Hi,

I have a few suggestions that I think would make this already great module a little better.

1. I think it's great that we can assign users the ability to only assign certain roles, but it would be nice to have the option to allow users to only be able to view / edit users which they have the ability to assign a role to. For instance, if a user has the privilege of assigning roles X, Y and Z, they should only be able to edit / view users which are assigned one of these three roles.

2. I think that there should be an option to allow a user to only be assigned one role... basically switching the checkboxes to radio buttons. I've modified the code already to do this, but it is a global change and hard-coded. I'm not sure how you would go about integrating an option to turn this on or off in the configuration of Role Delegation. See code below...

I've never really modified / suggested project updates, so I'm sorry if I'm stepping on anyone's toes or breaking the rules.

// Form builder, modified so that each account holds exactly one role. The
// function wrapper and the computation of $default are filled in so the
// fragment runs; the function names follow the module's form/submit naming.
function role_delegation_roles_form(&$form_state, $account) {
  // Provide a separate radio option for each role but hide those the user has no authority over.
  $roles = _role_delegation_roles();
  $remove = array();
  foreach ($roles as $rid => $role) {
    if (!user_access(_role_delegation_make_perm($role)) && !user_access('administer permissions')) {
      // Collect roles the user can't assign for array subtraction.
      $remove[$rid] = $role;
    }
  }
  // Remove disallowed roles from the options.
  $roles = array_diff_key($roles, $remove);

  // Radios take a single value: preselect the first of the account's current
  // roles that is still on offer, if any.
  $default = NULL;
  foreach ($account->roles as $rid => $name) {
    if (isset($roles[$rid])) {
      $default = $rid;
      break;
    }
  }

  // Create radio buttons.
  $form['roles'] = array(
    '#type' => 'radios',
    '#default_value' => $default,
    '#options' => $roles,
  );
  $form['account'] = array(
    '#type' => 'value',
    '#value' => $account,
  );
  $form['submit'] = array(
    '#type' => 'submit',
    '#value' => t('Submit'),
  );

  drupal_set_title(check_plain($account->name));
  return $form;
}

// Updated submit handler: stores the single selected role.
function role_delegation_roles_form_submit($form, &$form_state) {
  if (isset($form_state['values']['account']->uid)) {
    $uid = $form_state['values']['account']->uid;
    // Remove every role the account currently has (including any the
    // submitting user is not allowed to assign), then store the selected one.
    db_query('DELETE FROM {users_roles} WHERE uid = %d', $uid);
    db_query('INSERT INTO {users_roles} (uid, rid) VALUES (%d, %d)', $uid, $form_state['values']['roles']);

    // Delete the user's menu cache.
    cache_clear_all($uid . ':', 'cache_menu', TRUE);

    drupal_set_message(t('The roles have been updated.'));
  }
}

Comments

David Lesieur

Title: A few requests. Single Role assignment / Users only allowed to view specific users. » Allow users to only view/edit users which they have the ability to assign a role to
Version: 6.x-1.0 » 6.x-1.x-dev

While I find your first idea interesting, I think the second one does not belong in Role Delegation: I don't see many needs for it, and it could be implemented through hook_form_alter() in a separate module.
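
For parkej60's second suggestion and the hook_form_alter() route suggested above, here is an added example of what such a separate module could look like. This is not Role Delegation's code and not anything attached to this issue; the module name role_delegation_single, the settings path and the variable name are invented for the example. It assumes the Roles tab form id is 'role_delegation_roles_form', that the form exposes the assignable roles as one $form['roles'] element of type 'checkboxes', and that the module's submit handler iterates $form_state['values']['roles'] as rid => value and saves the rids whose value is non-zero.

```php
<?php
// Added example (not Role Delegation's own code): a hypothetical companion
// module, role_delegation_single, that switches the Roles tab to radio
// buttons only while a site setting is on. See the assumptions above.

/**
 * Implementation of hook_form_alter().
 */
function role_delegation_single_form_alter(&$form, &$form_state, $form_id) {
  if ($form_id != 'role_delegation_roles_form' || !variable_get('role_delegation_single_role', 0)) {
    return;
  }
  if (!isset($form['roles']) || $form['roles']['#type'] != 'checkboxes') {
    // The form does not have the shape we assume; leave it alone rather than break it.
    return;
  }
  $form['roles']['#type'] = 'radios';
  // Checkboxes default to an array of rids; radios take exactly one.
  $current = array_filter((array) $form['roles']['#default_value']);
  $form['roles']['#default_value'] = $current ? reset($current) : NULL;
  $form['roles']['#required'] = TRUE;
  // Validation runs before the module's own submit handler, so the value can
  // be put back into the rid => value shape that handler expects.
  $form['#validate'][] = 'role_delegation_single_validate';
}

/**
 * Restore the checkboxes-style value so the original submit handler is unchanged.
 */
function role_delegation_single_validate($form, &$form_state) {
  $rid = $form_state['values']['roles'];
  // Defence in depth: Form API already rejects values outside #options and,
  // because of #required, empty submissions.
  if (!isset($form['roles']['#options'][$rid])) {
    form_set_error('roles', t('Select exactly one of the roles you may assign.'));
    return;
  }
  $form_state['values']['roles'] = array($rid => $rid);
}

/**
 * Implementation of hook_menu(): settings page (hypothetical path).
 */
function role_delegation_single_menu() {
  $items['admin/user/role-delegation-single'] = array(
    'title' => 'Role Delegation: single role',
    'description' => 'Allow each account to hold only one delegated role.',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('role_delegation_single_settings'),
    'access arguments' => array('administer permissions'),
  );
  return $items;
}

/**
 * Settings form; system_settings_form() saves the variable.
 */
function role_delegation_single_settings() {
  $form['role_delegation_single_role'] = array(
    '#type' => 'checkbox',
    '#title' => t('Allow only one role per user on the Roles tab'),
    '#default_value' => variable_get('role_delegation_single_role', 0),
  );
  return system_settings_form($form);
}
```

Because the value is converted back in a validate handler, the module's own submit handler keeps running unchanged, and switching the setting off restores the checkboxes without touching Role Delegation itself.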

qbert72

I had a need similar to parkej60's request #1. Basically, I wanted to have groups of users that could manage themselves in an autonomous manner, without allowing them the wide-ranging powers that come with the 'administer users' permission.

I started with the 'Role Delegation' module, which worked like a charm. But we still needed to give our "group admins" the 'administer users' permission, so that they could reach the users list and perform operations on them (resetting passwords, mostly). With the default Drupal setup, these "group admins" could then access any user account, including those "above them" in the role hierarchy and potentially stage a takeover.

I looked at the User Protect module, which seemed like a good solution. I found it a bit overkill with the level of granularity it allowed, yet somewhat underpowered when it came to enforcing a user hierarchy. And I didn't like the idea that I would have to enter my role hierarchy in two different modules. Don't repeat yourself!

So I took the parts of User Protect that I liked and wrote my own little module, User Administration Delegation, that depends on Role Delegation and restricts operations on users according to the Role Delegation's permissions. I've attached it to this message. I'm fairly new at Drupal and I'm not ready to officially publish it and support it, but I thought it could still help people. Maybe the maintainers of Role Delegation will decide it's worthy of inclusion in their module.

A design decision I should outline: if your user can only assign the 'foo' role, you will be able to edit only users who have just that role assigned to them. A user who has the roles 'foo' and 'bar' will be deemed outside your realm, and you will not be able to edit them.

Thanks!

Feet

I too am looking for a solution for parkej60's request #1.

qbert72's module works nicely and is very simple for limiting edit.

I would like the same ability to limit the view as the module does in limiting edit.

Can anyone point me in the right direction for limiting the view in admin/user/user? (so users can only see other users that share their roles)

David Lesieur

@qbert72: I have not tried it yet, but your module seems to solve the issue nicely. Because it relates to editing users rather than managing roles, I feel that it does not really belong into Role Delegation even though both modules would be perfect partners. I suggest that you submit User Administration Delegation as a new project on drupal.org when you are ready. I'd be glad to refer to it from Role Delegation's project page.

martin_q

@qbert72: I loved your module and it does almost exactly what I needed it to. The attached patch fixes some issues I found:

- Users were not universally able to edit their own account settings. I add a simple check to _user_admin_delegation_can_user_admin_account($user,$account) to see if $user->uid == $account->uid.

- Role Delegation assumes that everyone with 'administer users' permission can access the Edit tab, so it blocks the Roles tab. Since your module limits access to the Edit tab, there is a need to make the Roles tab available to users who have 'administer users' permission but cannot edit some users. I create new functions to decide access rules for the Roles tab.

- Without messing with admin/user/user, which as pointed out in #3 is visible to all who have 'administer users' permission, I wanted more than just an error message when clicking on 'Edit' for a user over whom I do not have editing permission. So, where access to the Roles tab is allowed, I redirect there, and add a warning message saying so. Likewise, where access to the Edit tab is allowed, 'user/%/roles' redirects to there instead of just failing.

- I also discovered what seems to be a bug in tac_lite, which I will report there, but I'll leave the fix in here as well, pending changes to that module. Basically, the second-level 'taxonomy-based access' tab created by tac_lite uses 'administer users' permission rather than 'administer tac_lite' which it should use. So granting 'administer users' to my delegated role managers gave them a tab (albeit a non-functioning one) that they shouldn't have.

I think this would be excellent as a contributed module to extend the brilliant work that Role Delegation does. One thing to consider - because of the reassigning of access callbacks etc, do we need to hard-wire the weight of this module in order to control when it is applied?

martin_q

Status: Active » Needs review

Sorry, spoke too soon. Use of drupal_goto to redirect is overruled by use of ?destination= and so if we click on an unallowable edit link on admin/user/user we return simply to admin/user/user. I shall investigate further...

talino

I too think that parkej60's suggestion #1 is an essential feature. I was looking for something like this module for a long time, and it does *exactly* what I was looking for. However, the *first* thing I noticed about it was that users belonging to certain roles must not be allowed to be editable.

Just my 2c.

martin_q

Oh, sorry for forgetting to keep this updated. The patch attached takes care of the 'destination' query - it checks for one, unsets it from the current action, but adds a new query to the URL after re-routing. So we go to the correct tab (edit/roles) even if the wrong one is clicked on or entered directly in the URL, and once finished, we go back to wherever 'destination' is set to.

So with my patch, qbert72's work is, I contend, ready to be made into a module, which would fulfil parkej60's suggestion #1.

martin_q

Just found a bug in 'user_admin_delegation':

In the function '_user_admin_delegation_can_user_admin_account', we check user access for each of the individual roles but we fail to check whether the user has 'assign all roles' permission. So

    if (!user_access(_role_delegation_make_perm($role))) {
      return FALSE;
    }

needs to become

    if (!user_access('assign all roles') && !user_access(_role_delegation_make_perm($role))) {
      return FALSE;
    }

See attached patch, which also contains formatting improvements. To be applied to the module file in #2
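
Pulling together the rules described in this thread (qbert72's realm rule in #2, the self-edit exception and the 'assign all roles' fix in martin_q's posts), here is an added example of the access check and the menu override it hangs off. This is a reconstruction written for this page, not the attached User Administration Delegation module or its patches, whose bodies are not shown here. It uses Role Delegation's helpers _role_delegation_roles() and _role_delegation_make_perm() as they appear in the code above, assumes _role_delegation_roles() returns rid => role name, and assumes Drupal 6's 'user/%user_category/edit' router item with user_edit_access() as its access callback.

```php
<?php
// Added example (not the attached module's code): the user-administration
// access rule described in this thread, plus the hook_menu_alter() that
// applies it to the Edit tab. Assumptions are listed in the text above.

/**
 * TRUE if $user may administer $account.
 *
 * A user may always edit their own account; a user with 'assign all roles'
 * may edit anyone; otherwise every role the account holds must be one the
 * user may assign, so an account holding any role outside the user's realm
 * is off limits (qbert72's design decision).
 */
function _user_admin_delegation_can_user_admin_account($user, $account) {
  if ($user->uid == $account->uid) {
    return TRUE;
  }
  if (user_access('assign all roles', $user)) {
    return TRUE;
  }
  // Roles that can be delegated at all (assumed: rid => name).
  $delegable = _role_delegation_roles();
  foreach ($account->roles as $rid => $name) {
    // The built-in authenticated role carries no delegation permission.
    if ($rid == DRUPAL_AUTHENTICATED_RID || !isset($delegable[$rid])) {
      continue;
    }
    if (!user_access(_role_delegation_make_perm($name), $user)) {
      // One role outside the realm is enough to deny.
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * Access callback for the Edit tab: core's rule AND the delegation rule.
 */
function user_admin_delegation_edit_access($account) {
  global $user;
  return user_edit_access($account)
    && _user_admin_delegation_can_user_admin_account($user, $account);
}

/**
 * Implementation of hook_menu_alter(): swap the Edit tab's access callback.
 */
function user_admin_delegation_menu_alter(&$items) {
  if (isset($items['user/%user_category/edit'])) {
    $items['user/%user_category/edit']['access callback'] = 'user_admin_delegation_edit_access';
    $items['user/%user_category/edit']['access arguments'] = array(1);
  }
}
```

The check is conjunctive with user_edit_access(), so it can only narrow what core already allows, never widen it; after enabling the module the menu router has to be rebuilt (menu_rebuild()) for the altered callback to take effect. Note that this only guards the Edit tab: the user listing at admin/user/user and the other operations tied to 'administer users' are untouched, which is the loophole later posts in this thread point out.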

qbert72

My oh my! There has been a lot of activity in this thread since I last checked. As I said, I wasn't ready back then to take on the task of publishing and maintaining a Drupal module. The absence of answer on my part should attest to this. ;-)

martinquested, if you want to publish this module on Drupal.org and become its owner and chief maintainer, you have my permission.

daniel.merino

Hi everybody.

I'm trying to configure a video management portal with Drupal. I need to restrict the content by "channels" (a mixture of content types, roles and views) and I would like to delegate the role administration to several "role managers", so they can add registered users to their channels.

Role Delegation is almost perfect for my purposes, but the role managers can edit the users' fields and even delete them. I think that a role manager only should be able to change the roles of the users and nothing more.

I'm very interested in the previous patch (User Admin Delegation) because I haven't been able to use the module User Protect. It doesn't work for me even uninstalling Role Delegation, I don't know why.

However, I'm using Drupal 5.18 and the patch is for Drupal 6. Would it be possible to get a version of this patch for Drupal 5.x? Or maybe to add the patch functionality to the module Role Delegation?

Thanks in advance.
Best regards.

grendzy

+1 for this. At a minimum, I think the documentation should be updated to remind users that "administer users" is a site-owning permission.
http://drupal.org/security-advisory-policy

This is a huge loophole that basically defeats the purpose of role_delegation.

(but it's still one of my favorites, that gets installed on most all my projects. Thanks!)

awlo

You might want to take a look at this module: http://drupal.org/project/administerusersbyrole .

David Lesieur

Status: Needs review » Fixed

@awlo: Thanks for the link. From the module's description, that seems to solve the issue. I have added a mention of Administer Users by Role on Role Delegation's page.

Status: Fixed » Closed (fixed)
Issue tags: -user admin edit delegation

Automatically closed -- issue fixed for 2 weeks with no activity.