[development] Hello from another developer/Want to add some features

Rob Thorne rob at torenware.com
Sat Jan 28 23:29:42 UTC 2006


Karoly Negyesi wrote:
>>>> * Disabling changes to usernames and passwords of administrative users
>>>> by users having administer users permission.
>
> I smell hierarchical roles here. Some user ought to be able to change 
> other users' passwords... including admins... I guess at least.
>
I'm not sure what you mean by "hierarchical roles".  But I'm about to 
fix a problem on a site similar to this, and considered something that 
sounds like "hierarchical roles".

My problem is that I want some subset of users to be able to administer 
some subset of users, but not all users.  The "administer users" 
privilege is too general;  if you can administer one, you can administer 
all.  And you can elevate your own level of privilege.

A simple solution to this would have "levels" of roles -- a simple 
weight number.  The rule is:  you cannot assign a role to another user 
that has a lower weight than the most privileged role that is assigned 
to you.  This would allow a simple way to partition the administration 
of users into sub-administrators, and is easier to create admin UI for 
than a hierarchy (take a look at og_hierarchy if you want to see how 
nasty that kind of UI can get).

This is a simple work around a serious problem (IMHO) with the Drupal 
user model:  it's currently possible for any user with "administer 
users" privileges to effectively elevate his/her privilege level.

Am I missing something, and there's some other way to prevent this?

Rob Thorne
Torenware Networks

