"Administer Users" permission should be separate from "Administer Account Settings"

Created on 30 January 2009, almost 16 years ago
Updated 28 August 2023, over 1 year ago

Problem/Motivation

It is not possible to give a user access to administer users without also giving access to all settings and configuration for user accounts. This is because the "Administer Users" permission is too broad, it allows for both the administration of user accounts as well as the user settings.

Proposed resolution

A change was committed to Drupal 8.x that split the permission into two:

  • Administer Users - allowing you to create/edit/delete users
  • Administer Account Settings - manage the user settings, emails, fields.

In #196 @eiriksm supplied a patch for Drupal 7.x that takes a slightly different (backwards-compatible) approach:

  • Adds a new user_enable_separate_account_settings user module setting which allows the additional permission to be optionally enabled (opt-in).
  • When this setting is enabled, the administer account settings permission is added and used to control access to admin/config/people/accounts and user entity bundles administration.

Remaining tasks

Review of the latest patches using the approach proposed in #196.

If the approach proposed in #196 is not acceptable and the same approach that was taken for Drupal 8.x needs to be used for Drupal 7.x then more work needs to be done:

Steps to reproduce:

  1. Install the latest Drupal 8.x using the standard profile.
  2. Apply patch.
  3. Go to admin/people/roles and add new role "Person manager".
  4. Go to admin/people and add new user with role Person manager. Also create one user for test.
  5. Go to admin/people and add new user with role Person manager.
  6. Go to admin/people/permissions and give that role the permission to Administer users (but not Administer user settings).
  7. Switch to that user and edit a test user account. See that he has access to /admin/people and to edit users.
  8. Go to admin/config/people/accounts see that this user has access denied.
  9. Give that user additional Administer user settings permission
  10. Login with the user again and note differences (now should be possible to access to admin/config/people/accounts and to /admin/people)
  11. Try to make the account settings change back, ensure that access changes accordingly

Pages that the permission will effect:

  • admin/people/permissions
  • admin/config/people
  • admin/people
  • admin/config/people/accounts
  • do we need more pages?

User interface changes

There are no user interface changes proposed by this issue.

API changes

Administer Users permission will no longer allow assess to the manage people section under configuration. You will also need the "Administer User Settings" permission

Original report by [ceardach]

If you grant a user the "Administer Users" permission, that user can also edit the "User Settings" page. This grants more permissions than I think would be intended for anyone to administer users.

The "Administer Users" permission allows the user to create, delete and block users and change their email and password. to the that, it allows all configuration options available on the "User Settings" page, which is configuring the emails sent to users, and enable/disable registration, signatures and user pictures. The two capabilities should be separated.

I do not remember encountering this in Drupal 5. Access to the "User Settings" page may have been tied in to "Administer Site Configuration."

There should be an option to disable the password strength check in the settings for user registration. Right now it can only be disabled by a custom module with a hack messing with the javascript function that checks the password.

Note: You can accomplish most of what's here in 7.x with the User settings access module.

πŸ“Œ Task
Status

Needs work

Version

7.0 ⚰️

Component
User moduleΒ  β†’

Last updated about 23 hours ago

Created by

πŸ‡ΊπŸ‡ΈUnited States ceardach

Live updates comments and jobs are added and updated live.
  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024