A separate permission to access Key authentication in user profile

I found this issue for a bit different reason. On my website there are users with administer users permission. Yet I don't want them to manage the auth keys.

Basically I need the following:

-      $access = AccessResult::allowedIfHasPermission($current_user, 'administer users');
+      $access = AccessResult::allowedIfHasPermissions($current_user, 'manage any auth keys']);

If this sounds like a good idea, we could add an update hook that adds the new manage any auth keys permission to all users having administer users.

Either is fine for me, but I would like a permission like this added.

We should target the latest branch.

Created 2.1.x branch updated the same in MR, Thank You!!

Thanks for the patch, this is a very useful feature indeed!

However, I'm wondering whether it is a good idea to let any user with the "administer users" permission view the key authentication tab? Sure, they cannot edit the authentication key without the appropriate permission, but they can still see and potentially disclose or abuse this information.

In my opinion, it would be better to remove the "administer users" permission from the access check in UserKeyAuthForm, so that access is only granted if the user has the appropriate permissions from the key_auth module. If a role who manages users needs to view the key authentication tab, they can simply be assigned an additional role.

I added branch "3261708-a-separate-permission-" (please rename it to "3261708-a-separate-permission-without-administer-users") same to "3261708-a-separate-permission". MR18.

What's holding this back from being merged in? If there's something more to be done I'd love to help push this through.

The issue is marked Needs Review. Please test and review the changes in MR !18.

You can download the code changes as a patch/diff, and include the downloaded file in your Composer patches file.

Merged in 2.x branch!!

Automatically closed - issue fixed for 2 weeks with no activity.