Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
I like the operation that allows me to add/remove role(s) for multiple users. The only problem is that anyone I allow to do this is able to add/remove any role.
I would like to have this operation determine the roles to make available for this operation based on whether the role_delegation module is enabled.
Comment | File | Size | Author |
---|---|---|---|
#8 | views_bulk_operations-integration_with_role_delegation-777836-2.patch | 1.22 KB | danielmrichards |
#1 | user_roles.action.inc_.patch | 656 bytes | wdouglascampbell |
Comments
Comment #1
wdouglascampbell CreditAttribution: wdouglascampbell commentedThe attached patch makes the modifications necessary to implement this feature.
Comment #2
infojunkie CreditAttribution: infojunkie commentedCommitted in the latest dev. Thanks!
Comment #4
jpdaley CreditAttribution: jpdaley commentedI am using the most recent dev release views_bulk_operations-6.x-3.x-dev and also have role_delegation-6.x-1.3. When I use VBO to enable bulk update on roles anyone with access to the view can assign ANY role (not just those assigned by role delegation) so I do not think the patch is working (if it is indeed included with the latest dev).
Comment #5
infojunkie CreditAttribution: infojunkie commentedYes, 6.x-3.x-dev is behind 6.x-1.x-dev. I am planning to merge the two branches to avoid these situations in the future.
Comment #6
infojunkie CreditAttribution: infojunkie commentedVBO 6.x-1.10-beta2 and above support both Views 2.x and 3.x.
Comment #8
danielmrichards CreditAttribution: danielmrichards commentedApologies for resurrecting a 6 year old issue! But it appears that this is still a problem with the 7.x-3.x branch; in that it is still possible to circumvent the restrictions put in place by the role_delegation module. A user is able to bulk assign/remove any role even if they have not been given permission to do so.
Attached is a patch for the 7.x-3.x branch of this module, integration with version 7.x-1.1 of role_delegation.
Comment #9
danielmrichards CreditAttribution: danielmrichards commentedUpon further consultation with https://www.drupal.org/u/mhz I think a cleaner approach will be to patch the Role Delegation module itself. See my issue thread - https://www.drupal.org/node/2708317.
Comment #10
ron_s CreditAttribution: ron_s commented@danielmrichards, what is the status of this patch? I read your thread at #2708317, and seems as though the issue has been moved back over here. Also the issue you referenced (https://www.drupal.org/node/2564855) doesn't seem to be anything more than a restatement of the issue.
I consider this to be a fairly significant problem. We recently had a case where an editor started assigning roles to which the person did not have access, and finally tracked down they were using the VBO admin view to apply roles that were being blocked by Role Delegation.
I would think most people would assume that configuring Role Delegation will change the properties everywhere, but in fact it does not.
The patch in #8 seems like a reasonable approach, and looks like a similar patch was committed to 6.x. Do you not consider it to be the right method after your conversation with @benjy?
Comment #11
danielmrichards CreditAttribution: danielmrichards commentedHi @ron_s. In terms of functionality the patch i submitted in #8 works fine, however as you can see it has not been merged at this stage.
I also had a bit of a change of heart, after consulting with my dev team, that using
module_exists
checks in this module to resolve an issue caused by a different module is not the cleanest solution. Which is why I decided to open the issue with Role Delegation over at #2708317. Unfortunately @benjy does not agree with the approach I am taking and has left the patch un-merged.So I leave it down to the maintainers of VBO (@bojanz or @infojunkie) to decide on the status of this patch. As for Role Delegation you'll need to take the issue up with @benjy.
Comment #12
ron_s CreditAttribution: ron_s commentedActually looked at it a bit more, and the patch doesn't really seem to work the way I would expect. We have VBO, Admin Views, and Role Delegation, and the only way I could solve was by adding an extra condition in the Roles Delegation action form.
Take a look at the patch I created on https://www.drupal.org/node/2708317 and let me know if this fits what you're trying to accomplish, or if we're potentially trying to fix different issues. Thanks.
Comment #13
ron_s CreditAttribution: ron_s commentedActually I just realized you're using "Modify user roles" in the selected bulk operations, while I'm using "Delegate roles".
Maybe using "Delegate roles" plus the patch I included in #2708317 will fix your issue? I think a major part of the problem is each module is using its own role-controlling actions, and Administration Views by default uses the VBO option. I cloned the Admin View, and switched from using "Modify user roles" to "Delegate roles", and that put us on the right path.