diff --git a/modules/user/src/AccountForm.php b/modules/user/src/AccountForm.php
index d695968..b13d320 100644
--- a/modules/user/src/AccountForm.php
+++ b/modules/user/src/AccountForm.php
@@ -191,7 +191,7 @@ abstract class AccountForm extends ContentEntityForm {
       '#title' => $this->t('Roles'),
       '#default_value' => (!$register ? $account->getRoles() : []),
       '#options' => $roles,
-      '#access' => $roles && $user->hasPermission('administer permissions'),
+      '#access' => $roles && $user->hasPermission('administer users roles'),
     ];
 
     // Special handling for the inevitable "Authenticated user" role.
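Review bot: The `#access` line on the roles element now gates on 'administer users roles' alone, and nothing in this hunk limits which roles a holder of that permission may hand out. `$roles` is built outside the hunk, so I cannot tell whether it is filtered; if it is the full role list, anyone with this permission who can reach this form for their own account can give themselves any role, including an administrative one. If that is intended, document it above the element, e.g. `// 'administer users roles' allows assigning every role in $roles, including administrative ones.`; otherwise filter `$roles` before it reaches `#options`. The enclosing method starts and ends outside the hunk.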
diff --git a/modules/user/src/Plugin/Action/ChangeUserRoleBase.php b/modules/user/src/Plugin/Action/ChangeUserRoleBase.php
index de4c404..dd750fe 100644
--- a/modules/user/src/Plugin/Action/ChangeUserRoleBase.php
+++ b/modules/user/src/Plugin/Action/ChangeUserRoleBase.php
@@ -94,7 +94,7 @@ abstract class ChangeUserRoleBase extends ConfigurableActionBase implements Cont
   public function access($object, AccountInterface $account = NULL, $return_as_object = FALSE) {
     /** @var \Drupal\user\UserInterface $object */
     $access = $object->access('update', $account, TRUE)
-      ->andIf($object->roles->access('edit', $account, TRUE));
+      ->andIf($object->roles->access('assign', $account, TRUE));
 
     return $return_as_object ? $access : $access->isAllowed();
   }
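Review bot: `$object->roles->access('assign', $account, TRUE)` is a field-level check on the user entity, but the only place this diff defines an 'assign' operation is `RoleAccessControlHandler`, which handles role entities. As far as I can tell, field item lists delegate to the user entity's field access handling, which is not part of this diff, so the result for 'assign' depends on how that code treats an operation other than 'view' or 'edit'. Please confirm it does not simply allow every account with 'administer users'. A kernel test that calls `access()` for an account holding 'administer users' but not 'administer users roles' and expects denial would settle it.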
diff --git a/modules/user/src/RoleAccessControlHandler.php b/modules/user/src/RoleAccessControlHandler.php
index e979f2d..7c5e542 100644
--- a/modules/user/src/RoleAccessControlHandler.php
+++ b/modules/user/src/RoleAccessControlHandler.php
@@ -24,6 +24,9 @@ class RoleAccessControlHandler extends EntityAccessControlHandler {
           return AccessResult::forbidden();
         }
 
+      case 'assign':
+        return AccessResult::allowedIfHasPermission('administer users roles');
+
       default:
         return parent::checkAccess($entity, $operation, $account);
     }
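Review bot: The new `case 'assign':` sits directly after a case whose `if` block returns on one branch only, with no `return` or `break` visible before the new label, so that earlier case now falls through into 'assign' instead of `default`. If the preceding case is the role delete check (its label is outside the hunk), deleting ordinary roles would be decided by 'administer users roles' rather than by `parent::checkAccess()`. The new return also omits the account: `AccessResult::allowedIfHasPermission()` takes the account first, so it should read `return AccessResult::allowedIfHasPermission($account, 'administer users roles');`. Moving the new case above the fall-through case, or ending that case with `return parent::checkAccess($entity, $operation, $account);`, keeps the old behaviour for it.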
diff --git a/modules/user/src/Tests/Views/BulkFormTest.php b/modules/user/src/Tests/Views/BulkFormTest.php
index 665af74..67d5e0f 100644
--- a/modules/user/src/Tests/Views/BulkFormTest.php
+++ b/modules/user/src/Tests/Views/BulkFormTest.php
@@ -33,7 +33,7 @@ class BulkFormTest extends UserTestBase {
    */
   public function testBulkForm() {
     // Log in as a user without 'administer users'.
-    $this->drupalLogin($this->drupalCreateUser(['administer permissions']));
+    $this->drupalLogin($this->drupalCreateUser(['administer users roles']));
     $user_storage = $this->container->get('entity.manager')->getStorage('user');
 
     // Create an user which actually can change users.
@@ -109,7 +109,7 @@ class BulkFormTest extends UserTestBase {
     $this->assertTrue($anonymous_account->isBlocked(), 'Ensure the anonymous user got blocked.');
 
     // Test the list of available actions with a value that contains a dot.
-    $this->drupalLogin($this->drupalCreateUser(['administer permissions', 'administer views', 'administer users']));
+    $this->drupalLogin($this->drupalCreateUser(['administer users', 'administer users roles', 'administer views']));
     $action_id = 'user_add_role_action.' . $role;
     $edit = [
       'options[include_exclude]' => 'exclude',
diff --git a/modules/user/tests/src/Functional/UserRolesAssignmentTest.php b/modules/user/tests/src/Functional/UserRolesAssignmentTest.php
index c0ee2d1..2cd7970 100644
--- a/modules/user/tests/src/Functional/UserRolesAssignmentTest.php
+++ b/modules/user/tests/src/Functional/UserRolesAssignmentTest.php
@@ -13,7 +13,7 @@ class UserRolesAssignmentTest extends BrowserTestBase {
 
   protected function setUp() {
     parent::setUp();
-    $admin_user = $this->drupalCreateUser(['administer permissions', 'administer users']);
+    $admin_user = $this->drupalCreateUser(['administer users', 'administer users roles']);
     $this->drupalLogin($admin_user);
   }
 
diff --git a/modules/user/tests/src/Kernel/Views/HandlerFieldPermissionTest.php b/modules/user/tests/src/Kernel/Views/HandlerFieldPermissionTest.php
index 0d21221..bf72b6f 100644
--- a/modules/user/tests/src/Kernel/Views/HandlerFieldPermissionTest.php
+++ b/modules/user/tests/src/Kernel/Views/HandlerFieldPermissionTest.php
@@ -34,11 +34,11 @@ class HandlerFieldPermissionTest extends UserKernelTestBase {
     $expected_permissions = [];
     $expected_permissions[$this->users[0]->id()] = [];
     $expected_permissions[$this->users[1]->id()] = [];
-    $expected_permissions[$this->users[2]->id()][] = t('Administer permissions');
+    $expected_permissions[$this->users[2]->id()][] = t('Administer roles and permissions');
     // View user profiles comes first, because we sort by the permission
     // machine name.
     $expected_permissions[$this->users[3]->id()][] = t('View user information');
-    $expected_permissions[$this->users[3]->id()][] = t('Administer permissions');
+    $expected_permissions[$this->users[3]->id()][] = t('Administer roles and permissions');
     $expected_permissions[$this->users[3]->id()][] = t('Administer users');
 
     foreach ($view->result as $index => $row) {
diff --git a/modules/user/user.permissions.yml b/modules/user/user.permissions.yml
index 810583c..8473360 100644
--- a/modules/user/user.permissions.yml
+++ b/modules/user/user.permissions.yml
@@ -1,5 +1,6 @@
 administer permissions:
-  title: Administer permissions
+  title: 'Administer roles and permissions'
+  description: 'Create, edit, delete and manage permissions of users roles.'
   restrict access: true
 administer account settings:
   title: 'Administer account settings'
@@ -9,6 +10,10 @@ administer users:
   title: 'Administer users'
   description: 'Manage all user accounts. This includes editing all user information, changes of email addresses and passwords, issuing emails to users and blocking and deleting user accounts.'
   restrict access: true
+administer users roles:
+  title: 'Administer users roles'
+  description: 'Add or remove roles on user accounts. Note: to administer users roles, you also need the permission to administer users.'
+  restrict access: true
 access user profiles:
   title: 'View user information'
 change own username:
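Review bot: Role assignment moves from 'administer permissions' to the new 'administer users roles' permission, but this diff contains no update path, so roles that could assign roles before would lose that ability on upgrade unless one is added elsewhere. The new description says 'administer users' is also needed, while the `#access` check changed in AccountForm.php tests only the new permission, so the text describes a dependency that the visible code does not enforce at that point. On wording, 'users roles' would read better as 'user roles' in the title and in both descriptions, e.g. `description: 'Add or remove roles on user accounts. Also requires the "Administer users" permission.'`.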
