Nice module. Will likely be using it for a new project. Doing some initial testing, found a couple of perm-related issues:
1. user which has create subuser perm is shown the Switch link and is able to switch to the subuser even though switch subuser perm is not enabled [screenshot of perm config]
2. (cosmetic) user which has create subuser perm is shown the Edit link which leads to access denied if administer subusers perm is not enabled [screenshot of user page]
3. (cosmetic, possible security issue) user which has administer subuser perm is shown the entire list of user permissions and modules which implement user perm hook; user which has administer subuser perm is shown entire list of user roles beyond those which they can create [screenshot of admin page]
IMO the user permission filter should/could be removed. The user roles filter should be restricted to only roles they have ability to create.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | 726914-1-eojthebrave-subuser_permissions.patch | 6.65 KB | eojthebrave |
Comments
Comment #1
eojthebrave
This patch should fix the above issues #1 and #2. In order to get the view to respect the subuser module's permissions I had to implement two new views fields. One for the subuser edit link and one for the subuser switch link.
I then updated the existing view to use these new fields and re-exported it.
I also had to make a couple of minor changes to the subuser_switch_user_access() function so that it now makes use of the 'subuser switch' permission.
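
The pattern described in comment #1, as an added example that is not part of the thread or the subuser module's code: one access function decides both whether the Switch link is rendered and whether the switch request is honoured. The `demo_*` functions, the data layout, the parent/subuser ownership check and the `/subuser/switch/` path are assumptions made for illustration; only the permission strings come from the thread.

```php
<?php
// Constructed sample data. Permission strings are taken from the thread;
// the role table and the parent => subusers map are hypothetical.
$PERMS = array(
  'creator'  => array('create subuser'),
  'switcher' => array('create subuser', 'subuser switch'),
);
$SUBUSERS = array(10 => array(11, 12), 20 => array(21));

// Stand-in for Drupal's user_access(), backed by the table above.
function demo_user_access($perm, $account) {
  global $PERMS;
  return in_array($perm, $PERMS[$account['role']], TRUE);
}

// Single decision point: requires the switch permission AND that the
// target really is one of this account's subusers.
function demo_switch_access($account, $target_uid) {
  global $SUBUSERS;
  $uid = $account['uid'];
  $children = isset($SUBUSERS[$uid]) ? $SUBUSERS[$uid] : array();
  return demo_user_access('subuser switch', $account)
    && in_array($target_uid, $children, TRUE);
}

// Link renderer (the role of the new views field): emit nothing on failure.
function demo_switch_link($account, $target_uid) {
  return demo_switch_access($account, $target_uid)
    ? '<a href="/subuser/switch/' . (int) $target_uid . '">Switch</a>'
    : '';
}

// Request handler: repeats the same check, because hiding the link alone
// does not stop a user from requesting the switch URL directly.
function demo_switch_request($account, $target_uid) {
  return demo_switch_access($account, $target_uid) ? 200 : 403;
}

$creator  = array('uid' => 10, 'role' => 'creator');   // create permission only
$switcher = array('uid' => 20, 'role' => 'switcher');  // create + switch
// Cases: creator on own subuser, switcher on own subuser, switcher on someone else's.
$cases = array(array($creator, 11), array($switcher, 21), array($switcher, 11));
foreach ($cases as $case) {
  list($acct, $target) = $case;
  printf("%s -> %d: link=%s status=%d\n", $acct['role'], $target,
    demo_switch_link($acct, $target) === '' ? 'hidden' : 'shown',
    demo_switch_request($acct, $target));
}
```
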
Comment #2
robin van emden commented
Tested on our development server, did not encounter any show-stoppers.
Comment #3
fonant commented
This patch works well here, fixing the problem where the permissions didn't affect the links displayed or the ability to switch to a subuser.
Comment #4
jeffreyvddb commented
The patch works like a charm, but still I've got a question. When you have the 'administer subusers' perm, you can edit the basic information of a subuser. Could it be possible to add a feature that you can block and/or delete a subuser? This way, the parent can manage 'their' subusers.
Comment #5
blakehall commented
Added to 6.x-1.x with commit: http://drupal.org/commitlog/commit/7940/74dd3e30ae15ed72ccd2c9ddfbca5867...
Thanks eojthebrave!
Comment #6
blakehall commented
Doh! Actually marking fixed now...