This is a good module and I am using it, but it does make me a bit nervous with regards to the amount of power I must give to a "Role Assigner." Meaning that, a Role Assigner now has access to modify a user's profile at will.

I would like to make two suggestions:

1) It would be great if this module limited the Role Assigner to just that (Just the ability to assign roles and no access to the rest of user profile.)

2) Another really powerful feature would be that (within the Role Assign Access Control options) give two additional Access Control options that would grant the Role Assigner the ability to (a) Approve Roles, (b) Disapprove Role assignments. (Here I envision something like the "Roles:" check box is grayed out if checked and the Role Assigner has been granted "Disapprove Role".

Note, I would have filed these separate but here's why I did not: (1) sounds more difficult than (2) and you could almost address (1) [or at least address the underling fear of the damage that could occur over the long term without (1)] with a modified implementation of (2). Here's the idea - for a Role Assigner only granted Approve Role Assign, deny access to users where any of the Role Assigner's defined role(s) [the roles they have been allowed to grant] are already assigned. Basically giving the assigner a 1 time shot at role granting.

I wish I could code up something for your review, but I am not coder - I'm more of an applications/visual type. But I can test and document.

In any case, good work so far - and thank you for all the efforts in the creation of this module.

Cozzi

Comments

svihel’s picture

svihel CreditAttribution: svihel commented

I really would like to use this, but since to use this I must give rule assigner permission to change even a administrator account its not an option for me :(

1) It would be great if this module limited the Role Assigner to just that (Just the ability to assign roles and no access to the rest of user profile.)

This certainly would be great!

aasarava’s picture

aasarava CreditAttribution: aasarava commented

Agreed -- RoleAssign is a very helpful module, but what's really needed is a more complete solution that doesn't require giving your "role admins" full "user admin" privileges.

After all, if a role admin can change passwords and delete users, then couldn't he or she could bypass the RoleAssign restrictions by just changing the password of the Admin (#1) user and logging in and having full site access?

cozzi’s picture

cozzi CreditAttribution: cozzi commented
Priority: Normal » Critical

Oh my! You are right. I just tested that. I would say that's a pretty big security risk for this module.

salvis’s picture

salvis
he/his
CreditAttribution: salvis commented
Status: Active » Closed (won't fix)

The D5 version is not supported anymore.

The problem raised in #2 has been taken up again in #599342: document security threat of permission 'administer users '.