[development] Incorporate RoleAssign module into User module?

Thomas Barregren thomas at webbredaktoren.se
Thu Oct 19 20:05:40 UTC 2006


inkfree press wrote:
> The ability to let other users handle the assignment of roles is...well,
> possibly useful.  It's a good idea to be able to automate/delegate all kinds
> of permissions, and so this makes sense to me, too.
>
> With some concerns...
>
> This module, in core, should include some pretty stringent logic to prevent
> the site admin (user = 1) from letting any generic user (user ≠ 1) create or
> assign themselves a role which has destructive potential.
>
> This might be simple enough by providing an "access grid" UI where the site
> admin could mark specific access features as "excluded from RoleAssign
> created roles".  Another way to say this is that, as core or contrib modules
> add access right rows to the table, the admin should be able to
> include/exclude those rights from being "assignable" through any ModuleX
> (RoleAssign, in this case.)
>   
RoleAssign already has this logic. All roles are by default excluded 
from the set of assignable roles. Only users with |administer access 
control| permission can add a role to the set of assignable roles.


> I would say that the description you provided [*] does _not_ make complete
> sense to me.  The author over-uses the word "user", which has different
> meanings, at different times, in the description and in the administration
> of Drupal.
>
> Granted, it can be tedious to carefully avoid confusion in a description of
> this kind of module (since it's about roles being able to create roles), but
> great care should be taken to make clear distinctions between "user" and
> "user" (yes, that's an intentional word duplication here.)
>
> Creating some specific language might help here.  Some suggestions:
>
>     - the 'user 1' user ==> Administrator or Super-User
>
>     - user ==> site user, registered user
>   
You have a point. I will look over the documentation and see how I can 
make this distinction clearer.

> Draft suggestion for a more thorough description:
>
>
>     RoleAssign specifically allows Site Administrators to further delegate
> the site task of managing User Roles.
>
>     RoleAssign introduces a new site task permission called |assign roles|.
> This task permission allows the Site Administrator to grant authority to
> other Site Users (or Site Users in a Role Group) the ability to further
> assign roles to still other Site Users.
>
>     The Site Administrator, or any Site User with access to the |administer
> access control| task permission, may set up and configure roles which are
> able to be delegated through this module.
>
>     Incorrect use of this module could compromise site security or could
> limit the ability of the site administrator from properly administering the
> Drupal web site. One should have a thorough understanding of the Drupal
> role-based permission system and of the management of user access
> permissions before installing this module.
>
>     For more information about User Roles, Role Groups and managing Access
> Permission features of Drupal, please see <...>
Thank you. I will use this to improve the handbook page on RoleAssign 
<http://drupal.org/node/86057>.

However, I have one objection. You write that "Incorrect use ... could 
limit the ability of the site administrator from properly administering 
the Drupal web site." How do you mean? The site administrator, e.g. user 
1, always has all permissions irrespective of assigned roles. So how 
could his/her ability be limited?


Regards,
Thomas
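
The delegation rules discussed in this thread, modeled as an added example (not part of the original message and not RoleAssign's own code). The `Site` class, its method names and the sample roles are hypothetical; ignoring requests for non-assignable roles and leaving a target's non-assignable roles untouched are assumptions of this model.

```python
ADMINISTER = "administer access control"  # permission names taken from the thread
ASSIGN = "assign roles"
SUPERUSER_UID = 1                          # user 1 always has every permission

class Site:
    """Toy model of delegated role assignment (assumption, not RoleAssign's code)."""
    def __init__(self, role_perms):
        self.role_perms = role_perms       # role name -> set of permissions
        self.user_roles = {}               # uid -> set of role names
        self.assignable = set()            # default: every role is excluded

    def has_perm(self, uid, perm):
        if uid == SUPERUSER_UID:
            return True
        return any(perm in self.role_perms[r] for r in self.user_roles.get(uid, ()))

    def set_assignable(self, actor, roles):
        # Only holders of 'administer access control' may change the set.
        if not self.has_perm(actor, ADMINISTER):
            raise PermissionError("requires " + ADMINISTER)
        self.assignable = set(roles) & set(self.role_perms)

    def risky_assignable(self):
        # Assignable roles that would hand a delegate more delegation power.
        return {r for r in self.assignable if self.role_perms[r] & {ADMINISTER, ASSIGN}}

    def save_roles(self, actor, target, requested):
        current = self.user_roles.get(target, set())
        if self.has_perm(actor, ADMINISTER):
            new = set(requested)
        elif self.has_perm(actor, ASSIGN):
            # Delegate: only assignable roles change; all other roles on the
            # target are kept exactly as they were, requested or not.
            new = (set(requested) & self.assignable) | (current - self.assignable)
        else:
            raise PermissionError("requires " + ASSIGN)
        self.user_roles[target] = new
        return new

def demo():
    # Constructed sample data: role names and uids are made up.
    site = Site({"editor": {"create content"}, "moderator": {ASSIGN},
                 "site admin": {ADMINISTER}})
    site.user_roles = {2: {"moderator"}, 3: {"site admin"}}
    site.set_assignable(SUPERUSER_UID, {"editor"})
    kept = site.save_roles(2, 3, {"editor"})               # cannot strip 'site admin'
    self_grant = site.save_roles(2, 2, {"site admin", "editor"})  # no escalation
    return site, kept, self_grant
```

`risky_assignable()` is the audit an administrator would run after editing the set: any role it returns lets a delegate pass on delegation or administration rights.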

