Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.It appears that an editor assigned to a domain requires the 'administer domains' permission in order to alter any domain-specific theme settings. But this then grants access to all domain settings, not just to the assigned domain(s).
The use case I'm trying to achieve would allow an editor to choose and configure a theme for his/her assigned domain, without granting access to default or other domain settings. Ideally, a subset of all active themes could be presented to such domain editors, so that the default domain's theme, along with administrative themes could be excluded.
| Comment | File | Size | Author |
|---|---|---|---|
| #19 | domain_owndomain.tar_.gz | 1.23 KB | ergonlogic |
| #17 | domain_admin_own_domains_6.patch | 13.88 KB | ergonlogic |
| #16 | domain_admin_own_domains_5.patch | 8.74 KB | ergonlogic |
| #14 | domain_admin_own_domains_4.patch | 7.98 KB | ergonlogic |
| #12 | domain_admin_own_domains_3.patch | 6.52 KB | ergonlogic |
Comments
Comment #1
agentrickardIf we do this, the problem becomes "how do those users access the domain-specific theme settings?"
Making a new perm is a good idea, but it might not make it in the D6 version.
Comment #2
ergonlogicSo... I don't know if I'm on the right track here or not, but I played with the code a bit to see if I could implement a more general "Administer own domains" permission, while keeping the functionality otherwise identical. I've got a prototype more or less working, but there is at least one bug, and it currently only works for the theme settings. Bear in mind that I have no real coding experience, so please forgive my fumbling attempts here.
I took a brute force approach, creating a new 'administer own domains' permission, stuck a new item ('My Domains') in hook_menu() calling a new function my_domain_view(). This last is a wholesale copy of domain_view() with the SQL hardcoded, as I haven't yet figured out how "module_invoke_all('domainview', 'join')" works, nor how to add my own JOIN and WHERE to filter by $user->uid.
Following a similar approach, I used the 'administer own domains' permission in the domain_theme.module hook_menu(), adding page callbacks to my_domains_theme_page, my_domains_theme_reset and my_domains_theme_settings. I added my_domains_lookup() to generate a $my_domains variable for these new functions.
So, while this successfully limits access to domain theme settings, it appears to limit it to only the first domain found in the domain_editor table, which indicates to me that the bug is in the SQL of the my_domains_lookup() function.
I can't help but think that there's a more elegant way of doing this. I'm also pretty sure that I've violated some Drupal coding and/or naming conventions, patched against a version other than -dev, and probably a couple more mortal sins.
Comment #3
agentrickardThe biggest problem, actually is that the 6.x branch is closed to new features. So a patch would have to be against CVS HEAD for D7.
The idea of 'administer own domains' is a good one, but a major architecture and UI shift.
Comment #4
ergonlogicAh, I see. I've checked out CVS HEAD.
So, if a proper 'administer own domains' permission were to be implemented, what changes would be required from an architectural and UI standpoint?
What if this permission were only added to the admin/build/domain/view menu item? Could changes then be limited to hook_domainlinks(), and hook_domainview()? Perhaps using domain_get_user_domains() to set $domain rather than domain_domains()?
What I'm trying to get at is if the 'administer own domains' permission was limited to only domain-specific functionality, couldn't this be achieved by only ever returning a list of the user's assigned domains (minus the default domain) to all other functions?
Comment #5
ergonlogicSince there's no 7.x version currently, set to 6.x-2.x-dev.
Comment #6
agentrickardWell, I think we'd have to re-architect the permissions of who can view the domain_list() function, and then go from there.
Comment #7
ergonlogicdomain_list()? Do you mean domain_view()?
If that is the case, then this patch should do it.
Comment #8
agentrickardYes, I do. Thanks.
Please format patches according to http://drupal.org/patch/create
Comment #9
ergonlogicIs this better? Sorry for the newbie errors. I appreciate your guidance.
How important is '-p' option for diff?
Comment #10
agentrickardVery, AFAIK. Makes for easier reading.
So this is a start. Now you have to filter the domains and permissions....
Comment #11
ergonlogicOK, so this patch adds filtering the list of domains to just assigned domains should the user only have the 'administer own domains' permission. I don't know that this is the proper approach, nor that it is secure, but it appears to work.
I believe the use-case for 'administer own domains' should probably exclude domain 0. Similarly, while 'edit' makes sense, permission to 'delete' should probably remain with 'administer domains'. I'll work on these next.
Comment #12
ergonlogicThis patch implements the domain_view() UI tweaks mentioned in my previous comment, as well as elaborating the access callback to handle menu arguments passed from domain sub-modules. As far as I can tell, this patch implements all the features discussed above. It requires patching domain sub-modules to have menu items use the domain_admin_access() callback and pass access arguments, if any.
However, all of this only appears to work from the primary domain, and 'access denied' errors are presented whenever I try to access these functions from a subdomain. While this certainly makes sense for the 'administer domains' permission, it seems to me that 'administer own domains' should allow access from the appropriate subdomains.
Comment #13
agentrickardAccess denied may be a simple login cookie sharing issue.
Comment #14
ergonlogicIt looks like you were right, with regards to the domain sub-modules. But for domain_form() (/admin/build/domain/edit/[domain-id]), I had to add the ignore_domain_status_check argument.
