Hello,

First of all, thank you for this module!

When I disallow a user to "edit or delete" an account based on the role, I think it should also be impossible to block or unblock a user with this role. For example:
When a user has the role "community manager" and does not have the rights to edit or delete any user with this role "community manager", the user should also be unable to block or unblock this user with the role "community manager".

Is this a possible feature for this module?

Best regards
Frank

Files:
#11 aur.png (2.89 KB, HaloFX)

Comments

Title: Block-unplock user. » Block-unblock user.
Category: feature » bug

Agreed.

I think this is a bug in the security model, not a need for a new feature.

Regards, Tony

I think the problem is with hook_user_update() (on line 160 of the latest beta). According to the Drupal API, this is called after a user account "was updated." http://api.drupal.org/api/drupal/modules%21user%21user.api.php/function/...

Shouldn't that be an implementation of hook_user_presave() instead? I think hook_user_update() is just too late -- the block/unblock has already taken place. Changing to hook_user_presave() seems to work for me (though, it does lead to an awkward situation where the core user drupal_get_message() says the account has been updated, even though the message from administerusersbyrole contradicts that).

Priority: Normal » Critical

Hello balleyne,

Changing to hook_user_presave() seems to work for me

How exactly have you done this? I am not a developer and need more info.

I think this is also a security issue and will change the priority.

Best regards
Frank

  • Navigate to the module folder sites/all/modules/administerusersbyrole
  • Open administerusersbyrole.module
  • Change line 160ish
    <?php
    function administerusersbyrole_user_update(&$edit, $account, $category) {
    ?>
    to
    <?php
    function administerusersbyrole_user_presave(&$edit, $account, $category) {
    ?>
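
The ordering problem discussed in comments #2 and #4, as an added example that is not part of the thread or the module's code: a constructed stand-alone PHP model of the Drupal 7 save order, running the same permission check once in the update phase and once in the presave phase. The `demo_*` names, the fake user store and the always-deny access rule are assumptions for illustration.

```php
<?php
// Constructed model, not Drupal core or module code. It mirrors the order of
// Drupal 7's user_save(): presave hooks, then the write, then update hooks.
// The real hooks also receive $category, which is omitted here.
function demo_user_save(array &$store, $uid, array $edit, array $hooks) {
  $original = $store[$uid];
  foreach ($hooks['presave'] as $hook) {
    $hook($edit, $original);                     // may still change $edit
  }
  $store[$uid] = array_merge($original, $edit);  // the write
  foreach ($hooks['update'] as $hook) {
    $hook($edit, $original);                     // the row is already stored
  }
}

// Hypothetical access rule: the acting user may not manage the target account.
function demo_actor_may_manage() {
  return FALSE;
}

// The permission check, identical in both runs: undo a status change
// (block/unblock) that the acting user is not allowed to make.
function demo_guard_status(array &$edit, array $original) {
  $changed = isset($edit['status']) && $edit['status'] != $original['status'];
  if ($changed && !demo_actor_may_manage()) {
    $edit['status'] = $original['status'];
  }
}

// Returns the stored status after an attempted block, with the guard
// registered in the given phase ('presave' or 'update').
function demo_attempt_block($phase) {
  $store = array(7 => array('name' => 'constructed_user', 'status' => 1));
  $hooks = array('presave' => array(), 'update' => array());
  $hooks[$phase][] = 'demo_guard_status';
  demo_user_save($store, 7, array('status' => 0), $hooks);
  return $store[7]['status'];
}

printf("guard in update hook:  stored status = %d\n", demo_attempt_block('update'));
printf("guard in presave hook: stored status = %d\n", demo_attempt_block('presave'));
```

A stored status of 0 means the account was blocked even though the check ran.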

#2 worked for me. Thanks balleyne

Hello dmegatool,

thanks a lot for your post!

Do you think there is also a way to do this with the dev version? I did not find this line there.

Best regards
Frank

...no idea on that? :-(

The change on #4 corrected the functionality issue, although the alerts still conflict. It shows "The update has been performed" and "You do not have permissions to block [user]".

Great module BTW! This finer grained functionality really should be in core.

Hello HaloFX,

Sorry, my English is a little bit poor... Does this mean that #4 works for you? I did not find these lines... :-(

Best regards
Frank

Thanks dmegatool it works fine :)

Hello yuvaraju.an,

What version of this module did you use?

Best regards
Frank


It did work. The alerts are just messed up. See attachment.

I am using Beta1


Hello,

Is this bug solved in the actual dev version?

Best regards
Frank

...OK, I see this line is gone in the dev version. Does someone know where to fix it in the dev version?

Version: 7.x-1.x-dev » 7.x-1.0-beta1

...Can someone attach a working patched beta1 version ... For me this patch did not work ... For example a user can deactivate his own account.... :-(

Best regards
Frank