User can access admin/user/user page and delete/block everyone [#615668]

the users have to get "administer users" access and therefore they can access admin/user/user page and by this delete/block all users of all domains.

i think this is not the correct behavior.

i've altered the module as follows:

function domain_user_edit_perm() {
return array('edit domain users');
}

and then switched the "administer users" and "edit domain users" permissions.

by this the user with "edit domain users" permission cannot access any other page except the user edit page.

Comment	File	Size	Author
#3	domain_user_edit.patch	846 bytes	Johnny vd Laar
#2	domain_user_edit.patch	846 bytes	Johnny vd Laar

Comments

blackdog commented 27 October 2009 at 09:25

Can you make a patch of this? I don't really understand what you've changed.

Johnny vd Laar commented 27 October 2009 at 12:24

Status	File	Size
new	domain_user_edit.patch	846 bytes

Johnny vd Laar commented 27 October 2009 at 12:25

Status	File	Size
new	domain_user_edit.patch	846 bytes

attached is the patch

blackdog commented 3 November 2009 at 12:30

Ahh, now I understand what you've done. Looks good. I'll have to test and get back to you. Thanks!