Restrict access to cancel/remove accounts with non-assignable roles

Open on Drupal.org →

Created on 23 July 2022, over 2 years ago

Updated 20 July 2023, over 1 year ago

Problem/Motivation

Currently users with the administer users permission and permissions to assign only specific roles are able to remove/cancel users that have roles not-assignable by them, which is not ideal.

Steps to reproduce

Create one or more non-administrator roles
Add one or more users with only non-administrator roles assigned
Add a role with permission to assign the non-administrator roles and the administer users permission
Add a non-administrator user with the role with role assignment and administer users permissions
Add at least 2 users with the administrator role
Login with the non-administrator user with role assignment and administer users permissions
Notice that this user has access to cancel all user accounts except user #1, even though other users with the administrator role not assignable by the role delegation user exist.

Proposed resolution

Require role-assign permissions for all of the roles assigned to a user to be able to access the delete operation (cancel/remove) for user entities.

Remaining tasks

User interface changes

API changes

Data model changes

✨ Feature request

Status

Needs review

Version

1.0

Component

Code

Created by

🇺🇸United States joegraduate Arizona, USA

Live updates comments and jobs are added and updated live.

Incomplete comments

Sign in to follow issues

Merge Requests

!8Restrict access to cancel/remove accounts with non-assignable roles
Open
🇺🇸United States joegraduate
updated 6 months ago

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Merge request !8Issue #3299201: Restrict access to cancel/remove accounts with non-assignable roles → (Open) created by joegraduate
Comment over 1 year ago →
🇩🇪Germany Anybody Porta Westfalica
@joegraduate great idea, that would be suuuper helpful. But I think it should be a configuration option?
Comment over 1 year ago →
🇩🇪Germany Anybody Porta Westfalica
Also see ✨ Role tab is being hidden if user does not have administer user perm Needs review and the linked issues there! I think they are all on this topic and it would be super cool, if anyone could push things forward into that direction. Sadly I'm too busy currently, otherwise I'd do so.
Open in Jenkins → Open on Drupal.org →
Core: 9.5.5 + Environment: PHP 7.3 & MySQL 5.7
last update over 1 year ago
11 pass
Comment over 1 year ago →
🇺🇸United States joegraduate Arizona, USA
Rebased MR against latest 8.x-1.x branch.
First commit to issue fork.
Pipeline finished with Failed
6 months ago
Total: 160s
#312847

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024