[development] Incorporate RoleAssign module into User module?

inkfree press inkfree at gmail.com
Thu Oct 19 16:49:07 UTC 2006

"Mark Hope" wrote:

> I support the idea.

The ability to let other users handle the assignment of roles is...well,
possibly useful.  It's a good idea to be able to automate/delegate all kinds
of permissions, and so this makes sense to me, too.

With some concerns...

This module, in core, should include some pretty stringent logic to prevent
the site admin (user = 1) from letting any generic user (user ‚ 1) create or
assign themselves a role which has destructive potential.

This might be simple enough by providing an "access grid" UI where the site
admin could mark specific access features as "excluded from RoleAssign
created roles".  Another way to say this is that, as core or contrib modules
add access right rows to the table, the admin should be able to
include/exclude those rights from be "assignable" through any ModuleX
(RoleAssign, in this case.)

> Makes complete sense to me.

[This is slightly OT to the issue of inclusion in core, but because I think
it's related to the concerns over mis-use or improper use, and because a
full understanding of this module is important _to_ the discussion of
inclusion into core, I'll include this here at risk of my own peril.]

I would say that the description you provided [*] does _not_ make complete
sense to me.  The author over-uses the words "user", which have different
meanings, at different times, in the description and in the administration
of Drupal.

Granted, it can be tedious to careful avoid confusion in a description of
this kind of module (since it's about roles being able to create roles), but
great care should be taken to make clear distinctions between "user" and
"user" (yes, that's an intentional word duplication here.)

Creating some specific language might help here.  Some suggestions:

    - the 'user 1' user ==> Administrator or Super-User

    - user ==> site user, registered user

> I wasn't aware of the module - I'll take a look as I'm delegating that task
> right now.

How are you doing this without the use of the module, which you've never
heard of?  Is there some other module or feature which is allowing you to
assign a "role assignment" permission to your users?

[*] Original description.

> RoleAssign introduce the |assign roles| permission. While editing a user's
> account information, a user with this permission will be able to select roles
> for the user from a set of available roles. Roles available are configured by
> users with the |administer access control| permission. Thus, RoleAssign lets
> site administrators delegate assignment of selected roles.

Draft suggestion for a more thorough description:

    RoleAssign specifically allows Site Administrators to further delegate
the site task of managing User Roles.

    RoleAssign introduces a new site task permission called |assign roles|.
This task permission allows the Site Administrator to grant authority to
other Site Users (or Site Users in a Role Group) the ability to further
assign roles to still other Site Users.

    The Site Administrator, or any Site User with access to the |administer
access control| task permission, may set up and configure roles which are
able to delegated through this module.

    Incorrect use of this module could compromise site security or could
limit the ability of the site administrator from properly administering the
Drupal web site. One should have a thorough understanding of the Drupal
role-based permission system and of the management of user access
permissions before installing this module.

    For more information about User Roles, Role Groups and managing Access
Permission features of Drupal, please see <...>

More information about the development mailing list