This patch also updates the access callbacks in domain_conf.module. I can confirm that this works with domain_theme.module too, but since that module seems to have split off in HEAD, it isn't included in this patch.
AFAIK, this patch works as advertized. Should I go ahead and patch the rest of the sub-modules' access callbacks? I'm not familiar enough with them to know whether an 'administer own domains' makes sense in those contexts.
Comment #15
agentrickardWell, if we are going down this road, then we at least need each module to have its own permission for its configuration, which we would then double-check against 'administer domains' and 'administer own domains'.
Comment #16
ergonlogicLike so, for domain_conf?
Comment #17
ergonlogicOkay, if I understand correctly, the "administer" permissions should be necessary, but not sufficient for the configuration of each of the sub-modules.
So, I've added or modified the permissions in domain_alias, domain_conf and domain_content. The rest (domain_nav, domain_source and domain_strict) don't appear to have any configuration options, and don't add any items to domain_view(), and so haven't been changed.
Comment #18
brt CreditAttribution: brt commentedHi,
i need this functionality as well, and am trying out this patch for d6.
When i call "admin/build/domain/view" as a user assigned to the domain i get this error:
user warning: Column 'uid' in where clause is ambiguous query: SELECT COUNT(*) FROM domain d LEFT JOIN domain_user du ON du.domain_id = d.domain_id LEFT JOIN domain_editor de ON d.domain_id = de.domain_id WHERE uid = 3 AND d.domain_id != 0 in /data/www/d6/server/sites/all/modules/domain/domain.admin.inc on line 75.
user warning: Column 'uid' in where clause is ambiguous query: SELECT d.*, de.*, du.uid FROM domain d LEFT JOIN domain_user du ON du.domain_id = d.domain_id LEFT JOIN domain_editor de ON d.domain_id = de.domain_id WHERE uid = 3 AND d.domain_id != 0 ORDER BY d.domain_id ASC LIMIT 0, 25 in /data/www/d6/server/sites/all/modules/domain/domain.admin.inc on line 75.
I've created a roll "DomainAdmin" and given it the followind permissions:
administer own domains
configure domain settings
configure domain content
access domain settings form
I expected to see the editing-options of the one domain the user is assigned to. Am i missing something?
I have applied the patch to a clean drupal 6.16 installation with domain 6.x-2.4.
Comment #19
ergonlogicTry the attached module instead. It implements the functionality discussed, though there remains an issue with the domain admin page at admin/build/domain.
Basically, additional domain-related modules' links are created, whether the user has the additional permissions or not. Clicking one of these will result in an 'Access Denied' error. This suits my use-case, as I'm not currently using this page. From what I can tell, I'd have to create a custom version of the function that creates this page that checks whether the current user as access to the link, and removes it if not.
If there's interest and agentrickard doesn't have an objection, I could publish this properly as a module, though I think a better name would be in order.
Comment #20
agentrickardFor D6, this needs to be standalone. Probably for D7, too, since I have enough code to maintain.
Hopefully, I can test this next week.
Comment #21
ergonlogicI figured as much from http://drupal.org/node/607824#comment-2675540. I'm happy to maintain it myself, as it's fairly basic.
Any suggestions for a better name would be welcome.
Comment #22
agentrickardIdeas:
Comment #23
ergonlogic@agentrickard: Thanks, I'll give it some thought.
Now that I'll be releasing my little module, my perfectionist streak kicks in :/. So, I should probably only show the permissions if the appropriate sub-module is enabled.
Comment #24
brt CreditAttribution: brt commented@ergonlogic - Thanks, I've started testing "domain_owndomain" and it seems to be exactly what i need. I'll be happy to help out with testing.
One Question: I had a look at the code and called the pages manually, which worked. The links don't appear in the menu yet, do they?
Name: i like "domain_admin"
edit:
changing line 92 to:
return "LEFT JOIN {domain_editor} de ON d.domain_id = de.domain_id WHERE de.uid = ". $user->uid ." AND d.domain_id > 0";
seems to solve the "admin/build/domain" problems for me.
Comment #25
brt CreditAttribution: brt commentedI' not sure if it is possible but it would be great if the domain administrator could manage the users assigned to his domain.
Comment #26
ergonlogic@brt: Have you looked at http://drupal.org/project/domain_user_edit?
Comment #27
agentrickardComment #28
brt CreditAttribution: brt commented@ergonlogic No, I haven't look at "Domain User Edit" yet. Thanks for the Link.
Comment #29
ergonlogicFYI: I recently published a module based on the foregoing discussion: Domain Admin. Feel free to make any feature or support requests there.
Also, the folks behind Domain Administration Helper have contacted me to discuss merging our respective modules to "create a really great admin delegation suite".
@agentrickard: Thank you for your help and patience as I cut my teeth on this issue. Should you decide to include any of this functionality in Domain Access, I'd be happy to roll some patches for you.
@brt: Thanks for the motivation to actually publish this.
Comment #30
agentrickardWe'll look carefully at incorporating this when rolling 7.x.3.0.
Comment #31
julia_g CreditAttribution: julia_g commentedDid it make it into 7.x.3?
Comment #32
agentrickardNo. I haven't seen any patches yet.