the default permissions setup on all the roles are a good start, but don't match d.o closely enough. for example, no one has permissions to create or edit book pages or forum posts. none of the project* permissions are configured. the "content admin" role has way more permissions than the roles on d.o (except for site admin).

for consistency and proper testing, we probably want to set up the identical list of roles (webchick and i both have access to the page, so either of us could do this), but we might want to get input from dries, killes, and/or other folks from the security team, just to make sure no one is uncomfortable setting up the permission grid in a publicly viewable way like this.

Comments

dww’s picture

Status: Active » Needs work
Status: new, Size: 5 KB

here's a start. cleans up the code to define some constants and be array-driven, instead of hard-coding things and trying to manipulate giant strings. i think this will be easier to maintain and modify in the future. plus, it at least defines all the d.o roles (if not the full permissions, yet). so, it's a good start... ;)

dww’s picture

re: auth and anonymous -- instead of trying to special case them (as my // TODO implies), it just occurred to me that we should probably just truncate {permission} at the start, define arrays of perms for those 2 roles as well, and then treat them just like the other roles...

webchick’s picture

Status: new, Size: 12.53 KB

Thanks Derek! That was a great start! Here's a patch.

Note that there are permissions assigned to modules that aren't actually part of the profile (feature, image, image_galleries, simplenews).

I also swapped the key/values of the rid/names because it was bugging me that the RID came first on the perms array and not the names array. Yes I am that anal. ;P

webchick’s picture

Status: Needs work » Needs review

webchick’s picture

Status: new, Size: 12.95 KB

Oops, I forgot to finish this thought. :P

"Note that there are permissions assigned to modules that aren't actually part of the profile (feature, image, image_gallery, simplenews)."

I wasn't sure whether to add those, or whether the goal of this profile was to be *just* for the project/cvs stuff. In case we want the whole shebang, here's a patch that adds those to the required modules list. I figured either way it wouldn't hurt to have record of the permissions on d.o, though.

webchick’s picture

After speaking with dww in IRC, we decided not to add the extra modules to the profile, since they get enough testing done on their own (esp. image, image_gallery, and simplenews.. no idea what purpose 'feature' module serves). Therefore this patch is just a re-roll of #3 without these other modules' permissions.

webchick’s picture

Status: new, Size: 11.62 KB

...

webchick’s picture

Status: new, Size: 9.38 KB

dww pointed out that the permissions for site maintainer were all out of whack for some reason. Fixed that. Also fixed admin getting too many permissions and some other minor clean-up.

Note that these aren't quite a direct copy of the perms on d.o, because I did things like leaving off 'access content' on the site maintainer role when they're implicit to authenticated users anyway. Just for legibility/maintenance.

dww’s picture

Status: Needs review » Fixed

committed (slightly modified version) to HEAD. yay. ;) thanks, webchick.

Anonymous’s picture

Status: Fixed » Closed (fixed)