- Merge request !4[#3261708] Add more permissions for managing auth key access. → (Open) created by kiseleva.t
I found this issue for a bit different reason. On my website there are users with
administer userspermission. Yet I don't want them to manage the auth keys.Basically I need the following:
- $access = AccessResult::allowedIfHasPermission($current_user, 'administer users'); + $access = AccessResult::allowedIfHasPermissions($current_user, 'manage any auth keys']);If this sounds like a good idea, we could add an update hook that adds the new
manage any auth keyspermission to all users havingadminister users.Either is fine for me, but I would like a permission like this added.
- 🇮🇳India rajeshreeputra Pune
Created 2.1.x branch updated the same in MR, Thank You!!
- 🇦🇹Austria reinimax
Thanks for the patch, this is a very useful feature indeed!
However, I'm wondering whether it is a good idea to let any user with the "administer users" permission view the key authentication tab? Sure, they cannot edit the authentication key without the appropriate permission, but they can still see and potentially disclose or abuse this information.
In my opinion, it would be better to remove the "administer users" permission from the access check in UserKeyAuthForm, so that access is only granted if the user has the appropriate permissions from the key_auth module. If a role who manages users needs to view the key authentication tab, they can simply be assigned an additional role.
- First commit to issue fork.
- 🇷🇸Serbia super_romeo Belgrade
I added branch "3261708-a-separate-permission-" (please rename it to "3261708-a-separate-permission-without-administer-users") same to "3261708-a-separate-permission". MR18.