This patch does not let you grant a permission you do not have access to. It simply removes the checkbox from the permission administer screen and takes care that otherwise checked checkboxes remain so.

CommentFileSizeAuthor
#1 tiered_user_perm_0.patch2.37 KBchx
tiered_user_perm.patch2.08 KBchx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

chx’s picture

chx CreditAttribution: chx commented
FileSize
tiered_user_perm_0.patch2.37 KB

Lots o' cleanup, removed empty modules and stuff. We do not checkboxes but invidual checkbox elements so it's actually cleaner than the original.

markus_petrux’s picture

markus_petrux CreditAttribution: markus_petrux commented

If your patch that adds the ability to sort module_list() was committed you could avail this oportunity to sort this list alphabetically.

Both are great things :-)

drumm’s picture

drumm
he/him
Location NY, US
CreditAttribution: drumm commented
Status: Needs review » Needs work

I would like to see this disable checkboxes instead of remove.

Steven’s picture

Steven CreditAttribution: Steven commented
Version: x.y.z » 6.x-dev
Paul Natsuo Kishimoto’s picture

Paul Natsuo Kishimoto CreditAttribution: Paul Natsuo Kishimoto commented

Seconding drumm's suggestion.

Crell’s picture

Crell CreditAttribution: Crell commented

Whether disabling or removing such checkboxes, it should be documented at the top of the page lest people get seriously confused.

Note that this could cause other workflow issues. For instance, you don't need uid 1 permission to enable a module. However, if that module offers new permissions, you will need to switch to uid 1 in order to enable that permission for anyone (since only uid 1 has a permission automagically). That's even more of an issue then with modules that have dynamic permissions, like CCK. CCK creates a new set of permissions for every node type you create. If you create a new node type, you then again need to switch back to uid 1 before you can create a node of that type because you need to give yourself that permission.

In effect, this would render a lot of administrative permissions effectively useless except for uid 1, because of the extra permission step involved. The only way around that I see is to have the dreaded "wheel" or "auto-admin" group concept so that some accounts can have uid 1-ish permissions, or to have both "can assign permissions" and "can assign any permission" permissions.

chx’s picture

chx CreditAttribution: chx commented

Well, then modules being aware that they are adding new permission (on enable, on node type creation or whatever) shall grant it to the current user.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
CreditAttribution: webchick commented

Hm. That gets tricky too though... if I'm user 34 and a member of the roles "authenticated," "editor," and "site administrator," I obviously don't want all permissions for that module to go to the editor or authenticated roles. And checking for if (user_access('blah permissions') || $user->uid == $module->uid) sounds kind of clunky... hm...

Crell’s picture

Crell CreditAttribution: Crell commented

All I can think of here would be to make access to the permission edit page based on its own permission, in which case you can only change permissions you have, or on the enable-modules permission, in which case you get access to change everything. That feels a bit sloppy, but less so than "if it's the user that enabled it" logic.

BioALIEN’s picture

BioALIEN CreditAttribution: BioALIEN commented

Very interesting discussion. Subscribing.

Jomel’s picture

Jomel CreditAttribution: Jomel commented

Well we already have the can assign any permission permission, this bug should just be about adding a can assign own permissions to others permission.
That way the people who have access to the server and might be uploading modules can be given the "can assign any permission", so can sort out the permissions for new modules etc.
Meanwhile, slightly less trusted "moderator-type" people can be allowed to assign permissions they already have to people, hence helping to manage the userbase (similarly it would be useful if they could assign roles to users on condition that those roles contain only a subset of their permissions, but I guess that's a new bug).

chx’s picture

chx CreditAttribution: chx commented
Version: 6.x-dev » 7.x-dev
Priority: Critical » Normal
RobLoach’s picture

RobLoach
he/him
CreditAttribution: RobLoach commented

....Interesting.

mlncn’s picture

mlncn CreditAttribution: mlncn commented

Found this thread looking for a module to do exactly what Jomel suggested. This comes up all the time when building sites for others. (There is no solution in contrib yet?) As a developer you want to give client "site administrators" as much power as you think you can without their a) being confused or b) destroying their own site.

"If I am in a role with a certain permission I can give that permission to other roles" seems like a very sensible approach to safely delegating a lot of power... and, of course, making that a permission itself!

Maybe the whole thing does belong in contrib. Note that if we do try something like chx's original patch, having an administrator role in core would help greatly by enabling modules to automatically give most (but not all) permissions to this role, it could take care of the trickiness webchick brings up in #8...

sun.core’s picture

sun.core CreditAttribution: sun.core commented
Version: 7.x-dev » 8.x-dev
ceardach’s picture

ceardach CreditAttribution: ceardach commented

I just committed additions to the pwn module to additionally restrict granting of roles based, again, on which permissions the user has. However, I agree that functionality like this belongs in core. The PWN module separates "administer permissions" from the ability to share permissions, either through the permissions matrix or by granting roles that contain permissions the editor has themselves.

chx’s picture

chx CreditAttribution: chx commented
Assigned: chx » Unassigned
Issue summary: View changes

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.