Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Currently it is only possible to delegate roles to existing users. If you create a new user the role tab (or radio buttons) is missing – except the user has the "administer permissions" permission, which bypasses the role delegation module.
Steps to reproduce on http://simplytest.me/:
- Login as admin
- Create new role "editor"
- Grant role "editor" permission to delegate role "editor"
- Grant role "editor" permission to administer users
- Login as "editor"
- Create a new user
You will notice, that you are not able to delegate a role in the first step. You have to assign it afterwords.
Correct me, if I'm wrong :-)
Comment | File | Size | Author |
---|---|---|---|
#28 | role-delgation-Drupal 8.6.x.png | 110.52 KB | Prashant.c |
#28 | role-delegation.png | 154.25 KB | Prashant.c |
#27 | role-delegation-user-forms-2811851-27.patch | 16.21 KB | geertvd |
#27 | interdiff-2811851-22-27.txt | 1.73 KB | geertvd |
#20 | role-delegation-user-forms-2811851-20.patch | 14.43 KB | kevin.dutra |
|
Comments
Comment #2
pminfCorrected grammar
Comment #3
benjy CreditAttribution: benjy at PreviousNext commentedManipulating the existing user/register form and user/edit forms was initially left out of the D8 port when I committed it because it added quite a bit of complexity and the code was messy. Having it on a separate tab allowed a standard way to manipulate the roles.
I can see why this feature would be useful though for UX, happy to review patches here if someone wants to put it forward.
Comment #4
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedComment #5
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedHere's a first stab. Effectively, this patch prevents any attempts to adjust roles that you don't have access to and tweaks the user forms to visually align with that.
It might make sense to deny access to the Roles tab if you have access to edit the user (since it's redundant), but I didn't take it that far with this patch.
Comment #7
jojonaloha CreditAttribution: jojonaloha at Metal Toad commentedAttached is a new patch that uses the "assign all roles" permission instead for the check. It also fixes an issue where this doesn't work when creating a user, only when editing existing users.
Comment #8
jojonaloha CreditAttribution: jojonaloha at Metal Toad commentedComment #10
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedHmm, I don't think that would work. The user forms grant access to the roles field only if you have the
administer permissions
permission.So if we don't alter the form for a user with
assign all roles
, then they will not have access to the field.Also, just as a performance thing, removing the check for the
administer permissions
permission means that we're doing unnecessary processing to accumulate the delegated roles. (A user with that permission gets access to all roles out of the box, from core.)Comment #11
jojonaloha CreditAttribution: jojonaloha at Metal Toad commentedAlso just discovered that this patch breaks
drush urol
. So you cannot assign roles to users from drush because of thehook_user_presave()
Comment #12
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedWell, sort of. You can still add roles via Drush, but since Drush operates as an anonymous user by default, you would have to specify an appropriate user to run as, i.e.
drush --user=webmaster urol ...
Admittedly, it's not as user friendly because you don't get an error back from that command when it doesn't add a particular role.
The reason I opted to use the presave hook is that we need to be able to limit the roles for more than just the UI (i.e. user form), which is what Role Delegation has traditionally done. If we target UI only, then it leaves security loopholes for users to edit roles they shouldn't via other mechanisms, like web services. So I think the Entity API is still the way to go, but the approach may still need some massaging. The ideal solution would be to somehow actually have proper access control, but access control only really extends to the field level, not "individual options on a field".
Comment #13
jojonaloha CreditAttribution: jojonaloha at Metal Toad commentedThe reason for the presave hook makes sense to me, but I think it does cause an API change unrelated to the original request.
Here is a slightly different approach, very similar to how the Role tab works, in fact most of the code was stolen from
RoleDelegationSettingsForm
. It does not do access checking on submit, only on the form alter. This is just like what happens inRoleDelegationSettingsForm::submitForm()
.I also switched back to "administer permissions" like @kevin.dutra mentioned in #10
Comment #14
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedYeah, I see where you're coming from. I wonder if there's a way that we could introduce a faux field via the Field API so that it would be available to both the UI and any other mechanism. I'd have to double check to be sure, but I would imagine there's a way to define a field that has no storage or display.
