It is not possible to give a user access to administer users without also giving access to all settings and configuration for user accounts. This is because the "Administer Users" permission is too broad: it allows both the administration of user accounts and the management of user settings.
This issue proposes to split this permission into two:
* Administer Users - allowing you to create/edit/delete users
* Administer User Settings - manage the user settings, emails, fields.
- Needs an upgrade path and accompanying upgrade path tests (how to: http://drupal.org/node/1429136). It should be as simple as having a user that has the 'administer users' permission in D7, then visiting admin/config/people/accounts after upgrading and asserting that the page can be accessed.
Steps to reproduce:
- Install the latest Drupal 8.x using the standard profile.
- Apply patch.
- Go to admin/people/roles and add new role "Person manager".
- Go to admin/people and add new user with role Person manager. Also create one user for test.
- Go to admin/people and add new user with role Person manager.
- Go to admin/people/permissions and give that role the permission to Administer users (but not Administer user settings).
- Switch to that user and edit a test user account. See that he has access to /admin/people and to edit users.
- Go to admin/config/people/accounts and see that this user has access denied.
- Give that user additional Administer user settings permission.
- Log in with the user again and note differences (now should be possible to access to
- Try to make the account settings change back, ensure that access changes accordingly.
Pages that the permission will affect:
- do we need more pages?
User interface changes
There are no user interface changes proposed by this issue.
The "Administer Users" permission will no longer allow access to the manage people section under configuration. You will also need the "Administer User Settings" permission.
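The split and the upgrade path it needs, modeled in Python as an added example (this is not Drupal code and not taken from the patch). The machine name `administer user settings`, the role names and the users are assumptions constructed for the illustration; only the two paths come from the steps above.

```python
"""Model of the permission split and its upgrade path (not Drupal code)."""

ADMIN_USERS = "administer users"
ADMIN_SETTINGS = "administer user settings"  # assumed machine name of the new permission

# Permission each path requires, before and after the split.
ROUTES_BEFORE = {
    "admin/people": ADMIN_USERS,
    "admin/config/people/accounts": ADMIN_USERS,
}
ROUTES_AFTER = {
    "admin/people": ADMIN_USERS,
    "admin/config/people/accounts": ADMIN_SETTINGS,
}


def can_access(role_perms, roles, routes, path):
    """True if any of the user's roles holds the permission the path requires."""
    needed = routes[path]
    return any(needed in role_perms.get(role, set()) for role in roles)


def upgrade(role_perms):
    """Upgrade path: every role that held the broad permission also receives
    the new one, so nobody loses the settings page just by upgrading."""
    return {
        role: perms | ({ADMIN_SETTINGS} if ADMIN_USERS in perms else set())
        for role, perms in role_perms.items()
    }


def lost_access(before, after, users):
    """Regression check: (user, path) pairs reachable before but not after."""
    return sorted(
        (user, path)
        for user, roles in users.items()
        for path in ROUTES_BEFORE
        if can_access(before, roles, ROUTES_BEFORE, path)
        and not can_access(after, roles, ROUTES_AFTER, path)
    )


# Constructed sample data: roles that existed before the upgrade.
OLD_SITE = {"user admin": {ADMIN_USERS}, "editor": {"access content"}}
USERS = {"alice": ["user admin"], "bob": ["editor"]}
# Role created after the split, as in the manual steps: user administration only.
NEW_ROLE = {"Person manager": {ADMIN_USERS}}
```

Running `lost_access` with and without `upgrade` shows why the upgrade path test matters: without the migration, an existing user administrator silently loses the account settings page.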
Original report by [ceardach]
If you grant a user the "Administer Users" permission, that user can also edit the "User Settings" page. This grants more permissions than I think would be intended for anyone to administer users.
The "Administer Users" permission allows the user to create, delete and block users and change their email and password. In addition to that, it allows all configuration options available on the "User Settings" page, which is configuring the emails sent to users, and enable/disable registration, signatures and user pictures. The two capabilities should be separated.
I do not remember encountering this in Drupal 5. Access to the "User Settings" page may have been tied in to "Administer Site Configuration."
Note: You can accomplish most of what's here in 7.x with the User settings access module.