Per role setting should override control access setting

chirale - December 12, 2008 - 09:29
Project: User Protect
Version: 5.x-1.3
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: by design
Description

The "Authenticated user" role can be a large set including many roles. They are treated as peers, but in fact a "MyRole" role is a subset of "Authenticated user".

Currently User Protect checks the larger set ("Authenticated user") before the "MyRole" settings. As a result, if an Authenticated user is allowed to change e.g. his/her password, but "MyRole" doesn't have that access, a MyRole + Authenticated user can change his/her password.

This patch, made against the 5.x-1.3 version, switches the two controls in the function userprotect_get_user_protection to make subset settings effective.

Attachment: userprotect_role_override_accesscontrol.patch (1.51 KB)

#1

hunmonk - December 12, 2008 - 13:17
Status: needs review » by design
  • I'm not seeing how this patch changes anything -- the role testing code looks exactly the same to me.
  • the per user tests should come before the role tests, as they should take precedence
  • as for all other roles inheriting the permissions of the auth user role, this is the way core works, and the module should respect that for consistency
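
The two resolution orders discussed in this thread, as an added example that is not part of the original posts and is not User Protect's code. It is a simplified model: the function names, the `password` key, the sample data and the rule that a deny on any specific role wins are all assumptions.

```php
<?php
// Simplified model, not User Protect's code. All names are hypothetical.
// A setting is true (allowed), false (denied) or absent (no opinion).

const AUTHENTICATED = 'authenticated user';

// Core-style resolution: roles are peers, so a grant on any role wins.
function resolve_union(array $roles, array $roleSettings, string $op): bool {
    foreach ($roles as $role) {
        if (($roleSettings[$role][$op] ?? false) === true) {
            return true;
        }
    }
    return false;
}

// The ordering requested in the report: an explicit setting on a more
// specific role overrides "authenticated user". Per-user settings are
// checked first, so they take precedence over any role.
function resolve_specific_first(array $roles, array $roleSettings, array $userSettings, string $op): bool {
    if (array_key_exists($op, $userSettings)) {
        return $userSettings[$op];
    }
    $specific = [];
    foreach ($roles as $role) {
        // isset() is true for an explicit false, so denials are collected too.
        if ($role !== AUTHENTICATED && isset($roleSettings[$role][$op])) {
            $specific[] = $roleSettings[$role][$op];
        }
    }
    if ($specific !== []) {
        // Assumption: with several specific roles, a single deny wins.
        return !in_array(false, $specific, true);
    }
    return $roleSettings[AUTHENTICATED][$op] ?? false;
}

// Constructed sample data matching the scenario in the report.
$roleSettings = [
    AUTHENTICATED => ['password' => true],
    'MyRole'      => ['password' => false],
];
$roles = [AUTHENTICATED, 'MyRole'];

var_dump(resolve_union($roles, $roleSettings, 'password'));
var_dump(resolve_specific_first($roles, $roleSettings, [], 'password'));
```

With the sample data the union model allows the password change and the specific-first model denies it, which is the difference the report and the reply disagree about.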