Is it possible to make site-wide roles optional in groups, like an option in the configuration. We would also have a complimentary permission called "apply site-wide roles" (or something like that) so that when I do disable the site-wide roles in the group, then some users (like an admin) can bypass that and have all the site-wide roles apply to groups too.

I think with an option like this, this would enable more fine tuning of access permissions and add that much more control to the admin.

Comments

somebodysysop’s picture

somebodysysop commented
Assigned: Unassigned » somebodysysop

I've thought about this, but don't see why anyone would want to do it. I keep going over it in my head, but to me, if you don't want users to have sitewide roles, then don't assign them -- period.

I'm uneasy about the idea of having OGR *remove* roles assigned by the core modules. I've always made the argument that OGR only adds permissions, not take them way.

The head Drupal guru has already said he doesn't support the idea of assigning roles on the fly. Consequently, I've found it difficult finding support for my core module modification suggestions. I doubt that he'd like your idea at all.

So, unless you have a compelling reason that I've overlooked, I don't see a good reason to implement this feature.

Crimson’s picture

Crimson commented

My site has both functionalities, group functions and site functions. Sometimes, the same functions exist in the site and in the group and when that happens, permissions intersect and overlap and it gets really messy as to who has what kind of access and permission. What's bad is that the groups have a little too much access in the groups section because some of the functions from the site are given to them too but I need them to have those functions when they are in the "normal" part of the site.

If this gets implemented, people would have a tighter control of groups and its permissions but if it's such a big issue, I don't want to trouble you. I just think it would add a lot more functionality to OG User Roles and let people have a more finer regulation of permissions.

I am not a Drupal developer, but how bad can it be? Assigning roles on the fly, isn't that how OG User Roles works? Isn't it possible to remove roles on the fly too?

somebodysysop’s picture

somebodysysop commented

I am not a Drupal developer, but how bad can it be? Assigning roles on the fly, isn't that how OG User Roles works? Isn't it possible to remove roles on the fly too?

Yes, that's how OG User Roles works. To the chagrin of Gerhard (see: http://drupal.org/node/170524).

It's not so much a question of how hard it is, but rather whether it should be done at all.

I'll post this on the developers list and see what they say.

Do the site-wide roles whose permissions you want to remove include "anonymous" and "authenticated"? If so, I know they'll love that.

If not, why then give a user a site-wide role if you don't want him to have those permissions? Seems to me if you simply remove all permssions from "authenticated" and "anonymous" users, and don't give any users any other roles, you'll have what you seek.

I mean, I see what you're saying: If a user has a role that gives him the "create page" permission sitewide, and he belongs to Group A, you may not want him to have the ability to create pages in that group. I get that. But, it seems to me that you create a mess in the process. How does this same user get out of group context to create a site-wide page?

Suppose there is content that a user's site-wide role gives him access to, but his group role(s) don't? How does he get to that content while in the group context?

Looks like a whole lot of potential headaches which could be simply resolved by not giving permissions to users except via group contexts.

Crimson’s picture

Crimson commented

I think we should leave "anonmyous" alone. And about the "authenticated" role, I don't use that because I don't have the control to remove people from that role so the role I use to replace that is "member". But anyways, it should be an inclusive list of roles (like group roles) that are kept and everything else should just be rejected (anonymous should be left alone and should not be rejected). I would also suggest a site-wide permission called "apply site-wide permissions" so that some roles can bypass this restriction.

How does this same user get out of group context to create a site-wide page? Suppose there is content that a user's site-wide role gives him access to, but his group role(s) don't? How does he get to that content while in the group context?
A different menu. I have a group menu and a site menu.

And I can say that my site is a little complex with many different types of contents the site-wide role and group roles can create. I just hope with this feature, I'll be able to control it better.

somebodysysop’s picture

somebodysysop commented
Status: Active » Closed (won't fix)

It's tough enough trying to get support from the Drupal core team for OGR issues as it is. Something like this would really give them fainting spells. I would have to say that monkeying with the primary Drupal roles is outside the scope of OG User Roles. Sorry, but I just don't see how to make that work in a secure fashion.