Contrib.social

Restrict access to cancel/remove accounts with non-assignable roles

Open on Drupal.org β†’
Created on 23 July 2022, almost 2 years ago
Updated 21 July 2023, 12 months ago

Problem/Motivation

Currently users with the administer users permission and permissions to assign only specific roles are able to remove/cancel users that have roles not-assignable by them, which is not ideal.

Steps to reproduce

  1. Create one or more non-administrator roles
  2. Add one or more users with only non-administrator roles assigned
  3. Add a role with permission to assign the non-administrator roles and the administer users permission
  4. Add a non-administrator user with the role with role assignment and administer users permissions
  5. Add at least 2 users with the administrator role
  6. Login with the non-administrator user with role assignment and administer users permissions
  7. Notice that this user has access to cancel all user accounts except user #1, even though other users with the administrator role not assignable by the role delegation user exist.

Proposed resolution

Require role-assign permissions for all of the roles assigned to a user to be able to access the delete operation (cancel/remove) for user entities.

Remaining tasks

User interface changes

API changes

Data model changes

✨ Feature request
Status

Needs review

Version

1.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States joegraduate Arizona, USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024