Posted by Morn on October 26, 2009 at 11:21am
| Project: | Advanced User |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
A role with only the 'access advuser' permission can delete/block a user even if the permissions of the User module do not allow him to administer users.
This happens only for the "update options". The delete action is OK (no delete allowed for this role).
Drupal Version 6.14
Comments
#1
#2
Added a patch to fix the issue. With the patch, it now requires that the user have the "administer users" permission on top of the "access advuser" permission to view and edit.
The simpler fix could be to look for "administer users" to allow access for the advuser menu. But, this additional permission, I guess, allows for finer control over who gets to do advuser actions!
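The two-permission check described in comment #2, as an added example for the Drupal 6 API; it is not the attached patch or the Advanced User module's code. The module name `example_bulk`, its path and its form are hypothetical, and only the two permission strings come from this issue.

```php
<?php
// Added illustration: every example_bulk_* name and the menu path are hypothetical.

/** Implementation of hook_perm(). */
function example_bulk_perm() {
  return array('access advuser');
}

/** Access callback: both permissions are required, not just the module's own. */
function example_bulk_access($account = NULL) {
  return user_access('access advuser', $account)
    && user_access('administer users', $account);
}

/** Implementation of hook_menu(). */
function example_bulk_menu() {
  $items['admin/user/example_bulk'] = array(
    'title' => 'Bulk user update',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_bulk_form'),
    // Weak variant: 'access arguments' => array('access advuser') on its own.
    'access callback' => 'example_bulk_access',
  );
  return $items;
}

/** Form builder: a user ID field and the "update options" select. */
function example_bulk_form(&$form_state) {
  $form['uid'] = array('#type' => 'textfield', '#title' => t('User ID'), '#required' => TRUE);
  $form['operation'] = array(
    '#type' => 'select',
    '#title' => t('Update options'),
    '#options' => array('block' => t('Block'), 'unblock' => t('Unblock')),
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Update'));
  return $form;
}

/** Submit handler: re-check at the point where the account is changed. */
function example_bulk_form_submit($form, &$form_state) {
  if (!example_bulk_access()) {
    drupal_set_message(t('You are not allowed to update users.'), 'error');
    return;
  }
  $uids = array((int) $form_state['values']['uid']);
  $op = $form_state['values']['operation'] == 'block' ? 'user_user_operations_block' : 'user_user_operations_unblock';
  $op($uids);
}
```

Repeating the check in the submit handler keeps the operation gated even if the form is later exposed through a route with a different access callback.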
#3
I haven't tested it but this looks reasonable to me and may be committed to CVS.
#4
#5
Here is the patch I've settled on for this.
#6
Backporting to 2.x branch.
#7
#8
Automatically closed -- issue fixed for 2 weeks with no activity.