The "Authenticated user" role can be a large set including many roles. They are treated as peers, but in fact a "MyRole" role is a subset of "Authenticated user".

Now User Protect checks the larger set ("Authenticated user") before the "MyRole" settings. In this way, if an Authenticated user is allowed to change e.g. his/her password but "MyRole" doesn't have that access, a MyRole + Authenticated user can change his/her password.

This patch, made against the 5.x-1.3 version, switches the two controls in the function userprotect_get_user_protection to make subset settings effective.
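The ordering problem described above, as an added illustration that is not User Protect's own code: a "first matching role wins" check gives a different answer depending on whether the broad "Authenticated user" set or the narrower "MyRole" is consulted first, while a union over all of the account's roles (with per-user settings taking precedence over role settings) does not depend on evaluation order at all. The role names, field names, user IDs and the protection tables are constructed sample data; the function names are hypothetical.

```php
<?php
// Added illustration, not User Protect code. Models how the order in which
// role-level protection settings are evaluated changes the outcome.

// Constructed sample settings: role name => list of protected fields.
// A protected field is one the account holder is NOT allowed to edit.
$roleProtections = [
    'authenticated user' => [],        // nothing protected for the broad set
    'MyRole'             => ['pass'],  // MyRole must not change its own password
];

// Constructed per-user settings; these take precedence over role settings.
$userProtections = [
    42 => ['mail'],  // user 42 is protected on e-mail only, regardless of roles
];

/**
 * First-match evaluation: returns the protection list of the first role in
 * $order that the account holds. Roles later in $order are never consulted,
 * so the result depends entirely on the order chosen.
 */
function firstMatchProtection(array $accountRoles, array $roleProtections, array $order): array {
    foreach ($order as $role) {
        if (in_array($role, $accountRoles, true)) {
            return $roleProtections[$role] ?? [];
        }
    }
    return [];
}

/**
 * Order-independent evaluation: union of protections across all of the
 * account's roles, so holding a broader role in addition to a narrower one
 * cannot remove the narrower role's restriction.
 */
function unionProtection(array $accountRoles, array $roleProtections): array {
    $protected = [];
    foreach ($accountRoles as $role) {
        foreach ($roleProtections[$role] ?? [] as $field) {
            $protected[$field] = true;
        }
    }
    return array_keys($protected);
}

/**
 * Full decision: per-user settings win if present, otherwise the role union.
 */
function isFieldProtected(int $uid, array $accountRoles, string $field,
                          array $userProtections, array $roleProtections): bool {
    if (isset($userProtections[$uid])) {
        return in_array($field, $userProtections[$uid], true);
    }
    return in_array($field, unionProtection($accountRoles, $roleProtections), true);
}

$roles = ['authenticated user', 'MyRole'];

// Broad set consulted first: MyRole's password protection is never reached.
$broadFirst = firstMatchProtection($roles, $roleProtections, ['authenticated user', 'MyRole']);
// Narrow role consulted first: the password protection applies.
$specificFirst = firstMatchProtection($roles, $roleProtections, ['MyRole', 'authenticated user']);

var_dump(in_array('pass', $broadFirst, true));
var_dump(in_array('pass', $specificFirst, true));

// Union-based check does not care about order; per-user settings override it.
var_dump(isFieldProtected(7, $roles, 'pass', $userProtections, $roleProtections));
var_dump(isFieldProtected(42, $roles, 'pass', $userProtections, $roleProtections));
```

Run with `php` on the command line; the two first-match results differ only because of the order passed in, whereas the union result is the same for any role order, which is the property a protection check should have when one role is a subset of another.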

Comments

hunmonk

Status: Needs review » Closed (works as designed)
  • I'm not seeing how this patch changes anything -- the role testing code looks exactly the same to me.
  • The per-user tests should come before the role tests, as they should take precedence.
  • As for all other roles inheriting the permissions of the auth user role, this is the way core works, and the module should respect that for consistency.