I have given the Role 'level2' the permissions: 'administer users' and 'edit users with role level2'

From a user account with Role 'level2', I was able to edit users who were not assigned any role (Not working as expected).

However, if I were to give a user the Role 'level5', 'level2' could not edit 'level5' (works as expected).



Fanyalla’s picture

Status: Active » Needs review
1.01 KB


One thing that might be disturbing is that every user of a Drupal site has by default the role "authenticated user".

I made a patch that adds the permissions:

  • delete users with role authenticated user
  • edit users with role authenticated user

But you have to be careful, because all users have this role. So whoever has the permission "delete users with role authenticated user" can delete all users on the site (except user with uid 1).

I do not know what the maintainer of this module thinks about that but I'm attaching the patch if someone is interested.

Fanyalla’s picture

Status: Needs review » Active

Well, the patch does not work ... because in fact if someone tries to edit a user with role "authenticated user" and "admin" for example, he or she must have the edit permission for both of the roles.

I do not know if this patch was a good idea.

I think we should leave the module as it is and assign every user at least one default role other than "authenticated".

Bartezz’s picture

Fanyalla, I think it isn't bad at all that one should have permissions to edit both roles. What if you assign an admin permissions to edit users with the role 'groupie' but he/she should not be able to edit users with the role 'artists'?

Now if you have user called LadyGaGa which has both a groupie (just heard on the radio she's extremely obsessed with Madonna) and an artist role then the admin could edit LadyGaGa which he/she shouldn't be allowed to unless he/she has permissions to edit both groupies and artists.

Similar goes for authenticated users... so I'd love to see your patch!


smokris’s picture

Assigned: Unassigned » smokris
Status: Active » Fixed

Thanks, CollinY2K and Fanyalla. I took a slightly different approach to #1 — I created two new permissions: 'edit users with no custom roles' and 'delete users with no custom roles', since the patch on #1 would require all editor users to have that permission (since all users have the 'authenticated user' role). My approach allows a little more flexibility (e.g., so you could set up an editor user who can edit users who have a certain custom role, but cannot edit users who have no custom roles).

And thanks, Bartezz, for the explanation about requiring editor user to have aggregate permissions in order to edit/delete; that's exactly my rationale.

Committed to 6.x-1.x-dev as http://drupalcode.org/project/administerusersbyrole.git/commit/d4c59d8.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.
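
The rule this thread settles on (an editor needs the permission for every custom role the target holds, and a separate permission for targets with no custom roles), modelled as an added example that is not the module's code or part of any comment above. It is plain PHP with no Drupal API calls; the function name `may_act_on_user()` is hypothetical, and the permission strings follow the thread's wording rather than the module's actual machine names.

```php
<?php
// Added model of the access rule from this thread; not the module's own code.
// Permission strings copy the thread's wording and are assumed for the model.

const AUTHENTICATED = 'authenticated user'; // implicit role every account holds

/**
 * Decide whether an editor may perform $op ('edit' or 'delete') on a target.
 *
 * @param string[] $editorPerms permissions granted through the editor's roles
 * @param string[] $targetRoles role names held by the target account
 */
function may_act_on_user(string $op, array $editorPerms, array $targetRoles): bool
{
    // Ignore the implicit role: every account has it, so it cannot scope access.
    $custom = array_values(array_diff($targetRoles, [AUTHENTICATED]));

    if ($custom === []) {
        // Without this branch the loop below never runs for such a target
        // and the function would fall through to "allow".
        return in_array("$op users with no custom roles", $editorPerms, true);
    }

    // Aggregate rule: every custom role on the target must be covered.
    foreach ($custom as $role) {
        if (!in_array("$op users with role $role", $editorPerms, true)) {
            return false; // one uncovered role is enough to deny
        }
    }
    return true;
}

// Constructed sample data using the role names from the original report.
$editors = [
    'level2 only'       => ['edit users with role level2'],
    'level2 + no-roles' => ['edit users with role level2',
                            'edit users with no custom roles'],
];
$targets = [
    'no custom roles' => [AUTHENTICATED],
    'level2'          => [AUTHENTICATED, 'level2'],
    'level5'          => [AUTHENTICATED, 'level5'],
    'level2 + level5' => [AUTHENTICATED, 'level2', 'level5'],
];
foreach ($editors as $who => $perms) {
    foreach ($targets as $label => $roles) {
        $verdict = may_act_on_user('edit', $perms, $roles) ? 'allow' : 'deny';
        printf("%-18s -> %-16s %s\n", $who, $label, $verdict);
    }
}
```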