Hi,

Me: Doctor, it hurts when I move my arm like this.
You: Don't do that.

Anyway...

I want to allow OG group managers and group admins the rights to add users to the Drupal system and set site-wide roles, so I give them Administer Users and Administer permissions. But, I want to block them from accessing anything at /admin or below. They should only be able to create and edit (their group...) users.

I have looked at the modules subuser (doesn't work and) and userprotect/roleassign (extremely complicated for a seemingly simple task?). Anyway, neither of those are integrated with the OG system and don't meet my needs.

The easiest thing I can think of that works is:

function mytheme_preprocess_page(&$vars, $hook) {
  // handle ?q=admin/people or /admin/people
  if (arg(0) === 'admin') {
    // Send a bare 403 and stop the request before Drupal renders the page.
    header('HTTP/1.1 403 Forbidden');
    print "<h1>You do not have access to this page. Use your browser's back button to return</h1>";
    die();
  }
  // ...
}

I also tried in a hook_form_alter to see if that would get me something. For some reason I need the die() or the form is returned anyway?? (like the request starts over)

Is there some Drupal way to do this? (I assume not, since subusers and userprotect/roleassign exist.) That is, wrap it in a minimal Drupal themed page but return 403 to the user if arg(0) === 'admin' and user is not a site administrator? (I suppose I could say they get what they deserve by attempting to access something they shouldn't, but it might be an honest mistake sometimes.)

The closest, but least optimal way (probably missing something or will in the future) I have been able to handle this with is in my hook_form_alter and test all the forms and deny access to the well known admin forms, e.g.

function myhook_form_alter(&$form, &$form_state, $form_id) {
  global $user;
  if (in_array('administrator', $user->roles)) {
  
    // skip access checking for admin...
  
  } else if (strpos($form_id, 'user_admin_') === 0 
    || strpos($form_id, 'field_ui_') === 0
    //|| (strpos($form_id, 'og_') === 0 )
    || strpos($form_id, 'devel_') === 0) {
    
    drupal_add_js("jQuery(document).ready(function () { jQuery('div.tabs, div.content').remove() });", 'inline');
    drupal_access_denied();
    die();
    
  }
}

Any ideas? Am I crazy for trying to do this?

Comments

Jaypan

I'd use hook_menu_alter(), and add (or change) the 'access callback' property of the menu item for the /admin path to a custom callback of your own. You can check whatever you want within your custom callback, and return TRUE or FALSE to give permission.

RobKoberg

I did not try that because I thought it would require doing the check on all paths at and under admin. Is that not the case? Will give it a try, though. Thanks. -Rob
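
The hook_menu_alter() approach suggested in the comments, as an added example that is not part of the original thread. It assumes Drupal 7, a hypothetical module named `mymodule`, and the 'administrator' role name used in the post. Because router items that declare their own 'access arguments' do not inherit access from the 'admin' item, it wraps every item at or under admin once, when the router is rebuilt, and Drupal serves its normal themed 403 page when the callback returns FALSE.

```php
<?php
/**
 * Implements hook_menu_alter().
 *
 * Wraps the access check of every router item at or below 'admin' so a
 * role test runs first and the item's original check still runs after it.
 */
function mymodule_menu_alter(&$items) {
  foreach ($items as $path => &$item) {
    if ($path !== 'admin' && strpos($path, 'admin/') !== 0) {
      continue;
    }
    $has_callback = isset($item['access callback']);
    $has_args = isset($item['access arguments']);
    if (!$has_callback && !$has_args) {
      // Declares no access of its own: it inherits from its parent,
      // which is also under 'admin' and is wrapped by this loop.
      continue;
    }
    // With only 'access arguments' set, Drupal 7 defaults to user_access().
    $original = $has_callback ? $item['access callback'] : 'user_access';
    if (!is_string($original)) {
      // Constant TRUE/FALSE (or 1/0). Store as a bool, because integers in
      // 'access arguments' are replaced with path components.
      $original = (bool) $original;
    }
    $args = $has_args ? $item['access arguments'] : array();
    $item['access callback'] = 'mymodule_admin_access';
    $item['access arguments'] = array_merge(array($original), $args);
  }
  unset($item);
}

/**
 * Access callback: deny non-administrators, else defer to the original check.
 */
function mymodule_admin_access($original) {
  global $user;
  if ($user->uid != 1 && !in_array('administrator', $user->roles)) {
    return FALSE;
  }
  if (!is_string($original)) {
    return $original;
  }
  $args = func_get_args();
  array_shift($args);
  return (bool) call_user_func_array($original, $args);
}
```

The router is cached, so the menu cache has to be cleared after enabling the module before the new callbacks take effect.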