[development] Hello from another developer/Want to add
rob at torenware.com
Sat Jan 28 23:29:42 UTC 2006
Karoly Negyesi wrote:
>>>> * Disabling changes to usernames and passwords of administrative users
>>>> by users having administer users permission.
> I smell hiearchical roles here. Some user ought to be able to change
> other users psswords... including admins... I guess at least.
I'm not sure what you mean by "hierarchical roles". But I'm about to
fix a problem on a site similar to this, and considered something that
sounds like "hierarchical roles".
My problem is that I want some subset of users to be able to administer
some subset of users, but not all users. The "administer users"
privilege is too general; if you can administer one, you can administer
all. And you can elevate your own level of privilege.
A simple solution to this would have "levels" of roles -- a simple
weight number. The rule is: you cannot assign a role to another user
that has a lower weight than the most privileged role that is assigned
to you. This would allow a simple way to partition the administration
of users into sub-administrators, and is easier to create admin UI for
than a hierarchy (take a look at og_hierarchy if you want to see how
nasty that kind of UI can get).
This is a simple work around a serious problem (IMHO) with the Drupal
user model: it's currently possible for any user with "administer
users" privileges to effectively elevate his/her privilege level.
Am I missing something, and there's some other way to prevents this?
More information about the development