Users with the 'community' role are able to grant the 'trusted' role to others. This is done via the Flag module and the permissions to 'moderate users' and 'toggle trusted role'.

The 'Moderate users' permission (I think) makes the 'Administer nodes' and 'Administer comments' sub-tabs visible on user profiles. When a 'community' user tries to delete either comments or nodes on those sub-tabs, they can't, since they don't have administer content permissions.

The 'Administer nodes/comments' sub-tabs should not be accessible to users with the 'community' role at all. Per the upcoming changes to the user role progression (#2386793: Modify user role progression on Drupal.org), they also aren't supposed to be able to block users.
So we need some solution here which would still let them give the 'trusted' role to others.

Original report by @naveenvalecha

I am able to access the administer xy tabs and can trigger the delete process which results in a bogus success message.


Comments

dddave’s picture

Quick clarification: Naveen is able to access the administer xy tabs and can trigger the delete process which results in a bogus success message (if I understand our mail contact correctly).

naveenvalecha’s picture

Yes dddave!

naveenvalecha’s picture

Title: Grant naveenvalecha the spam fighter role with the ability to "delete spam" » Not have the ability to "delete spam"
Issue summary: View changes

Updated issue summary.

tvn’s picture

Title: Not have the ability to "delete spam" » Users with 'Community' role should not see 'Administer comments' and 'Administer nodes' sub-tabs of user profiles
Project: Drupal.org site moderators » Drupal.org customizations
Version: » 7.x-3.x-dev
Component: Spam » Code
Issue summary: View changes

Thanks for reporting this permissions bug, moving to Customizations so we could deal with it.

dddave’s picture

Could we grant Naveen the necessary rights maybe?

naveenvalecha’s picture

@dddave,
Already done. Thanks!
@tvn,
After checking the code, I found that we just have to remove the community role id from http://cgit.drupalcode.org/drupalorg/tree/drupalorg/views/drupalorg_admi... and http://cgit.drupalcode.org/drupalorg/tree/drupalorg/views/drupalorg_admi...
It's a small nitpick for this one. Lemme know the role id of the 'Community' role. I'd love to provide a patch for the same.
Thoughts?

tvn’s picture

Good catch, naveen. Community role is 7. 3 and 4 are administrator and webmaster, let's keep these two.
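An added example, not part of the thread and not the drupalorg code: a small Python check that scans Drupal 7 Views exports for role-restricted displays and reports any role ID other than 3 and 4, the IDs confirmed above, so a leftover role such as 7 is caught in review. The sample export, its view name and path are constructed, and the `['access']['role']` export layout is assumed to match the views referenced above.

```python
import re

# Role IDs the thread says keep access: 3 and 4 (administrator, webmaster).
ALLOWED_ROLE_IDS = frozenset({3, 4})

# Constructed sample in Drupal 7 Views export style; not the real drupalorg file.
SAMPLE_EXPORT = """
$view = new view();
$view->name = 'example_admin_user_nodes';
$handler = $view->new_display('default', 'Master', 'default');
$handler->display->display_options['access']['type'] = 'role';
$handler->display->display_options['access']['role'] = array(
  3 => '3',
  4 => '4',
  7 => '7',
);
$handler = $view->new_display('page', 'Page', 'page_1');
$handler->display->display_options['path'] = 'user/%/example-admin-nodes';
"""

VIEW_NAME = re.compile(r"\$view->name\s*=\s*'([^']+)'")
DISPLAY = re.compile(r"new_display\(\s*'[^']*'\s*,\s*'[^']*'\s*,\s*'([^']+)'")
ROLE_BLOCK = re.compile(r"\['access'\]\['role'\]\s*=\s*array\((.*?)\);", re.S)
ROLE_ID = re.compile(r"(\d+)\s*=>")


def _last_before(pattern, text, pos):
    """Return group 1 of the last match of `pattern` found in text[:pos]."""
    last = "unknown"
    for match in pattern.finditer(text, 0, pos):
        last = match.group(1)
    return last


def audit_view_export(php_source, allowed=ALLOWED_ROLE_IDS):
    """List (view, display, extra_role_ids) for role access wider than `allowed`."""
    findings = []
    for block in ROLE_BLOCK.finditer(php_source):
        granted = {int(rid) for rid in ROLE_ID.findall(block.group(1))}
        extra = sorted(granted - allowed)
        if extra:
            view = _last_before(VIEW_NAME, php_source, block.start())
            display = _last_before(DISPLAY, php_source, block.start())
            findings.append((view, display, extra))
    return findings


if __name__ == "__main__":
    for view, display, extra in audit_view_export(SAMPLE_EXPORT):
        print(f"{view} [{display}]: unexpected role IDs {extra}")
```
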

naveenvalecha’s picture

Status: Active » Needs review
FileSize
1.16 KB

@tvn,
Thanks for confirming the same!
Patch attached.

tvn’s picture

Status: Needs review » Reviewed & tested by the community
Issue tags: +drupal.org account creation

I applied the patch at https://roles-drupal.redesign.devdrupal.org. Seems to be working well. Thank you!

  • drumm committed db2204b on 7.x-3.x authored by naveenvalecha
    Issue #2394993 by naveenvalecha: Users with 'Community' role should not...

drumm’s picture

Status: Reviewed & tested by the community » Fixed
Issue tags: +needs drupal.org deployment

Looks good.

drumm’s picture

Issue tags: -needs drupal.org deployment

Now deployed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.