Problem/Motivation
There is an 'Administer permissions' permission. It does not mention that it grants permission to manage user roles.
Proposed resolution
Change the title of 'Administer permissions' to 'Administer roles and permissions'.
Original report by @dpi
administer permissions is arguably the most important permission on the site. Roles who have this permission have keys to the whole kingdom; they can assign themselves any permission. This permission does not currently have a description. It deserves one. A description which communicates that roles with this permission effectively have full control of the site.
A description for admin permissions will help to contrast against the administer users permission. administer users grants almost all control over users, except role assignment and permission grants.
For reference, description for admin permissions:
Manage all user accounts. This includes editing all user information, changes of email addresses and passwords, issuing emails to users and blocking and deleting user accounts.
Comment | File | Size | Author |
---|---|---|---|
#20 | drupal-permissions.JPG | 19 KB | Krzysztof Domański |
#16 | interdiff.2847808.14-16.txt | 1.19 KB | longwave |
#16 | 2847808-16.drupal.Add-permission-description-to-administer-permissions.patch | 1.61 KB | longwave |
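
To make the report's point concrete, here is one way to list the roles that currently hold this permission, and why. It is an added example, not code from the issue or from Drupal core. It assumes a bootstrapped site (for instance run with `drush php:script`), and the function name `audit_permission_admin_roles()` is hypothetical.

```php
<?php

/**
 * Added example (not Drupal core code): report every role that holds
 * 'administer permissions' and can therefore grant itself anything.
 * audit_permission_admin_roles() is a hypothetical name.
 */

use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

function audit_permission_admin_roles(): array {
  $findings = [];
  foreach (Role::loadMultiple() as $rid => $role) {
    // hasPermission() is also TRUE for a role flagged is_admin, so the
    // reason is recorded separately below.
    if (!$role->hasPermission('administer permissions')) {
      continue;
    }
    // The anonymous and authenticated roles are implicit and are not stored
    // on user accounts, so an entity query cannot count their members.
    $implicit = in_array($rid, [
      RoleInterface::ANONYMOUS_ID,
      RoleInterface::AUTHENTICATED_ID,
    ], TRUE);
    $count = $implicit ? NULL : (int) \Drupal::entityQuery('user')
      ->accessCheck(FALSE)
      ->condition('roles', $rid)
      ->count()
      ->execute();
    $findings[$rid] = [
      'label' => $role->label(),
      'reason' => $role->isAdmin() ? 'is_admin role' : 'explicit grant',
      'users' => $count,
    ];
  }
  return $findings;
}

foreach (audit_permission_admin_roles() as $rid => $f) {
  $users = $f['users'] === NULL
    ? 'implicit role, applies to every matching visitor'
    : $f['users'] . ' account(s)';
  print "$rid ({$f['label']}): {$f['reason']}, $users\n";
}
```

Any role reported with "explicit grant" that is not meant to be a full site administrator is worth reviewing.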
Comments
Comment #2
dpi: Proposed description for administer permissions:
Comment #3
jibran: Yeah, new description makes sense.
Comment #4
yoroy at Roy Scholten commented: Not sure we need two warnings with this description. It already gets "Warning: Give to trusted roles only; this permission has security implications." added to it. All the other permissions that have this warning do not elaborate on what those implications might be, we probably don't have to do that here either.
Would something like "Manage roles, set their permissions and assign them to user accounts." be enough?
Comment #5
xjm: The extra description for this permission was removed on purpose in #620446: Rewrite permission titles and descriptions.
Also, this patch will conflict with the changes proposed in #2846365: [regression] User roles field access is inconsistent, users with 'administer users' permission can gain full access. I would almost close it as a duplicate of that issue, which is the one addressing the actual problem with this permission. Better to fix than to explain what's broken. :)
Edit: sorry, disregard that paragraph; it was based on a misunderstanding.
Comment #6
dpi: I don't see how this is the case. That issue had a problem because someone used the wrong permission, because they did not know which permission to use.
There's no problem or 'broken'-ness, just role assignment is not defined well. On the surface, it would seem correct that either administer users or administer permissions would be relevant permissions.
Comment #7
dpi: #620446: Rewrite permission titles and descriptions removed the description because "Currently a lot of permission descriptions say the same as their titles", and it was true at the time: "Manage the permissions assigned to user roles.".
But this permission does more than manage permissions.
I think it's important that the description at least mention role assignment.
Comment #8
xjm: Yeah sorry, this is my mistake. I misread the patch and issue. Edited my past comment to correct this.
Can we simply change the user-facing title of the permission to "Administer roles and permissions", instead of adding a lengthy description? It already has the "Warning" flag.
Comment #12
spitzialist at Unic commented
Comment #13
aburrows at DigiDrop commented: Working on this at DistributedSprintUK18.
Comment #14
aburrows at DigiDrop commented: I have attached a patch for this.
Comment #16
longwave: Updated test to match new permission name.
Comment #20
Krzysztof Domański: Looks good. Roles and permissions are the basic concept of Drupal. Changing the title to 'Administer roles and permissions' seems sufficient. This means that a user with this permission can also manage user roles. An additional description is not necessary.
Comment #22
catch: Committed 191df98 and pushed to 9.1.x. Thanks!
Comment #24
headstartcms commented: Need advice. I found an issue on the user permission access. All user permissions won't work when I try to customize the permissions. The check list multiple icons won't be able to function. The save button won't make changes on the user permissions.