It looks like, that if I have roles user, superuser and admin and if I restrict admin role from being changed by the superuser who has access to user management, it still can deactivate the admin user even though it doesn't have the "bypass access restrictions" enabled.

Comments

kingofsevens’s picture

kingofsevens CreditAttribution: kingofsevens commented

I believe this also collides with two other modules seperately, Role Assign and Role Delegation modules.

jamienovick’s picture

jamienovick CreditAttribution: jamienovick commented
Issue summary: View changes

Just to add my comment here also:

Sven,

I know its been a long time since you've looked at this module but having reviewed the above I think bencorpo's point currently holds true.

Whilst you are correct that your module only interacts with the permissions and not the roles, you need to look at both together to get the correct workflow.

The issue is that in order to use your module and allow a user to manage a subset of roles and permissions, as far as I understand it, you still need to grant them the "Administer permissions" permission.

This permission overrules the limits that are set in place by the Roleassign and Role delegation modules. i.e. with this permission (which you module needs) the other modules do not work and the user can assign themselves the administrator role (and then see all the permissions).

Otherwise its a great idea for a module!

Has anyone out there patched this already otherwise will look at getting this done?

Thanks

jamienovick’s picture

jamienovick CreditAttribution: jamienovick commented

this module seems to work without that issue: https://www.drupal.org/project/subpermissions