I am trying to give site owners a way to add other roles for their site but without being able to give themselves the admin role. They need to have the "administer permissions" permission because it is up to them whether certain roles can access different content etc.
I am using permissions lock to prevent the site owner from changing any permissions I don't want them to change. I am also using user protect to stop them from deleting or editing the Admin role.
I have tried using role assign however I couldn't figure out how to prevent the site owner from assigning themselves the Admin role. With "administer users", "assign roles" and "administer permissions" it seems as though the site owner can give themselves whatever role they like. It also meant that they could see the Role Assign section under User Management and adjust it as they like.
I also tried role delegation but the same issue arises. No matter what settings I used, the site owner could always assign themselves as an admin which was a problem.
Can anyone please let me know if I am missing something very basic? Is it just me or is it strange that the "administer permissions" permission doesn't distinguish between setting permissions and assigning roles at all?
Jason
Comments
I haven't used it for a while, but http://drupal.org/project/roleassign should allow you to select which roles are assignable -- just don't allow the admin role to be assignable.
Thanks for the suggestion
Thanks for the suggestion WorldFallz. I tried using roleassign however if "administer permissions" was checked for the user, the restrictions created by roleassign were redundant. The user could assign any role to any user.
I think the problem was that I had been creating a role for the system administrator and then a role for the site owner to do the day to day managing of users and content. I have now removed the role for the system administrator and left them simply as User1. It isn't the best setup if multiple system administrators are needed but it will have to do.
The site owner needs the "administer permissions" permission to adjust permissions for newly created roles and existing roles. However, anyone who is assigned that permission has the ability to assign themselves any role they desire, which is a security concern. Well, maybe more of an "I didn't realize if I played with that I would destroy my site" concern. :p
Jason
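The configuration discussed in this thread can be audited with a small model. The following is an added example, not code from the thread, from Drupal or from the modules named. It computes which permissions a role can end up with when "administer permissions" lets the holder edit unlocked permissions and, as reported above, assign any role. The role map, the locked set and the `enforce_assignable` parameter are constructed assumptions.

```python
ADMINISTER = "administer permissions"

# Constructed sample configuration (not taken from a real site).
ROLES = {
    "admin": {ADMINISTER, "administer users", "administer site configuration",
              "administer filters", "administer nodes"},
    "site owner": {ADMINISTER, "administer users", "assign roles"},
    "editor": {"create page content", "edit any page content"},
}
# Permissions the site builder has locked against changes (Permissions Lock style).
LOCKED = {"administer site configuration", "administer filters"}


def reachable(start_role, roles, locked, enforce_assignable=None):
    """Return (permissions, roles) a holder of start_role can end up with.

    Assumed model: a holder of ADMINISTER can grant their own role every
    unlocked permission and can self-assign roles. enforce_assignable=None
    means any role (the behaviour reported in the thread); a set models a
    hypothetical setup where the role-assignment restriction really held.
    """
    all_perms = set().union(*roles.values())
    perms, held = set(roles[start_role]), {start_role}
    while True:
        before = (len(perms), len(held))
        if ADMINISTER in perms:
            perms |= all_perms - locked
            held |= set(roles) if enforce_assignable is None else set(enforce_assignable)
        for role in held:
            perms |= roles[role]  # membership brings locked permissions too
        if (len(perms), len(held)) == before:
            return perms, held


def locked_permissions_reached(start_role, roles, locked, enforce_assignable=None):
    """Locked permissions the role gains beyond what it was given."""
    perms, _ = reachable(start_role, roles, locked, enforce_assignable)
    return (perms & locked) - roles[start_role]


if __name__ == "__main__":
    for name in ROLES:
        print(name, "->", sorted(locked_permissions_reached(name, ROLES, LOCKED)))
    print("with enforced restriction ->",
          sorted(locked_permissions_reached("site owner", ROLES, LOCKED, {"editor"})))
```

In this model, locking permissions protects nothing while any role holding them stays assignable; the lock only holds once role assignment is actually restricted.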