diff --git a/administerusersbyrole.info b/administerusersbyrole.info
index d40f76d..7fd7e5b 100644
--- a/administerusersbyrole.info
+++ b/administerusersbyrole.info
@@ -1,7 +1,7 @@
 name = Administer Users by Role
-description = "Allows users with 'administer users' permission and a role (specified in 'Permissions') to edit/delete other users with a specified role. Also provides control over user creation."
+description = "Allows users with a role (specified in 'Permissions') to edit/delete other users with a specified role. Also provides control over user creation."
 core = 7.x
 files[] = administerusersbyrole.test
 files[] = views/administerusersbyrole_handler_field_user_link_edit.inc
-files[] = views/administerusersbyrole_handler_field_user_link_cancel.inc
\ No newline at end of file
+files[] = views/administerusersbyrole_handler_field_user_link_cancel.inc
diff --git a/administerusersbyrole.module b/administerusersbyrole.module
index f98e8e2..6f58d73 100644
--- a/administerusersbyrole.module
+++ b/administerusersbyrole.module
@@ -43,7 +43,63 @@ function administerusersbyrole_menu_alter(&$items) {
 $items['user/%user/edit']['access arguments'] = array(1);
 $items['user/%user/cancel']['access callback'] = '_administerusersbyrole_can_cancel_user';
 $items['user/%user/cancel']['access arguments'] = array(1);
- $items['admin/people/create']['access arguments'] = array('create users');
+ $items['admin/people']['access callback'] = 'administerusersbyrole_access_create_callback';
+ $items['admin/people/create']['access callback'] = 'administerusersbyrole_access_create_callback';
+ $items['user/%user']['access callback'] = '_administerusersbyrole_can_view_user';
+ $items['user/%user']['access arguments'] = array(1);
+}
+
+/**
+ * Allow permitted users to create user accounts without needing the 'Administer
+ * users' permission.
+ */
+function administerusersbyrole_access_create_callback($string, $account = NULL) {
+ global $user;
+ if (!isset($account)) {
+ $account = $user;
+ }
+
+ if (user_access('create users', $account)) {
+ $static = &drupal_static('user_access');
+ $static[$account->uid][$string] = TRUE;
+ }
+
+ return user_access($string, $account);
+}
+
+/**
+ * Implements hook_form_FORM_ID_alter() for user_register_form.
+ */
+function administerusersbyrole_form_user_register_form_alter(&$form, &$form_state, $form_id) {
+ // Display roles that the user is allowed to edit
+ if (!$form['account']['roles']['#access']) {
+ foreach ($form['account']['roles']['#options'] as $rid => $role) {
+ if (!user_access(_administerusersbyrole_build_perm_string($role, 'edit', FALSE)) && !user_access(_administerusersbyrole_build_perm_string($role, 'edit', TRUE))) {
+ unset($form['account']['roles']['#options'][$rid]);
+ }
+ }
+ $form['account']['roles']['#access'] = count($form['account']['roles']['#options']) > 0;
+ }
+
+function _administerusersbyrole_can_view_user($account) {
+ $uid = is_object($account) ? $account->uid : (int) $account;
+
+ // Never allow access to view the anonymous user account.
+ if ($uid) {
+ // Admins can view all, users can view own profiles at all times.
+ if ($GLOBALS['user']->uid == $uid || user_access('administer users')) {
+ return TRUE;
+ }
+ elseif (user_access('access user profiles')) {
+ // At this point, load the complete account object.
+ if (!is_object($account)) {
+ $account = user_load($uid);
+ }
+ return (is_object($account) && ($account->status || user_access('create users')));
+ }
+ }
+ return FALSE;
+}
 }
 
 function _administerusersbyrole_can_edit_user($account) {
@@ -151,4 +185,4 @@ function administerusersbyrole_views_api() {
 'api' => 3,
 'path' => drupal_get_path('module', 'administerusersbyrole') . '/views',
 );
-}
\ No newline at end of file
+}
diff --git a/administerusersbyrole.test b/administerusersbyrole.test
index 7fea3c0..85a8679 100644
--- a/administerusersbyrole.test
+++ b/administerusersbyrole.test
@@ -45,7 +45,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 _administerusersbyrole_build_perm_string($roleName, 'edit', FALSE),
 );
 if ($allowEditorToCancel) {
@@ -71,7 +70,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 _administerusersbyrole_build_perm_string('alpha', 'edit', TRUE),
 );
 $this->checkPermissions(array(), TRUE);
@@ -82,7 +80,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 _administerusersbyrole_build_perm_string('alpha', 'cancel', TRUE),
 );
 $this->checkPermissions(array(), TRUE);
@@ -95,7 +92,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 _administerusersbyrole_build_perm_string('beta', 'edit', TRUE),
 );
 $this->checkPermissions(array(), TRUE);
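Review bot: The closing brace of `administerusersbyrole_form_user_register_form_alter` is missing — the context `}` that follows `return FALSE;` now ends the form-alter hook, so `_administerusersbyrole_can_view_user` is declared inside it and only exists once the registration form has been built in the same request; on every other request the `user/%user` access callback registered in `administerusersbyrole_menu_alter` (which begins before this hunk) resolves to an undefined function. Add a `}` after the `$form['account']['roles']['#access'] = count(...) > 0;` block and its enclosing `}` so both functions are top-level. Separately, `administerusersbyrole_access_create_callback` stores `$static[$account->uid][$string] = TRUE` in the `user_access` static cache, which makes every later `user_access($string)` call in the request succeed for that account, not only this menu check — and `$string` is the route's own access argument (for `admin/people` presumably 'administer users'), so holders of 'create users' effectively gain that permission for the rest of the request wherever any module checks it. If only route access is intended, `return user_access('create users', $account) || user_access($string, $account);` gives the same result without the cache write; if the request-wide grant is deliberate, the docblock should say so and name the permission it confers.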
@@ -108,7 +104,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 'edit users with no custom roles',
 );
 foreach ($this->roles as $roleName => $roleID) {
@@ -122,7 +117,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 'cancel users with no custom roles',
 );
 foreach ($this->roles as $roleName => $roleID) {
@@ -136,7 +130,6 @@ class AdministerUsersByRoleTestCase extends DrupalWebTestCase {
 $perms = array(
 'access administration pages',
 'access content',
- 'administer users',
 'create users',
 );
 $this->checkPermissions(array(), TRUE);