- Issue created by @Liam Morland
- Status changed to Needs review (6:07pm 13 September 2023)
- Status changed to Postponed: needs info (12:59pm 27 May 2025)
- 🇧🇪Belgium dieterholvoet Brussels
> If a user has permission `administer users` but not `administer permissions`, they cannot edit user roles on `user/UID`.

Seems like they can. The core AccountForm does contain the following code:

```php
$form['account']['roles'] = [
  '#type' => 'checkboxes',
  '#title' => $this->t('Roles'),
  '#default_value' => (!$register ? $account->getRoles() : []),
  '#options' => $roles,
  '#access' => $roles && $user->hasPermission('administer permissions'),
];
```

but this module adds its own `role_change` field to the user form and the core access check doesn't affect that. Or am I missing something here?
- 🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
What if a user only has `administer users`? They cannot edit roles on `user/UID` and they do not have access to `user/UID/roles`.
- Merge request !25 [#3387126] fix: Require permission `administer permissions` in RoleDelegationAccessCheck (Open) created by Liam Morland