Currently admin rights in OpenOutreach are essentially all or nothing. It'd be tremendously useful to have one or more additional roles to allow users to safely accomplish different administrative tasks, without being able to completely break the site by mistake. In particular, we'd need a role that allowed (among other things):

  1. enabling/disabling Features/Apps,
  2. choosing and configuring themes,
  3. selecting and configuring layouts,
  4. configuring Views,

Without allowing the likes of:

  1. enabling/disabling of arbitrary modules,
  2. access to other settings that could de-stabilize the site
  3. configuring role permissions
  4. access to other settings that could open security holes on the site

Comments

nedjo’s picture

nedjo
he/him/his
Primary language English
CreditAttribution: nedjo commented

Good idea. The steps would be:

  • Complete #2139657: Add a limited admin role, which I just opened.
  • Open a child issue on each relevant Debut feature. Add the new role to the apps_compatible.inc file for the feature and then assign relevant permissions to the role.

I'm happy to take on #2139657. Might you and others at Praxis be up for the Debut fixes?

nedjo’s picture

nedjo
he/him/his
Primary language English
CreditAttribution: nedjo commented

@ergonlogic: to what extent might a module like Paranoia, https://drupal.org/project/paranoia, provide a more flexible solution? E.g., blocking access to all module enabling or permission administration would severely limit site administration. Maybe instead implement some of the paranoia hooks in e.g. a custom module or install profile?

nedjo’s picture

nedjo
he/him/his
Primary language English
CreditAttribution: nedjo commented
Status: Active » Postponed (maintainer needs more info)
nedjo’s picture

nedjo
he/him/his
Primary language English
CreditAttribution: nedjo commented

Also potentially relevant: Custom Permissions module. Can be used to grant subsets of site admin perms.