In several setups, one wants to grant the 'administer users' permission to certain roles (for example to forum admins), however without allowing those users to change permissions on the 'access control' page, and without allowing them to change the users' roles (so that they can't, for example, promote themselves to admin).

Therefore, I propose to introduce a new permission (I called it 'administer access control', patch attached), to split up the existing 'administer users' permission into 2 permissions.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Dries’s picture

Status: Needs review » Fixed

Committed to HEAD. Thanks.

kloomis’s picture

Category: feature » bug
Priority: Normal » Critical

I tried to apply the patch to Drupal 4.6 using the following command
patch user.module < administer_access_control.patch
and I received the following error messages
hunk#4 failsed at 669
hunk#5 succeeded at 1074 wuth fuzz 1 (offset -67 lines)
hunk #6 failed at 1119
2 out of 6 hunks failed.
saving rejects to file user.module.rej

tamarian’s picture

Kloomis, this patch is for cvs, not 4.6 :)

killes@www.drop.org’s picture

Category: bug » feature
Priority: Critical » Normal

This patch was not intended for 4.6

kloomis’s picture

Oh. Can it be gotten for 4.6? Will it be made available in the future?

Anonymous’s picture

Status: Fixed » Closed (fixed)
DriesK’s picture

Version: » 4.6.3
Status: Closed (fixed) » Needs review
FileSize
1.91 KB

The previous patch allowed only users with the 'administer access control' patch to block users, which doesn't make sense. The attached patch is to be applied after the previous patch, and allows users with the 'administer users' permission to block users.

DriesK’s picture

Version: 4.6.3 » x.y.z
chx’s picture

Status: Needs review » Needs work

Blocking is one thing -- and roles are quite another. roles need administer access control.

DriesK’s picture

Boy oh boy. I clearly wasn't thinking. I'll make a new patch.

DriesK’s picture

Status: Needs work » Needs review
FileSize
2 KB

Here it is.

chx’s picture

Status: Needs review » Needs work

I am not 100% sure as I do not have the time to test, but I think we just discovered a problem in the original patch... are you sure I can't just insert the roles form element into HTML and have fun from there? I saw no user_edit_execute -- if there would be one, it'd be great...

DriesK’s picture

Status: Needs work » Needs review
FileSize
2.63 KB

What should be handled by user_edit_execute() is currently handled by user_edit(), as it was in the pre-forms api era. As almost all user.module functions, this function hasn't been updated yet to the execute model. I don't have time to do this update, but the attached patch should cover the problem you mentioned I think. It can be transferred to user_edit_execute later.

chx’s picture

Status: Needs review » Needs work

Looks good, but can be simplified -- I am not sure it's necessary to play array_intersect(array_keys) when a mere isset would do.

DriesK’s picture

Status: Needs work » Needs review
FileSize
2.6 KB

I had also thought about that, and the array_intersect approach looked more extensible to me (to potentially add more keys later), but if you like isset better: here it is :-)

chx’s picture

Status: Needs review » Reviewed & tested by the community

There is no later. Next time someone touches this it'll be execute model conversion and then you need no checking for rogue elements.

Dries’s picture

Status: Reviewed & tested by the community » Fixed

Committed to HEAD. Thanks.

Anonymous’s picture

Status: Fixed » Closed (fixed)