Comment #15
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedI'm actively working on the field based approach. Hopefully I should have something today, including some test coverage.
Comment #16
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedWell, it ended up being a bit more involved than I would have hoped, but I think this basically gets us to where we want to be. This patch uses a "computed" base field, in lieu of just a form element, so that a web service would be able to use the field too. For an end user, the UI should be the same. Additional test coverage has been added too. And we should be without the weird side effects of the last attempt at using the Entity API. ;)
Comment #18
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedIncluding all the changes might help...
Comment #20
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedComment #21
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedHmm, looks like there's one scenario where things don't quite work -- when submitting a request via the REST API and omitting the
role_change
field.Comment #22
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedThis should cover that last base.
Comment #23
kevin.dutra CreditAttribution: kevin.dutra at Workday, Inc. commentedComment #24
gnuschichten CreditAttribution: gnuschichten at ETECTURE GmbH commentedI applied patch #22, now I can assign user to selected roles, which in my configuration exclude "administrator", but I am able to add on the people page the excluded role "administrator" via action links.
Comment #25
ryan.gibson CreditAttribution: ryan.gibson at Mediacurrent commentedThe bug from #22 is already reported in https://www.drupal.org/node/2862360 and actually happens regardless of whether this patch is applied or not. That being said, I've applied this patch and while it works, the role field is duplicated and appears both in a separate tab, but below the account fields. This may be specific to my installation, but that's the behavior I'm getting.
Comment #26
Sutharsan CreditAttribution: Sutharsan at LimoenGroen commented1. The roles form element is placed below the "Notify user of new account" checkbox (as @ryanissamson already reported)
2. The 'Roles' label is not translated.
Comment #27
geertvd CreditAttribution: geertvd at Geert van Dort commentedFixed the untranslated "Roles" label.
Placing the new roles field above the "Notify user of new account" field is tricky since these fields don't have a
#weight
set, for now I just placed the field inside the "account" group but I'm not sure how to make it appear in the right order without looping over all the fields and setting a#weight
for each.Comment #28
Prashant.cPatch #27 seems to be fixing the issue for "Roles" section, which was not appearing before applying the patch.
I also agree with #26 that "Roles form" is appearing below the "Notify user of new account" checkbox. Ideally it should be above this checkbox.
However great work with the patch, applies cleanly and works really nice..!!!
Comment #29
Sophie.SKMarking this as RTBC.
The patch applies cleanly and works well. Not sure how much of a blocker it is to have it in the "wrong place" on the user form. I guess if it's that much of an issue (and the field weights can't be set, because the fields around them don't have weights), people could always modify it themselves?
Otherwise you're into the tricky realm of battling with core field weights in a contrib patch...
Comment #30
Prashant.cAny updates on this still in RTBC ?
Comment #31
Rob230 CreditAttribution: Rob230 commentedIt's a great idea, hope to see it committed soon.
Comment #32
ThomWilhelm CreditAttribution: ThomWilhelm commentedJust came across this module, it's exactly what I need! However I'm concerned there aren't going to be any more releases. Have seen a few important bugs fixed in the past year that are now RTBC, however there hasn't been a release or an update to the 8.x development branch in almost 2 years now.
Comment #33
MrPaulDriver CreditAttribution: MrPaulDriver commentedAny news on getting this committed yet?
Comment #34
heddnThis has been RTBC for some time. Is there any blocker on committing and release a non-alpha of this module?
Comment #35
Alan D. CreditAttribution: Alan D. commentedSub'n the old way to bump it up the issue list ;)
Comment #37
JeroenTCommitted and pushed to 8.x-1.x. Thanks!
Comment #38
MrPaulDriver CreditAttribution: MrPaulDriver commentedThank you
Comment #39
JeroenTComment #40
JeroenT