Problem/Motivation

RoleDelegationAccessCheck doesn't seem to work as expected, define the rules, fix the code and add new tests.

Proposed resolution

RoleDelegationAccessCheck is designed for checking access to /user/%/roles which allows users without normal admin permissions but with a role such as "assign content editor role" to manage user roles. This page is in addition to editing roles at /user/%/edit.

Proposal

  1. Currently you can't access this page if you can "access user profiles". This makes no sense, let's remove it.
  2. Currently you can't view this page if you can "administer users". We don't need to check this explicitly but it should give you access.
  3. Currently, you cannot edit this page even when you have a permission like "assign custom role", this is a bug, fix and add tests.
  4. Currently you can view this page if you have "administer permissions". Let's remove this because with core, you can only edit permissions if you also have "administer users" to edit via the user page; if we allowed access based on this permission, installing the module would open up a roles interface to those users.

Remaining tasks

User interface changes

API changes

Data model changes
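The four rules in the proposal amount to a small access decision: grant the roles page to "administer users" or to any delegated "assign ... role" permission, and consult neither "access user profiles" nor "administer permissions". The class below is an added illustration written for this issue, not the module's own RoleDelegationAccessCheck or the committed patch; it uses only Drupal core APIs (AccessResult, AccountInterface, Role) and assumes the delegated permissions are named "assign <role id> role", which is inferred from the examples in the summary ("assign content editor role", "assign custom role") and is not confirmed by the page.

```php
<?php

// Hypothetical access check illustrating the proposal's rules. It is not the
// role_delegation module's own code. The "assign <role id> role" permission
// naming is an assumption.

namespace Drupal\role_delegation_example\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;

class RoleAssignmentAccessCheck implements AccessInterface {

  /**
   * Decides whether $account may use the /user/%/roles page.
   *
   * Rules 2 and 3 of the proposal grant access. Rules 1 and 4 are implemented
   * by their absence: "access user profiles" is never required, and
   * "administer permissions" on its own does not open the roles page, so
   * enabling the module grants nothing to users who only hold that permission.
   */
  public function access(AccountInterface $account): AccessResultInterface {
    // Rule 2: a full user administrator can always manage roles.
    $result = AccessResult::allowedIfHasPermission($account, 'administer users');

    // Rule 3: any delegated "assign <role> role" permission is sufficient.
    foreach ($this->delegatableRoleIds() as $rid) {
      $result = $result->orIf(
        AccessResult::allowedIfHasPermission($account, "assign $rid role")
      );
    }

    // The outcome depends only on the account's permissions, so it can be
    // cached per permissions; nothing else (profile access, permissions
    // administration) is consulted.
    return $result->cachePerPermissions();
  }

  /**
   * Role IDs a user could be given. The locked anonymous and authenticated
   * roles are never assignable, so no "assign ... role" permission is checked
   * for them.
   */
  protected function delegatableRoleIds(): array {
    $roles = Role::loadMultiple();
    unset($roles[RoleInterface::ANONYMOUS_ID], $roles[RoleInterface::AUTHENTICATED_ID]);
    return array_keys($roles);
  }

}
```

To attach a check like this to a route it would be registered as a service tagged `access_check` with an `applies_to` requirement key, and that key added under the route's `requirements:` in the routing file; the service name and key are whatever the implementing module chooses and are not taken from this page.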


Comments

benjy created an issue. See original summary.

benjy

Version: 7.x-1.x-dev » 8.x-1.x-dev
benjy

Issue summary: View changes
benjy

Issue summary: View changes
benjy

Issue summary: View changes
benjy

Status: Active » Needs review
File size: 4.57 KB

Patch with tests.

benjy

Now with even less code.

Sam152

Status: Needs review » Reviewed & tested by the community

Looks good.

+++ b/role_delegation.routing.yml
@@ -4,6 +4,6 @@ role_delegation.edit_form:
     _controller: '\Drupal\role_delegation\Controller\RoleDelegationController::editForm'
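Review bot: only the unchanged context line (`_controller: '\Drupal\role_delegation\Controller\RoleDelegationController::editForm'`) of this hunk is quoted, with none of its `+`/`-` lines, so what actually changed at lines 4-6 of role_delegation.routing.yml cannot be assessed from the excerpt; on the form route enhancer question, a route whose only job is to build a form can declare `_form: '<form class placeholder>'` under `defaults:` instead of `_controller:`, which lets core's form route enhancer hand the request to the form builder and makes the `editForm()` controller method unnecessary.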

No form route enhancer?

benjy

Status: Reviewed & tested by the community » Fixed

  • benjy committed 4349f64 on 8.x-1.x
    Issue #2691425 by benjy, Sam152: Do a security audit on...
benjy

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.