[drupal-devel] [feature] More granular user management permissions

Chris Johnson drupal-devel at drupal.org
Wed Jun 22 18:53:51 UTC 2005


Issue status update for http://drupal.org/node/25530

 Project:      Drupal
 Version:      cvs
 Component:    user.module
 Category:     feature requests
 Priority:     normal
 Assigned to:  Anonymous
 Reported by:  budda
 Updated by:   Chris Johnson
 Status:       patch

+1


This seems like a real requirement for proper permissions handling.


The patch looks good from a code review, but I have not tested it yet.




Chris Johnson



Previous comments:
------------------------------------------------------------------------

June 22, 2005 - 09:50 : budda

Attachment: http://drupal.org/files/issues/accesscontrol.patch (3.48 KB)

When a user role is granted 'administer users' permission this allows
them to not only edit any users profile, but also amend the access
control list, even for their own role. This means a moderator could
actually increase their own permissions to enable further access to
Drupal site settings.


To prevent this I have split the user module permissions further to
provide a new permission setting for each role - "administer
permissions". Enabling this permission for any role will provide the
user with access to the "access control" pages and functionality.


Patch attached to add additional permission and change menu access
checks as needed.




------------------------------------------------------------------------

June 22, 2005 - 09:56 : nedjo

+1 on idea (I haven't patched and tested), makes sense to me as a
distinct permission.




------------------------------------------------------------------------

June 22, 2005 - 12:07 : Allie Micka

+1 from me also, although I also haven't tested the patch.  This
"escalate myself" privilege is a big problem!







More information about the drupal-devel mailing list