I'm not sure if this is a recent problem, or simply one that I've only just noticed, but on one of my sites Authenticated users can go to admin/access and change the permissions they have.

That can't be right?!

Is there something that I'm not doing to make that impossible?

Comments

DriesK

don't give them the "administer access control" permission (user module)

divrom

Under user module all I have is:

access user profiles
administer users

(I just see that I made a mistake when I posted this query. I'm actually still using 4.6 for this site.)

DriesK

Ah, in 4.6, the "administer access control" permission doesn't exist. In 4.6, both the editing of user accounts, as well as access to the access control page are controlled by the "administer users" permission (so "administer users" also allows users to change permissions).

divrom

So, basically, if I want someone to be able to edit user accounts (including other people's access permissions), I have to also let them be able to edit their own access permissions?

Is there no other way around this?

divrom

I've noticed that even on content types that have "Permission to change permissions" restricted to admin, the authenticated user can still change them.

The only thing they can't do is change view/edit permissions. But they can change the published status of a node.

[EDIT: Okay, ignore this last bit. I had administer nodes set for all users! However, the initial problem remains.]

DriesK

There is no way around this without hacking user.module. And by the way, the "administer access control" permission in 4.7 is also all-or-nothing: roles with that permission can edit all access permissions, including their own.
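The point of the thread is that whichever permission gates admin/access ("administer users" in 4.6, "administer access control" in 4.7) lets a role rewrite every role's permissions, including its own. The following audit script is an added example, not code from the thread or from Drupal: it models the role-to-permission matrix and flags the roles that can reach admin/access; the gating permission names come from the thread, while the role names and grants are constructed sample data.

```python
# Audit which roles in a Drupal 4.x-style permission matrix can reach the
# access-control page (admin/access) and therefore edit any role's permissions,
# including their own. Gating permission per version as stated in the thread;
# the roles and grants below are constructed sample data, not a real site.

# Permission that opens admin/access in each version (from the thread).
ACCESS_CONTROL_GATE = {
    "4.6": "administer users",           # also covers editing user accounts
    "4.7": "administer access control",  # separate from "administer users"
}


def user_access(perm, user_roles, matrix):
    """Drupal-style check: a user holds a permission if any of their roles grants it."""
    return any(perm in matrix.get(role, set()) for role in user_roles)


def roles_that_can_self_escalate(version, matrix):
    """Roles that can open admin/access and so grant themselves any permission."""
    gate = ACCESS_CONTROL_GATE[version]
    return sorted(role for role, perms in matrix.items() if gate in perms)


def can_edit_own_permissions(version, user_roles, matrix):
    """True if a user with these roles can change the permissions of their own roles."""
    return user_access(ACCESS_CONTROL_GATE[version], user_roles, matrix)


# Constructed sample matrix: a "helpdesk" role that only needs to edit accounts.
SAMPLE_MATRIX = {
    "anonymous user": {"access content"},
    "authenticated user": {"access content", "access user profiles"},
    "helpdesk": {"access content", "access user profiles", "administer users"},
    "site admin": {"administer users", "administer access control", "administer nodes"},
}

if __name__ == "__main__":
    for version in ("4.6", "4.7"):
        print(version, "roles able to edit their own permissions:",
              roles_that_can_self_escalate(version, SAMPLE_MATRIX))
```

On the sample matrix the helpdesk role is flagged under 4.6 but not under 4.7, which is exactly the split DriesK describes: in 4.6 editing accounts and editing permissions are one grant.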