diff --git a/administerusersbyrole.info b/administerusersbyrole.info
index fb567af..adf36e8 100644
--- a/administerusersbyrole.info
+++ b/administerusersbyrole.info
@@ -1,4 +1,6 @@
+; $Id$
 name = Administer Users by Role
 description = "Allows users with 'administer users' permission and a role (specified in 'Permissions') to edit/delete other users with a specified role. Also provides control over user creation."
-core = 6.x
-package = Permissions
+core = 7.x
+files[] = administerusersbyrole.module
+
diff --git a/administerusersbyrole.module b/administerusersbyrole.module
index dc15121..2f6da1e 100644
--- a/administerusersbyrole.module
+++ b/administerusersbyrole.module
@@ -2,170 +2,97 @@ /** * @file - * Provides fine-grained permissions for creating, editing, and deleting users. - * - * This module allows site builders to set up fine-grained permissions for - * allowing users to edit and delete other users Ñ more specific than - * Drupal Core's all-or-nothing 'administer users' permission. It also - * provides and enforces a 'create users' permission. + * Allows users with 'administer users' permission and a role (specified in 'Permissions') to edit/delete other users with a specified role. If the user being edited has multiple roles, the user doing the editing must have permission to edit ALL of the user being edited's roles. Also provides control over user creation. Works well in conjunction with role_delegation. */ /** - * Implements hook_perm(). - */ -function administerusersbyrole_perm() { - $roles = db_query('SELECT name FROM {role} WHERE rid > 2 ORDER BY name'); + * Implements hook_permission(). + */ +function administerusersbyrole_permission() { + $roles = db_query('SELECT name, rid FROM {role} WHERE rid > 1 ORDER BY name')->fetchAll(); $perms = array(); - $perms[] = 'create users'; - $perms[] = 'edit users with no custom roles'; - $perms[] = 'delete users with no custom roles'; - while ($role=db_fetch_array($roles)) { - $perms[] = _administerusersbyrole_build_perm_string($role['name'], 'edit', FALSE); - $perms[] = _administerusersbyrole_build_perm_string($role['name'], 'edit', TRUE); - $perms[] = _administerusersbyrole_build_perm_string($role['name'], 'delete', FALSE); - $perms[] = _administerusersbyrole_build_perm_string($role['name'], 'delete', TRUE); + $perms['create users'] = array('title' => 'Create new users'); + foreach ($roles as &$role) { + $perms['edit users with role '. $role->rid] = array('title' => 'Edit users that have the role '. $role->name); + $perms['delete users with role '. $role->rid] = array('title' => 'Delete users that have the role '. 
$role->name); } return $perms; } /** - * Implements hook_init(). + * Implements hook_menu_alter(). */ -function administerusersbyrole_init() { - $items = array(); - if (arg(0)==='admin' && arg(1)==='user' && arg(2)==='user' && arg(3)==='create') { - if (!user_access('create users')) { - drupal_set_message(t('You do not have permission to create users.'), 'error'); - drupal_goto(""); - } - } - elseif (arg(0)==='user') { - $uid = arg(1); - if (module_exists('me')) { - $uid = _me_check_arg($uid); - } - $account = user_load( array('uid' => $uid) ); - switch (arg(2)) { - case 'edit': - if (!_administerusersbyrole_can_edit_user($account)) { - drupal_set_message(t('You do not have permission to edit %user.', array('%user' => $account->name)), 'error'); - drupal_goto('user/'. $account->uid); - } - break; - - case 'delete': - if (!_administerusersbyrole_can_delete_user($account)) { - drupal_set_message(t('You do not have permission to delete %user.', array('%user' => $account->name)), 'error'); - drupal_goto('user/'. $account->uid); - } - break; - } - } - return $items; +function administerusersbyrole_menu_alter(&$items) { + $items['user/%user/edit']['access callback'] = '_administerusersbyrole_can_edit_user'; + $items['user/%user/cancel']['access callback'] = '_administerusersbyrole_can_delete_user'; + $items['admin/people/create']['access arguments'] = array('create users'); } +/** + * Custom access callback for edit user. 
+ */ function _administerusersbyrole_can_edit_user($account) { global $user; - if ($account->uid == $user->uid) { + + if($account->uid == $user->uid) return TRUE; - } - // allow only uid1 to edit uid1 - if ($account->uid == 1) { + if($account->uid == 1) return FALSE; - } - - if ($account->roles === array(DRUPAL_AUTHENTICATED_RID => 'authenticated user')) { - if (!user_access('edit users with no custom roles')) { - return FALSE; - } - } + elseif(user_access('edit users with role '.DRUPAL_AUTHENTICATED_RID)) + return TRUE; - $allow = TRUE; foreach ($account->roles as $rid => $role) { - if ($rid === DRUPAL_AUTHENTICATED_RID) { + if($rid == DRUPAL_AUTHENTICATED_RID) continue; - } - if (user_access(_administerusersbyrole_build_perm_string($role, 'edit', TRUE))) { - return TRUE; - } - if (!user_access(_administerusersbyrole_build_perm_string($role, 'edit', FALSE))) { - $allow = FALSE; - } + if(!user_access('edit users with role '. $rid)) + return FALSE; } - return $allow; + + return TRUE; } +/** + * Custom access callback for delete user. + */ function _administerusersbyrole_can_delete_user($account) { + if ($account->uid == 1) { return FALSE; } - if ($account->roles === array(DRUPAL_AUTHENTICATED_RID => 'authenticated user')) { - if (!user_access('delete users with no custom roles')) { - return FALSE; - } - } - - $allow = TRUE; + $permitted = TRUE; foreach ($account->roles as $rid => $role) { - if ($rid === DRUPAL_AUTHENTICATED_RID) { - continue; - } - if (user_access(_administerusersbyrole_build_perm_string($role, 'delete', TRUE))) { - return TRUE; - } - if (!user_access(_administerusersbyrole_build_perm_string($role, 'delete', FALSE))) { - $allow = FALSE; + $permitted = user_access('delete users with role '. $rid); + if (!$permitted) { + return FALSE; } } - return $allow; + return TRUE; } /** - * Implements hook_form_FORM_ID_alter(). + * Implements hook_form_user_admin_account_alter(). 
*/ -function administerusersbyrole_form_user_multiple_delete_confirm_alter(&$form, &$form_state) { - $anyallowed = FALSE; - foreach (array_filter($form_state['post']['accounts']) as $uid => $value) { - $account = user_load($uid); - if (_administerusersbyrole_can_delete_user($account)) { - $anyallowed = TRUE; - } - else { - drupal_set_message(t('You do not have permission to delete %user.', array('%user' => $account->name)), 'error'); - unset($form_state['post']['accounts'][$uid]); - unset($form['accounts'][$uid]); - } - } - if (!$anyallowed) { - drupal_goto( drupal_substr($form['#action'], 1) ); - } -} +function administerusersbyrole_form_user_admin_account_alter(&$form, &$form_state, $form_id) { -/** - * Implements hook_user(). - */ -function administerusersbyrole_user($op, &$edit, &$account, $category = NULL) { - if ($op === 'update' && $category === 'account') { + // Remove edit links if i don't have access to them. + foreach ($form['accounts']['#options'] as $uid => $fields) { + $account = user_load($uid); if (!_administerusersbyrole_can_edit_user($account)) { - if (isset($edit['status'])) { - $action = $edit['status'] ? t('unblock') : t('block'); - drupal_set_message(t('You do not have permission to @action %user.', array('@action' => $action, '%user' => $account->name)), 'error'); - unset($edit['status']); - } + $form['accounts']['#options'][$uid]['operations'] = ''; } } } /** - * Generates a permission string for a given a role name. + * Implements hook_form_user_profile_form_alter(). */ -function _administerusersbyrole_build_perm_string($role_name, $op = 'edit', $other = FALSE) { - $perm = "$op users with role "; - $perm .= preg_replace('/[^a-zA-Z0-9]/', '', $role_name); - if ($other) { - $perm .= ' and other roles'; +function administerusersbyrole_form_user_profile_form_alter(&$form, &$form_state, $form_id) { + + // Hide delete link if i don't have access. 
+ $account = $form['#user']; + if (!_administerusersbyrole_can_delete_user($account)) { + $form['actions']['cancel']['#access'] = FALSE; } - return $perm; }
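Review bot: `_administerusersbyrole_can_edit_user()` fails open in two places, which contradicts the file header's rule that the editor must hold permission for ALL of the target's roles. The `elseif(user_access('edit users with role '.DRUPAL_AUTHENTICATED_RID)) return TRUE;` branch returns before the role loop runs, so that one permission appears to cover every account except uid 1, whatever other roles the target has. The loop then `continue`s past DRUPAL_AUTHENTICATED_RID and ends in `return TRUE;`, so a target with no other roles passes for any caller, and since `hook_menu_alter()` swaps in this function as the whole access callback for `user/%user/edit`, nothing visible here still requires 'administer users'. I would add `if (!user_access('administer users')) return FALSE;` after the own-account check, delete the `elseif` shortcut, and drop the `continue` so the authenticated role is checked like any other, as `_administerusersbyrole_can_delete_user()` already does. The delete callback needs the same 'administer users' guard.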