I like the operation that allows me to add/remove role(s) for multiple users. The only problem is that anyone I allow to do this is able to add/remove any role.

I would like to have this operation determine the roles to make available for this operation based on whether the role_delegation module is enabled.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

wdouglascampbell’s picture

FileSize
656 bytes

The attached patch makes the modifications necessary to implement this feature.

infojunkie’s picture

Version: 6.x-1.9 » 6.x-1.x-dev
Status: Active » Fixed

Committed in the latest dev. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jpdaley’s picture

Status: Closed (fixed) » Active

I am using the most recent dev release views_bulk_operations-6.x-3.x-dev and also have role_delegation-6.x-1.3. When I use VBO to enable bulk update on roles anyone with access to the view can assign ANY role (not just those assigned by role delegation) so I do not think the patch is working (if it is indeed included with the latest dev).

infojunkie’s picture

Version: 6.x-1.x-dev » 6.x-3.x-dev

Yes, 6.x-3.x-dev is behind 6.x-1.x-dev. I am planning to merge the two branches to avoid these situations in the future.

infojunkie’s picture

Status: Active » Fixed

VBO 6.x-1.10-beta2 and above support both Views 2.x and 3.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

danielmrichards’s picture

Version: 6.x-3.x-dev » 7.x-3.x-dev
Issue summary: View changes
Status: Closed (fixed) » Needs review
FileSize
1.22 KB

Apologies for resurrecting a 6 year old issue! But it appears that this is still a problem with the 7.x-3.x branch; in that it is still possible to circumvent the restrictions put in place by the role_delegation module. A user is able to bulk assign/remove any role even if they have not been given permission to do so.

Attached is a patch for the 7.x-3.x branch of this module, integration with version 7.x-1.1 of role_delegation.

danielmrichards’s picture

Upon further consultation with https://www.drupal.org/u/mhz I think a cleaner approach will be to patch the Role Delegation module itself. See my issue thread - https://www.drupal.org/node/2708317.

ron_s’s picture

@danielmrichards, what is the status of this patch? I read your thread at #2708317, and seems as though the issue has been moved back over here. Also the issue you referenced (https://www.drupal.org/node/2564855) doesn't seem to be anything more than a restatement of the issue.

I consider this to be a fairly significant problem. We recently had a case where an editor started assigning roles to which the person did not have access, and finally tracked down they were using the VBO admin view to apply roles that were being blocked by Role Delegation.

I would think most people would assume that configuring Role Delegation will change the properties everywhere, but in fact it does not.

The patch in #8 seems like a reasonable approach, and looks like a similar patch was committed to 6.x. Do you not consider it to be the right method after your conversation with @benjy?

danielmrichards’s picture

Hi @ron_s. In terms of functionality the patch i submitted in #8 works fine, however as you can see it has not been merged at this stage.

I also had a bit of a change of heart, after consulting with my dev team, that using module_exists checks in this module to resolve an issue caused by a different module is not the cleanest solution. Which is why I decided to open the issue with Role Delegation over at #2708317. Unfortunately @benjy does not agree with the approach I am taking and has left the patch un-merged.

So I leave it down to the maintainers of VBO (@bojanz or @infojunkie) to decide on the status of this patch. As for Role Delegation you'll need to take the issue up with @benjy.

ron_s’s picture

Actually looked at it a bit more, and the patch doesn't really seem to work the way I would expect. We have VBO, Admin Views, and Role Delegation, and the only way I could solve was by adding an extra condition in the Roles Delegation action form.

Take a look at the patch I created on https://www.drupal.org/node/2708317 and let me know if this fits what you're trying to accomplish, or if we're potentially trying to fix different issues. Thanks.

ron_s’s picture

Actually I just realized you're using "Modify user roles" in the selected bulk operations, while I'm using "Delegate roles".

Maybe using "Delegate roles" plus the patch I included in #2708317 will fix your issue? I think a major part of the problem is each module is using its own role-controlling actions, and Administration Views by default uses the VBO option. I cloned the Admin View, and switched from using "Modify user roles" to "Delegate roles", and that put us on the right path.