Users with the 'community' role are able to grant the 'trusted' role to others. This is done via the Flag module and the permissions to 'moderate users' and 'toggle trusted role'.
The 'Moderate users' permission (I think) makes the 'Administer nodes' and 'Administer comments' sub-tabs visible on user profiles. When a 'community' user tries to delete either comments or nodes on those sub-tabs, they can't, since they don't have administer content permissions.
The 'Administer nodes/comments' sub-tabs should not be accessible for users with the 'community' role at all. Per the upcoming changes to the user role progression (#2386793: Modify user role progression on Drupal.org), they also aren't supposed to be able to block users.
So we need some solution here which would still let them give the 'trusted' role to others.
Original report by @naveenvalecha
I am able to access the administer xy tabs and can trigger the delete process which results in a bogus success message.
Comment | File | Size | Author |
---|---|---|---|
#8 | remove-community-role-administers-tab-2394993-8.patch | 1.16 KB | naveenvalecha |
Comments
Comment #1
dddave commented: Quick clarification: Naveen is able to access the administer xy tabs and can trigger the delete process which results in a bogus success message (if I understand our mail contact correctly).
Comment #2
naveenvalecha commented: Yes dddave!
Comment #3
naveenvalecha commented: Updated issue summary.
Comment #4
tvn commented: Thanks for reporting this permissions bug, moving to Customizations so we could deal with it.
Comment #5
dddave commented: Could we grant Naveen the necessary rights maybe?
Comment #6
naveenvalecha commented:
@dddave,
Already done. Thanks!
@tvn,
After checking the code, I found that we just have to remove the community role id from http://cgit.drupalcode.org/drupalorg/tree/drupalorg/views/drupalorg_admi... and http://cgit.drupalcode.org/drupalorg/tree/drupalorg/views/drupalorg_admi...
It's a small nitpick for this one. Lemme know the role id of the 'Community' role. I'll love to provide a patch for the same.
Thoughts?
Comment #7
tvn commented: Good catch, naveen. Community role is 7. 3 and 4 are administrator and webmaster, let's keep these two.
Comment #8
naveenvalecha commented:
@tvn,
Thanks for confirming the same.
Patch attached.
Comment #9
tvn commented: I applied the patch at https://roles-drupal.redesign.devdrupal.org. Seems to be working well. Thank you!
Comment #11
drumm commented: Looks good.
Comment #12
drumm commented: Now deployed.