A role with only the 'access advuser' permission can delete/block a user even if the permissions of the User module do not allow him to administer users.
This happens only for the "update options". The delete action is OK (no delete allowed for this role).

Drupal Version 6.14

Comment | File | Size | Author
#6 | advuser-6.x-2.x.diff | 1.2 KB | Anonymous (not verified)
#5 | advuser-6.x-3.0.diff | 1.16 KB | Anonymous (not verified)
#4 | advuser-6.x-3.0.diff | 1.16 KB | Anonymous (not verified)
#2 | advuser-614676.patch | 854 bytes | nkmani

Comments

Anonymous’s picture

Priority: Normal » Critical
nkmani’s picture

Status: Active » Needs review
Status: new, File size: 854 bytes

Added a patch to fix the issue. With the patch, it now requires that the user have "administer users" permission on top of "access advuser" permission to view and edit.

The simpler fix could be to look for "administer users" to allow access for the advuser menu. But, this additional permission, I guess, allows for finer control over who gets to do advuser actions!
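
The check described in the comment above (both "access advuser" and "administer users" required), shown as an added example for a hypothetical Drupal 6 module. It is not the attached patch or advuser's own code; the module name `mymodule`, the menu path and all function names are assumptions.

```php
<?php
// Hypothetical Drupal 6 module "mymodule" (added example, not advuser code).

// hook_perm(): the module's own permission.
function mymodule_perm() {
  return array('access advuser');
}

// Access callback: require the module permission AND core's.
function mymodule_admin_access($account = NULL) {
  return user_access('access advuser', $account)
    && user_access('administer users', $account);
}

// hook_menu(): route the admin form through the combined check.
function mymodule_menu() {
  $items['admin/user/mymodule'] = array(
    'title' => 'Advanced user management',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('mymodule_admin_form'),
    // Weak form: 'access arguments' => array('access advuser') alone.
    'access callback' => 'mymodule_admin_access',
  );
  return $items;
}

// Form listing accounts (uid 0 and 1 excluded) with a bulk "block" action.
function mymodule_admin_form() {
  $options = array();
  $result = db_query('SELECT uid, name FROM {users} WHERE uid > 1');
  while ($row = db_fetch_object($result)) {
    $options[$row->uid] = check_plain($row->name);
  }
  $form['accounts'] = array('#type' => 'checkboxes', '#options' => $options);
  $form['submit'] = array('#type' => 'submit', '#value' => t('Block selected'));
  return $form;
}

// Submit handler: re-check at the point of action, not only at the menu.
function mymodule_admin_form_submit($form, &$form_state) {
  if (!mymodule_admin_access()) {
    drupal_set_message(t('You are not allowed to update users.'), 'error');
    return;
  }
  foreach (array_filter($form_state['values']['accounts']) as $uid) {
    $account = user_load(array('uid' => (int) $uid));
    if ($account) {
      user_save($account, array('status' => 0));
    }
  }
}
```

Keeping the check in one access function lets the menu item and the submit handler share it, so the bulk update path cannot drift from the page-level restriction.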

Anonymous’s picture

Status: Needs review » Reviewed & tested by the community

I haven't tested it but this looks reasonable to me and may be committed to CVS.

Anonymous’s picture

Version: 6.x-2.3 » 6.x-3.x-dev
Status: new, File size: 1.16 KB
Anonymous’s picture

Status: new, File size: 1.16 KB

Here is the patch I've settled on for this.

Anonymous’s picture

Version: 6.x-3.x-dev » 6.x-2.x-dev
Status: new, File size: 1.2 KB

Backporting to 2.x branch.

Anonymous’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.