Access denied for users with "administer users" permission

Created on 2 April 2025, 2 months ago

The problem:
The code of the access handler is the following:

    // No need for this access when the current user has the 'administer users'
    // permission. Roles can be edited on the user edit page.
    if ($account->hasPermission('administer users')) {
      return AccessResult::neutral()->cachePerPermissions();
    }

It's not very consistent when the superadmin or any other user can't reach that page. It does make much sense to have access for the /user/[uid]/roles page. E.g. the user form could be large, roles fields could be hidden, etc.

I don't see any problem in allowing users with the permission "administer users" to visit /user/{user}/roles pages.

The solution:

Change the code to the following:

    // When the current user has the 'administer users' permission
    // the access must be granted here without further checking.
    if ($account->hasPermission('administer users')) {
      return AccessResult::allowed()->cachePerPermissions();
    }
πŸ› Bug report
Status

Active

Version

1.0

Component

Code

Created by

🇺🇦 Ukraine nnevill Lutsk
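
Why the `neutral()` branch ends in "access denied", shown as an added example that is not part of the issue or the module's code. It is a simplified stand-alone PHP 8.1 model, assuming Drupal's rule that a route's checks are combined with `andIf()` and only an explicit allowed result grants access; `rolesPageCheck()`, `routeGranted()` and the `example delegate roles` permission are hypothetical names.

```php
<?php
// Simplified stand-alone model of Drupal's tri-state access results.
// Assumption: it mirrors AccessResult::andIf() and the route-level rule that
// only an explicit "allowed" grants access; it is not Drupal's own code.
enum Access {
  case Allowed;
  case Neutral;
  case Forbidden;
}

// andIf(): forbidden wins, allowed needs both sides allowed, else neutral.
function andIf(Access $a, Access $b): Access {
  if ($a === Access::Forbidden || $b === Access::Forbidden) {
    return Access::Forbidden;
  }
  return ($a === Access::Allowed && $b === Access::Allowed)
    ? Access::Allowed
    : Access::Neutral;
}

// Combine every check on a route; anything short of "allowed" is a 403.
function routeGranted(array $checkResults): bool {
  $result = Access::Allowed;
  foreach ($checkResults as $r) {
    $result = andIf($result, $r);
  }
  return $result === Access::Allowed;
}

// Hypothetical handler modelled on the snippet in the issue: $adminBranch is
// what the 'administer users' branch returns (neutral before, allowed after).
function rolesPageCheck(array $permissions, Access $adminBranch): Access {
  if (in_array('administer users', $permissions, true)) {
    return $adminBranch;
  }
  // Placeholder permission name, constructed for this example.
  return in_array('example delegate roles', $permissions, true)
    ? Access::Allowed
    : Access::Neutral;
}

$admin = ['administer users'];  // constructed sample account permissions
var_dump(routeGranted([rolesPageCheck($admin, Access::Neutral)]));
var_dump(routeGranted([rolesPageCheck($admin, Access::Allowed)]));
var_dump(routeGranted([rolesPageCheck($admin, Access::Allowed), Access::Forbidden]));
```

The third call shows that switching the branch to allowed does not override a forbidden result from another check on the same route.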
