review)
+Status:       patch (code needs work)
 Attachment:   http://drupal.org/files/issues/permissions.patch (3.82 KB)

I've upated the patch to make it work from the root directory. I also
fixed a minor formating issue.


While I think that this patch is usefull, I think it isn't general
enough. Once you got the "admin users" permission you can grant
yourself any defined role. So this patch is only usefull if none of the
defined rules has all permissions. I have a number of sites where this
would be sufficient, but we try to keep Drupal usable for all use
cases. Applying thi spatch as it is now would mean to pretend false
security in a lot of cases.




killes at www.drop.org



Previous comments:
------------------------------------------------------------------------

Wed, 22 Jun 2005 15:50:53 +0000 : budda

Attachment: http://drupal.org/files/issues/accesscontrol.patch (3.48 KB)

When a user role is granted 'administer users' permission this allows
them to not only edit any users profile, but also amend the access
control list, even for their own role. This means a moderator could
actually increase their own permissions to enable further access to
Drupal site settings.


To prevent this I have split the user module permissions further to
provide a new permission setting for each role - "administer
permissions". Enabling this permission for any role will provide the
user with access to the "access control" pages and functionality.


Patch attached to add additional permission and change menu access
checks as needed.




------------------------------------------------------------------------

Wed, 22 Jun 2005 15:56:51 +0000 : nedjo

+1 on idea (I haven't patched and tested), makes sense to me as a
distinct permission.




------------------------------------------------------------------------

Wed, 22 Jun 2005 18:07:51 +0000 : Allie Micka

+1 from me also, although I also haven't tested the patch.  This
"escalate myself" privilege is a big problem!




------------------------------------------------------------------------

Wed, 22 Jun 2005 18:53:46 +0000 : Chris Johnson

+1


This seems like a real requirement for proper permissions handling.


The patch looks good from a code review, but I have not tested it yet.

More information about the drupal-devel mailing list