Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Updated: Comment #20
Problem/Motivation
This module's purpose is to provide new permissions to avoid admins allowed to edit users to be able to edit user settings. Currently, they can't access the user settings page but they can access users Fields and Display settings. These are important things that should also be locked.
Proposed resolution
Create a new specific permission to access the users Fields and Display settings.
Remaining tasks
Create the new permissionApply the permission to the user Fields settingsApply the permission to the user Display settings
Related Issues
#2096901: Apply coding standards (to apply the last patch)
Comment | File | Size | Author |
---|---|---|---|
#27 | restrict_access_to_all-2054645-27.patch | 1.13 KB | claudiu.cristea |
#27 | interdiff.txt | 959 bytes | claudiu.cristea |
Comments
Comment #1
DuaelFrThis patch is part of the #1day1patch initiative.
Comment #2
tchurch CreditAttribution: tchurch commentedI will look at this patch over the weekend (hopefully) but my first comment would be that we should get new permissions for both of these items.
I think both under one new permission.
Comment #3
tchurch CreditAttribution: tchurch commentedThis patch needs changes to it.
1) to add extra permission to control this
2) to use the correct function naming conventions
I have some new code which I'm quickly testing and then I'll post back a new patch for others to test.
Comment #4
tchurch CreditAttribution: tchurch commentedHere is a new patch.
Let me know what you think.
Comment #5
tchurch CreditAttribution: tchurch commentedComment #6
tchurch CreditAttribution: tchurch commentedComment #7
tchurch CreditAttribution: tchurch commentedComment #9
tchurch CreditAttribution: tchurch commentedAutomatic testing failed because of format reasons but the code itself works.
Can someone test it?
Comment #10
tchurch CreditAttribution: tchurch commentedBefore this is committed you might also want to look at this module.
https://drupal.org/project/field_ui_permissions
It seems to do the same thing but for all entity types.
Comment #11
DuaelFr#4 is good for me
#10 is good to know but I think that User Settings Access should restrict anything related to User accounts and not rely on another module to manage Fields access. (The less you have the better you are)
Comment #12
tchurch CreditAttribution: tchurch commentedThe problem I now have is that this code change clashes with fields_ui_permissions. If both modules are active then fields_ui_permissions controls it and ignores this modules new setting. I'm trying to investigate it to see if there's a solution but not having a lot of luck (or time).
I would prefer if fields_ui_permissions did the work as it combines this check with other entity types too.
Comment #13
DuaelFrAdding a module to manage all entity types when you only need to restrict users and when another module (yours) already does half the work is a bit overkill. If everyone did that kind of things, this would cause a lot of performances issues and make the website harder to maintain.
Your module's purpose is to help developpers to allow their users to administrate accounts but not user general settings. Even if an other module can complete yours, you have to offer the developpers a full set of functionnalities matching your module's scope.
If you are really afraid of a conflict with fields_ui_permissions, we could just add a
if (!module_exists('fields_ui_permissions'))
around my patched lines.Comment #14
GuyPaddock CreditAttribution: GuyPaddock commented#4: user_settings_access-restrict_account_fields_and_display-2054645-4.patch queued for re-testing.
Comment #16
DuaelFrPatch rerolled
Comment #18
DuaelFrThis one will apply when the #2096901: Apply coding standards issue will be close :)
Comment #20
YesCT CreditAttribution: YesCT commentedhttps://drupal.org/contributor-tasks/write-issue-summary has instructions for how to make a good issue summary. it will help others jump in to work on this.
Comment #21
DuaelFr#18: user_settings_access-restrict_account_fields_and_display-2054645-18.patch queued for re-testing.
Comment #22
DuaelFr@YesCT : job done
Comment #22.0
DuaelFrUpdate issue summary
Comment #24
inno81 CreditAttribution: inno81 commentedThis patch works for me!
Comment #25
claudiu.cristeaFixing also #2054679: Hide the "Manage display" DS tab.
Comment #26
claudiu.cristeaImproved.
Comment #27
claudiu.cristeaSmall fix when access callback is not defined.
Comment #28
DuaelFrCan be simplified using only a strpos() call.
Good job, though. Thanks.
Comment #29
claudiu.cristeaWe need to catch:
but not
Comment #30
DuaelFrI'm not sure that path you want to avoid is a real use case but what I'm sure is that using a regular expression on every route of the website can be a real performances hole.
After a quick thinking I don't know if we really want that this module alters all
admin/config/people/accounts/*
routes. We do know that we want to restrict access toadmin/config/people/accounts/fields
andadmin/config/people/accounts/display
because these are Core routes. But, if we restrictadmin/config/people/accounts/*
routes we are going to interfere with other modules and people would not understand why they have to use 'administer account settings' permission instead of the one defined in the module that created the route.If you really want to restrict all these routes, I guess, you should alter the routes that are using the Core's 'adminster users' permission and only these ones. I'm not sure that this is the purpose of this module, though.
Comment #31
djpable CreditAttribution: djpable as a volunteer commentedI confirm that path "admin/config/people/accounts/fields" is still accessible after the patch at #27, with this Warning:
Warning: call_user_func_array() expects parameter 1 to be a valid callback, function 'administer account settings' not found or invalid function name in field_ui_admin_access()
Comment #32
steinmb CreditAttribution: steinmb as a volunteer commented