At the moment to configure individual domain settings in /admin/build/domain/conf/(domain ID)
, you need the 'administer domains' permission, which also gives you the right to create and assign domains.
However, I'd like to allow people in a 'domain manager' role to configure the settings of that domain, without giving them any rights over other domains. I'm wondering what you think about a separate 'configure domain' permission? It's be something we'd need, so I'd be willing to work up a patch. I just thought I'd run it by you to see if you had any better/simpler ideas :)
This permission could also be used when configuring domain-specific blocks and menus.
Alternatively we could keep the 'administer domains' permission, but when they access the settings page for a domain we check if they are assigned to that domain. However this means they could still access the domain create forms, bulk editing etc., right?
Comment | File | Size | Author |
---|---|---|---|
#10 | domain-conf-450688-#10.patch | 1.28 KB | greg.1.anderson |
#6 | domain_conf_450688.patch | 915 bytes | greg.1.anderson |
Comments
Comment #1
agentrickardYou would need a permission in Domain Conf module, and a custom access callback on the two existing menu items.
The access callback would check if:
-- User can 'administer domains' (or, alternately, 'configure all domains').
- or -
-- User can 'configure assigned domains' AND user is member of the domain being edited.
I would prefer not to make this change right now, as we are trying to get a stable release out.
#443296: Tasks for stable release
A patch would need to include documentation changes.
Comment #2
agentrickardComment #3
agentrickardWe should consider splitting out the permissions for all sub-modules.
- Domain Alias
- Domain Conf
- Doman Content
- Domain Theme
The others are already separated or not relevant.
Two ideas:
1) Just do it. Give all the submodules their own perms.
2) use hook_domain_perm() to allow modules to add their permissions settings to DA's. I think this makes for a cleaner interface.
Comment #4
agentrickardNo responses. Postponed for D7.
Comment #5
agentrickardComment #6
greg.1.anderson CreditAttribution: greg.1.anderson commentedI needed this functionality as well, only for the domain_conf settings page, and for the domain_theme configuration page. I could get much of the desired behavior just by using hook_menu_alter to adjust the permissions handler for the form that I need. The code looks something like this:
This works pretty well, except that the domain_conf settings page has no contents, due to the way permissions are tested for individual items on the page. The attached patch works around this problem by making an additional test for a similarly-named permission "for assigned domains".
If the overall technique here seems sound, I could roll together a patch that brought the hooks above into the domain_conf module, with documentation. Note, however, that with the current state of this code, there is no good way for a domain admin with limited permissions to navigate to these pages, as the admin pages that contain the links to them are inaccessible. Fixing this would take additional work. I don't have a proposal for this part quite yet, but will be working on it.
You may put this back to "Closed, won't fix" if this feature is not desired.
Comment #7
greg.1.anderson CreditAttribution: greg.1.anderson commentedNote also that the above example defines only the 'administer site configuration for assigned domains' permission, but some might also want to define additional permissions to enable other sections of the domain_conf settings page. The other permissions currently possible include 'administer domains for assigned domains', 'administer menu for assigned domains', and 'administer themes for assigned domains'.
Comment #8
greg.1.anderson CreditAttribution: greg.1.anderson commentedTo give the user a way to get to the domain_conf settings form and the domain_theme configuration form, I expanded the hook_menu_alter to enable the domain list and domain edit page, and use hook_form_alter to disable the controls on the edit page that I don't want domain admins to be able to edit (unless they have 'administer domains').
With a little more work to similarly filter the domain list, and also disable theme switching (unless the user has a specific permission to allow that), this should be pretty usable, and could be rolled in to the domain_conf module if desired.
Comment #9
greg.1.anderson CreditAttribution: greg.1.anderson commentedI refined the permissions and hooks to allow users with configuration permissions for their assigned domains only to still be able to see the top-level pages that they need to (in order to navigate down to the pages that they can edit) without being able to edit items they do not have permission to modify. The patch in #6 combined with the custom module shown below works really well.
I just need some feedback on whether this functionality should be rolled into domain_conf (best option, I think), or kept separate, as shown here. Once that is decided, I can put together another patch with documentation.
Comment #10
greg.1.anderson CreditAttribution: greg.1.anderson commentedI am still using the patch from #6, although the one that is posted is inexplicably missing a
$global user
declaration. Here's an updated patch that includes that.This patch represents the minimum amount of changes that could be made to domain_conf to allow a contrib module to provide additional permissions allowing for a site to have administrators that can configure certain admin functions for domains they are assigned to, but not to other domains. If there is any interest in having this as a core feature of the domain module, I'd be happy to expand the patch to include the features shown in #8 and #9 as part of the core domain module, and document it.
Comment #11
agentrickardInteresting. I like the small code approach here. Do be careful to check that domain_user values are loaded, there are some edge cases where permissions are checked before a full user load has happened.