
Per role setting should override control access setting

Project: User protect
Version: 5.x-1.3
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: closed (works as designed)

Issue Summary

The "Authenticated user" role can be a large set including many roles. They are treated as peers, but in fact a "MyRole" role is a subset of "Authenticated user".

Now User Protect checks the larger set ("Authenticated user") before the "MyRole" settings. In this way, if an Authenticated user is allowed to change e.g. his/her password, but "MyRole" doesn't have that access, a MyRole + Authenticated user can change his/her password.

This patch, made against version 5.x-1.3, switches the two controls in the function userprotect_get_user_protection to make subset settings effective.

Attachment: userprotect_role_override_accesscontrol.patch (1.51 KB)

Comments

#1

Status: needs review » closed (works as designed)
  • I'm not seeing how this patch changes anything -- the role testing code looks exactly the same to me.
  • The per-user tests should come before the role tests, as they should take precedence.
  • As for all other roles inheriting the permissions of the auth user role, this is the way core works, and the module should respect that for consistency.
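
The two evaluation orders discussed in this issue, as an added Python model that is not User Protect's code and not part of the original thread: the additive behaviour the maintainer attributes to core, and the specific-role override the reporter asks for, both with per-user settings checked first. The allow/deny booleans, the `edit_password` key, uid 7 and all function names are assumptions made for illustration; where several custom roles disagree, the override variant lets deny win, a case the issue does not cover.

```python
# Constructed model of the two precedence rules; not the module's PHP code.
AUTHENTICATED = "authenticated user"

# Constructed sample settings matching the scenario in the issue summary.
ROLE_SETTINGS = {
    AUTHENTICATED: {"edit_password": True},
    "MyRole": {"edit_password": False},
}
# Per-user settings, consulted before any role (hypothetical uid 7).
USER_SETTINGS = {7: {"edit_password": True}}


def additive(roles, action, uid=None):
    """Per-user setting wins; otherwise the action is allowed if ANY role
    of the account allows it (roles only ever add access)."""
    user = USER_SETTINGS.get(uid, {})
    if action in user:
        return user[action]
    return any(ROLE_SETTINGS.get(r, {}).get(action, False) for r in roles)


def specific_role_override(roles, action, uid=None):
    """Per-user setting wins; otherwise settings on custom roles replace the
    "authenticated user" baseline, and one deny among them is final."""
    user = USER_SETTINGS.get(uid, {})
    if action in user:
        return user[action]
    custom = [ROLE_SETTINGS[r][action] for r in roles
              if r != AUTHENTICATED and action in ROLE_SETTINGS.get(r, {})]
    if custom:
        return all(custom)
    # No custom role has an opinion: fall back to the baseline role.
    return ROLE_SETTINGS.get(AUTHENTICATED, {}).get(action, False)


def compare(roles, action, uid=None):
    """Return both verdicts side by side for one account."""
    return {"additive": additive(roles, action, uid),
            "override": specific_role_override(roles, action, uid)}


if __name__ == "__main__":
    print(compare([AUTHENTICATED, "MyRole"], "edit_password"))
    print(compare([AUTHENTICATED, "MyRole"], "edit_password", uid=7))
```

The two rules disagree only for an account that holds both roles and has no per-user setting, which is exactly the case the issue summary describes.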